From:  Wayne Thayer <wthayer@mozilla.com>
Date:  27 Apr 2019 08:14:09 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.security.policy
Subject:  Policy 2.7 Proposal: Clarify Revocation Requirements for S/MIME Certificates

NNTP-Posting-Host:  63.245.210.105

Section 6 ("Revocation") of Mozilla's Root Store Policy states:

> CAs MUST revoke Certificates that they have issued upon the occurrence of
> any event listed in the appropriate subsection of section 4.9.1 of the
> Baseline Requirements, according to the timeline defined therein.

Because the BRs don't apply to intermediate and end-entity certificates
that are constrained to S/MIME, it's not clear if our policy requires that
those certificates follow the BR revocation requirements or not.

The discussion [1] that led to the current language makes it clear that the
intent is for the revocation requirement to apply to S/MIME certificates.

I propose adding the following statement to clarify the scope of this
section:

> This requirement applies to certificates that are not otherwise required to
> comply with the BRs.


This is https://github.com/mozilla/pkipolicy/issues/166 and
https://github.com/mozilla/pkipolicy/issues/167

I will appreciate everyone's input on this proposal.

- Wayne

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/eAy0lxgFHR8/g6Jddy40EAAJ