[cabfpub] BR clarification re: test certificates

Gervase Markham gerv at mozilla.org
Mon Apr 10 08:13:13 MST 2017


Section 2.2 of the BRs says:

"The CA SHALL host test Web pages that allow Application Software
Suppliers to test their software with Subscriber Certificates that chain
up to each publicly trusted Root Certificate. At a minimum, the CA SHALL
host separate Web pages using Subscriber Certificates that are
(i) valid,
(ii) revoked, and
(iii) expired."

Mozilla requires these 3 URLs as part of the annual updates to the
CCADB. We want to make it clear (and have done so on
https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates
) that we consider this requirement to be more fully specified as:

* valid   = unexpired and unrevoked
* revoked = unexpired, and present in either/both of CRL and OCSP
* expired = notAfter less than the current day, and unrevoked

In particular, please make sure your revoked certificate is _un_expired.

If people think the BRs need updating to clarify this, we could draft a
ballot.

Gerv
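
One way for a CA to check its three BR 2.2 test pages against the stricter definitions above. This is an added example, not part of the post or any CA's own tooling; the certificate records, CRL serial set, OCSP answers and clock are constructed sample data.

```python
"""Audit BR 2.2 test certificates: valid / revoked / expired as defined above."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class TestCert:
    serial: int
    not_after: datetime  # tz-aware UTC notAfter


def classify(cert: TestCert, crl_serials: set, ocsp_status: str, now: datetime) -> str:
    """Return 'valid', 'revoked', 'expired' or 'revoked+expired'.
    expired  = notAfter falls on a day before the current day (not merely
               an earlier time today); revoked = in CRL or OCSP says revoked."""
    expired = cert.not_after.date() < now.date()
    revoked = cert.serial in crl_serials or ocsp_status == "revoked"
    if expired and revoked:
        return "revoked+expired"  # the misconfiguration the post warns about
    if revoked:
        return "revoked"
    if expired:
        return "expired"
    return "valid"


def audit_test_pages(pages: dict, crl_serials: set, ocsp: dict, now: datetime) -> list:
    """pages maps the expected label to the TestCert served on that page.
    Returns a list of problems; empty means every page serves exactly its state."""
    problems = []
    for expected in ("valid", "revoked", "expired"):
        cert = pages.get(expected)
        if cert is None:
            problems.append(f"no test page for {expected!r} certificate")
            continue
        actual = classify(cert, crl_serials, ocsp.get(cert.serial, "good"), now)
        if actual != expected:
            problems.append(f"{expected!r} page serves a {actual} certificate (serial {cert.serial})")
    return problems


# Constructed sample: the 'revoked' page serves a certificate whose notAfter has
# already passed, so it fails the "revoked = unexpired" requirement.
NOW = datetime(2017, 4, 10, 15, 13, tzinfo=timezone.utc)
PAGES = {
    "valid":   TestCert(serial=1001, not_after=NOW + timedelta(days=365)),
    "revoked": TestCert(serial=1002, not_after=NOW - timedelta(days=1)),
    "expired": TestCert(serial=1003, not_after=NOW - timedelta(days=30)),
}
CRL_SERIALS = {1002}
OCSP = {1002: "revoked"}

if __name__ == "__main__":
    for problem in audit_test_pages(PAGES, CRL_SERIALS, OCSP, NOW):
        print("problem:", problem)
```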
