Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify Revocation Codes for Intermediate CAs #520

Open
BenWilson-Mozilla opened this issue Jun 4, 2024 · 2 comments
Open

Clarify Revocation Codes for Intermediate CAs #520

BenWilson-Mozilla opened this issue Jun 4, 2024 · 2 comments
Assignees
@BenWilson-Mozilla
Labels
baseline-requirements Server Certificate CWG - Baseline Requirements

Comments

@BenWilson-Mozilla
Copy link
Contributor

It's a requirement that CRLs for Intermediate CAs have reason codes. Table 1.2.2 in the TLS BRs says "2020‐09‐30 7.2 and 7.3 All OCSP and CRL responses for Subordinate CA Certificates MUST include a meaningful reason code." That means that "0" or unspecified or blank is not allowed. But BR 7.2.2. is convoluted, confusing, and hard to parse. It says "When present (OID 2.5.29.21), MUST NOT be marked critical and MUST indicate the most appropriate reason for revocation of the Certificate. MUST be present unless the CRL entry is for a
Certificate not technically capable of causing issuance and either 1) the CRL entry is for a Subscriber Certificate subject to these
Requirements revoked prior to July 15, 2023 or 2) the reason for revocation (i.e., reasonCode) is unspecified (0). See the “CRLReasons” table for additional requirements."

Section 7.3 (OCSP profile) is a little more clear, but needs to be improved, too. It says, "If an OCSP response is for a Root CA or Subordinate CA Certificate, including Cross‐Certified Subordinate CA Certificates, and that certificate has been revoked, then the revocationReason field within the RevokedInfo of the CertStatus MUST be present.
The CRLReason indicated MUST contain a value permitted for CRLs, as specified in Section 7.2.2."

In other words, for CAs the revocation reason code must be present and must be one of:
keyCompromise (1)
cACompromise (2)
affiliationChanged (3)
superseded (4)
cessationOfOperation (5)
@BenWilson-Mozilla BenWilson-Mozilla added the baseline-requirements Server Certificate CWG - Baseline Requirements label Jun 4, 2024
@AdrianMueller-sws
Copy link

Hi Ben,
I agree that the text in the BR is hard to read. Regarding the Reason Codes for CA certificates in the CA Revocation List (CARL) I refer (in addition to the BR) to the X.509 standard which explains the meaning of the different reason codes in chapter 9.5.3.1 Reason code extension.

When reading the definitions in the BR and in the X.509 standard the meaningful reason codes for revoked CA certificates are

  • cACompromise (2) and
  • cessationOfOperation (5).

keyCompromise (1) is specifically mentioning the use for end-entity certificates, and the other reasons are seam end-entity targeted as well.

I hope this helps.

Best regards
Adrian

@dzacharo
Copy link
Contributor

Notes from the 2024-12-19 SCWG Teleconference:

  • Recommendation: Create two subsections in order to specify which revocation reasons are allowed for revoked CA Certificates and end-entity Certificates
  • Update section 7.2.2 for improved clarity.

@BenWilson-Mozilla BenWilson-Mozilla self-assigned this Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BenWilson-Mozilla BenWilson-Mozilla

Labels
baseline-requirements Server Certificate CWG - Baseline Requirements
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dzacharo @BenWilson-Mozilla @AdrianMueller-sws