CA/Root Store Policy Archive: Difference between revisions

CA/Root Store Policy Archive (view source)

Revision as of 23:05, 2 June 2022

6 bytes added , 2 June 2022

m

→‎2.8: Added "and maintain"

Bwilson

Confirmed users

377

edits

@@ Line 14: / Line 14: @@
 *** New Section 6.1.1 - When a TLS server certificate is revoked for keyCompromise, privilegeWithdrawn, cessationOfOperation, affiliationChanged, or superseded, the CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end entity TLS certificate. If the certificate is revoked for a different or unspecified reason, then the reasonCode extension MUST NOT be provided in the CRL.
 **** The CA operator's subscriber agreement for TLS server certificates [[CA/Revocation_Reasons#Communication_to_Subscribers|must inform certificate subscribers about the revocation reason options]], and tools must be updated to enable certificate subscribers to specify these revocation reason options.
-** December 31, 2022: CA operators will need to have uploaded all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store.
+** December 31, 2022: CA operators will need to upload and maintain all older (and available) versions of each CP and CPS (or CP/CPS), regardless of changes in ownership or control of the root CA, until the entire root CA certificate hierarchy operated in accordance with such documents is no longer trusted by the Mozilla root store.
 ** July 1, 2023: CAs SHALL NOT sign SHA-1 hashes over certificates with an EKU extension containing the id-kp-ocspSigning key purpose; intermediate certificates that chain up to roots in Mozilla's program; OCSP responses; or CRLs.