Effective October 1, 2022, CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs"
Requests have been made to clarify this policy for at least two situations where the CA is not actively issuing certificates: (1) the CA has not yet issued certificates, and (2) the CA issued certificates in the past, but is no longer issuing certificates, e.g. a "dormant" CA (provided that all previously issued certificates have since expired).
The language proposed thus far would address the first scenario by adding "within 7 days of such intermediate CA issuing its first certificate". Language should be developed that addresses the second scenario.
One suggestion might be to change the phrase directly above to read something like:
"unless no certificates have been issued by the intermediate CA or all previously issued certificates under that intermediate CA have expired, in which case, the CA operator shall populate the CCADB fields within 7 days of such intermediate CA issuing a certificate."
Thoughts? Discussion?
Thanks,
Ben