All,

Root store operators would like to easily find and use the URLs to the Full CRLs for things like Mozilla’s CRLite. The BRs do not require CRL URLs in end-entity certificates, and many CAs use partitioned CRLs for end-entity certificates.

Proposal: Add field called 'Full CRL Issued By This CA'

- New field on intermediate certificate records which may be filled in by CAs or root store operators when the certificate signs certificates that do not contain CRL URLs or only contain URLs to partitioned CRLs.

- This field would be included in public-facing reports such as http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat so that it can be used programmatically by root store operators, and could also be provided in crt.sh.

- Also add this field to root certificate records, even though only root store operators can currently update root certificate records.


I will appreciate your input on this proposal.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
