Hi Kathleen,

Thank you for posting the notification concerning the update to CCADB. I have a follow-up question: in the discussion captured in https://github.com/mozilla/pkipolicy/issues/218, it appears that there's a desire for CAs to produce and publish complete CRLs for end-entity certificates that lack CRLDP to a complete CRL. However, I have not seen any concrete proposals/draft language for inclusion in 2.7.1 surrounding such a requirement. Is the thinking that this CCADB field will first be added and then in a subsequent Mozilla policy update, CAs will be required to publish full CRLs (perhaps as part of a CA/B Forum ballot) and disclose the location of such CRLs in CCADB?

Thanks,
Corey

On Wednesday, November 18, 2020 at 6:07:32 PM UTC-5, Kathleen Wilson wrote:
> All,
>
> The following changes have been made in the CCADB:
>
> On Intermediate Cert pages:
> - Renamed section heading ‘Revocation Information’ to ‘Revocation
> Information for this Certificate’
> - Added section called ‘Pertaining to Certificates Issued by this CA’
> - Added 'Full CRL Issued By This CA' field to this new section.
> Note: CAs modify this field directly on intermediate cert pages.
>
> On Root Cert pages:
> - Added section called ‘Pertaining to Certificates Issued by this CA’
> - Added 'Full CRL Issued By This CA' field to this new section.
> Note: Only root store operators may directly update root cert pages, so
> send email to your root store operator if you would like a URL added to
> this new field for a root cert.
>
>
> Coming soon:
> Add 'Full CRL Issued By This CA' column to report:
> http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat
>
>
> Thanks,
> Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy