Hi Kathleen,
Thank you for posting the notification concerning the update to CCADB. I have a 
follow-up question: in the discussion captured in 
https://github.com/mozilla/pkipolicy/issues/218, it appears that there's a 
desire for CAs to produce and publish complete CRLs for end-entity certificates 
that lack CRLDP to a complete CRL. However, I have not seen any concrete 
proposals/draft language for inclusion in 2.7.1 surrounding such a requirement. 
Is the thinking that this CCADB field will first be added and then in a 
subsequent Mozilla policy update, CAs will be required to publish full CRLs 
(perhaps as part of a CA/B Forum ballot) and disclose the location of such CRLs 
in CCADB?

Thanks,
Corey

On Wednesday, November 18, 2020 at 6:07:32 PM UTC-5, Kathleen Wilson wrote:
> All, 
> 
> The following changes have been made in the CCADB: 
> 
> On Intermediate Cert pages: 
> - Renamed section heading ‘Revocation Information’ to ‘Revocation 
> Information for this Certificate’ 
> - Added section called ‘Pertaining to Certificates Issued by this CA’ 
> - Added 'Full CRL Issued By This CA' field to this new section. 
> Note: CAs modify this field directly on intermediate cert pages. 
> 
> On Root Cert pages: 
> - Added section called ‘Pertaining to Certificates Issued by this CA’ 
> - Added 'Full CRL Issued By This CA' field to this new section. 
> Note: Only root store operators may directly update root cert pages, so 
> send email to your root store operator if you would like a URL added to 
> this new field for a root cert. 
> 
> 
> Coming soon: 
> Add 'Full CRL Issued By This CA' column to report: 
> http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat 
> 
> 
> Thanks, 
> Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
