On Thursday, November 19, 2020 at 3:13:58 PM UTC-8, Ben Wilson wrote:
> FWIW - Here is a recent post on this issue from JC Jones - 
> https://github.com/mozilla/crlite/issues/43#issuecomment-726493990
> On Thu, Nov 19, 2020 at 4:00 PM Ryan Hurst via dev-security-policy < 
> dev-secur...@lists.mozilla.org> wrote: 
> 
> > On Wednesday, November 18, 2020 at 8:26:50 PM UTC-8, Ryan Sleevi wrote:
> > > On Wed, Nov 18, 2020 at 7:57 PM Ryan Hurst via dev-security-policy < 
> > > dev-secur...@lists.mozilla.org> wrote: 
> > > 
> > > > Kathleen, 
> > > > 
> > > > This introduces an interesting question, how might Mozilla want to see 
> > > > partial CRLs be discoverable? Of course, they are pointed to by the 
> > > > associated CRLdp but is there a need for a manifest of these CRL 
> > shards 
> > > > that can be picked up by CCADB? 
> > > > 
> > > What's the use case for sharding a CRL when there's no CDP in the issued 
> > > certificates and the primary downloader is root stores? 
> >
> > I think there may be some confusion. In my response to Kathleen's mail I 
> > stated " Of course, they are pointed to by the associated CRLdp", as such I 
> > am not suggesting there is a value to sharded/partitioned CRLs if not 
> > referenced by the CRLdp. 
> > 
> > The origin of my question is that as I remember the requirements, CAs do 
> > not have to produce a full and complete CRL. Specifically today, I believe 
> > they are allowed to produce partitioned CRLs, this is good because in some 
> > cases a full and complete CRL can be gigabytes in size. I assume the reason 
> > for adding the URL to a full, and I imagine complete, CRL is that Mozilla 
> > would like to use this information in its CRLite feature. 
> > 
> > If so, and a CA partitions CRLs and does not produce a full and complete 
> > CRL how should the CA ensure Mozilla has the entire set of information it 
> > wants? 
> > 
> > Ryan
> > _______________________________________________ 
> > dev-security-policy mailing list 
> > dev-secur...@lists.mozilla.org 
> > https://lists.mozilla.org/listinfo/dev-security-policy 
> >

I think the JSON array approach works and it addresses the concerns I had, 
specifically:
1. How do we make sure Mozilla has all the revocation data when a 
sharded/partitioned CRL approach is used.
2. How do we not force those CAs that are doing sharded/partitioned CRLs into 
having to also maintain full CRLs, which can be VERY big and which have logistic 
challenges to distribute reliably and usably.

Maybe we can say such CAs provide a list to this JSON document in CCADB Full 
CRL field?

Ryan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
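To make the two concerns above concrete from the consumer side (the root store that downloads the data), here is an added example, not code from this thread, Mozilla, CCADB or CRLite. It assumes the CCADB Full CRL field holds either one CRL URL or a JSON array of URL strings for partitioned CRLs (the exact field format is an assumption), that shards are fetched through an injected fetcher so the code runs offline, and that fetched shards are represented as already-parsed records (issuer plus revoked serial numbers) standing in for real DER CRLs. The `example-ca.test` URLs and serials are constructed sample data. The point it demonstrates is that a partitioned set is only usable when every shard loads and all shards agree on the issuer; a missing shard fails the whole set rather than silently yielding incomplete revocation data.

```python
"""Consumer-side handling of a 'Full CRL' field that is either a single URL
or a JSON array of partitioned-CRL URLs (format assumed, see lead-in)."""
import json
from urllib.parse import urlsplit


def parse_full_crl_field(value):
    """Normalise the field into an ordered, de-duplicated list of https URLs.

    A bare string is treated as a single CRL URL; a JSON array must contain
    only URL strings. Anything else is rejected rather than guessed at."""
    value = value.strip()
    if value.startswith("["):
        entries = json.loads(value)
        if not isinstance(entries, list):
            raise ValueError("JSON value must be an array of URL strings")
    else:
        entries = [value]
    urls, seen = [], set()
    for entry in entries:
        if not isinstance(entry, str):
            raise ValueError("non-string entry in CRL list: %r" % (entry,))
        parts = urlsplit(entry)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("CRL URL must be absolute https: %s" % entry)
        if entry not in seen:        # duplicates would double-fetch the same shard
            seen.add(entry)
            urls.append(entry)
    return urls


def merge_shards(urls, fetch):
    """Fetch every shard and union the revoked serials.

    All shards must name the same issuer. Any fetch failure propagates so the
    caller never receives a partial revocation set without knowing it."""
    issuer, revoked = None, set()
    for url in urls:
        shard = fetch(url)                      # raises on failure: incomplete data is not accepted
        if issuer is None:
            issuer = shard["issuer"]
        elif shard["issuer"] != issuer:
            raise ValueError("shard %s issued by %r, expected %r"
                             % (url, shard["issuer"], issuer))
        revoked.update(int(s, 16) for s in shard["revoked_serials"])
    return issuer, revoked


# Constructed stand-ins for two CRL shards of one hypothetical CA.
CONSTRUCTED_SHARDS = {
    "https://crl.example-ca.test/shard-0.crl":
        {"issuer": "CN=Example CA", "revoked_serials": ["0a", "1b"]},
    "https://crl.example-ca.test/shard-1.crl":
        {"issuer": "CN=Example CA", "revoked_serials": ["2c"]},
}
# The field value a CA would publish under the assumed format.
CONSTRUCTED_FIELD = json.dumps(list(CONSTRUCTED_SHARDS))


def fetch_constructed(url):
    """Offline fetcher: returns a parsed shard or fails like a dead URL would."""
    try:
        return CONSTRUCTED_SHARDS[url]
    except KeyError:
        raise ConnectionError("shard unavailable: %s" % url)


def demo():
    """Parse the field, load all shards, return (issuer, sorted revoked serials)."""
    urls = parse_full_crl_field(CONSTRUCTED_FIELD)
    issuer, revoked = merge_shards(urls, fetch_constructed)
    return issuer, sorted(revoked)


if __name__ == "__main__":
    print(demo())
```

A real consumer would replace `fetch_constructed` with an HTTPS download plus CRL signature verification against the issuer's key; the merge logic stays the same.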
