On Thursday, November 19, 2020 at 3:13:58 PM UTC-8, Ben Wilson wrote:
> FWIW - Here is a recent post on this issue from JC Jones -
> https://github.com/mozilla/crlite/issues/43#issuecomment-726493990
>
> On Thu, Nov 19, 2020 at 4:00 PM Ryan Hurst via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > On Wednesday, November 18, 2020 at 8:26:50 PM UTC-8, Ryan Sleevi wrote:
> > > On Wed, Nov 18, 2020 at 7:57 PM Ryan Hurst via dev-security-policy <
> > > dev-secur...@lists.mozilla.org> wrote:
> > >
> > > > Kathleen,
> > > >
> > > > This introduces an interesting question: how might Mozilla want to see
> > > > partial CRLs be discoverable? Of course, they are pointed to by the
> > > > associated CRLdp, but is there a need for a manifest of these CRL shards
> > > > that can be picked up by CCADB?
> > >
> > > What's the use case for sharding a CRL when there's no CDP in the issued
> > > certificates and the primary downloader is root stores?
> >
> > I think there may be some confusion. In my response to Kathleen's mail I
> > stated "Of course, they are pointed to by the associated CRLdp"; as such I
> > am not suggesting there is value to sharded/partitioned CRLs if they are not
> > referenced by the CRLdp.
> >
> > The origin of my question is that, as I remember the requirements, CAs do
> > not have to produce a full and complete CRL. Specifically, today I believe
> > they are allowed to produce partitioned CRLs. This is good because in some
> > cases a full and complete CRL can be gigabytes in size. I assume the reason
> > for adding the URL to a full, and I imagine complete, CRL is that Mozilla
> > would like to use this information in its CRLite feature.
> >
> > If so, and a CA partitions CRLs and does not produce a full and complete
> > CRL, how should the CA ensure Mozilla has the entire set of information it
> > wants?
> >
> > Ryan
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-secur...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
>
I think the JSON array approach works and it addresses the concerns I had, specifically:

1. How do we make sure Mozilla has all the revocation data when a sharded/partitioned CRL approach is used?
2. How do we avoid forcing those CAs that are doing sharded/partitioned CRLs to also maintain full CRLs, which can be VERY big and which have logistic challenges to distribute reliably and usably?

Maybe we can say such CAs provide a link to this JSON document in the CCADB Full CRL field?

Ryan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
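As an added illustration of the "JSON array of partitioned CRLs" idea discussed in this thread (this is example code written for this page, not code from Mozilla, CCADB, CRLite or any CA): a small consumer-side routine that reads a JSON array of shard URLs such as a CA might publish in a CCADB field, validates it, and unions the shards into one revocation set so that a root program ends up with the same information a full CRL would carry. The exact field name and JSON shape are assumptions; the URLs and the per-shard serial numbers are constructed, and the shard contents stand in for what a real implementation would obtain by downloading and parsing each DER CRL. The design choice worth noting is that the routine fails closed: if any listed shard cannot be retrieved, it refuses to report a "complete" set rather than silently returning a partial one.

```python
import json
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed example of the JSON document a CA might point CCADB at:
# a JSON array whose elements are the URLs of its partitioned CRLs.
# The shape is an assumption for this example.
CCADB_JSON_ARRAY = json.dumps([
    "https://crl.example-ca.test/shard-0.crl",
    "https://crl.example-ca.test/shard-1.crl",
    "https://crl.example-ca.test/shard-2.crl",
])

# Constructed stand-in for "download each URL and parse the DER CRL":
# URL -> set of revoked serial numbers (hex). An empty shard is legitimate.
FETCHED_SHARDS: Dict[str, Set[str]] = {
    "https://crl.example-ca.test/shard-0.crl": {"01a3", "02b4"},
    "https://crl.example-ca.test/shard-1.crl": {"03c5"},
    "https://crl.example-ca.test/shard-2.crl": set(),
}


def parse_crl_manifest(doc: str) -> List[str]:
    """Validate the JSON array: non-empty, strings only, https URLs, no duplicates."""
    data = json.loads(doc)
    if not isinstance(data, list) or not data:
        raise ValueError("manifest must be a non-empty JSON array")
    urls: List[str] = []
    for entry in data:
        if not isinstance(entry, str):
            raise ValueError("non-string entry in manifest: %r" % (entry,))
        parsed = urlparse(entry)
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError("not an https URL: %s" % entry)
        if entry in urls:
            raise ValueError("duplicate shard URL: %s" % entry)
        urls.append(entry)
    return urls


def assemble_full_revocation_set(
    doc: str, fetch: Callable[[str], Optional[Set[str]]]
) -> Set[str]:
    """Union every shard listed in the manifest into one revocation set.

    `fetch` returns the parsed revoked serials for a URL, or None if the
    shard could not be retrieved. Any missing shard aborts the assembly,
    because a partial union would be indistinguishable from a complete one
    to a downstream consumer (such as a filter builder).
    """
    urls = parse_crl_manifest(doc)
    revoked: Set[str] = set()
    missing: List[str] = []
    for url in urls:
        shard = fetch(url)
        if shard is None:
            missing.append(url)
            continue
        revoked |= shard
    if missing:
        raise RuntimeError("incomplete revocation data; unreachable shards: %s"
                           % ", ".join(missing))
    return revoked


if __name__ == "__main__":
    full = assemble_full_revocation_set(CCADB_JSON_ARRAY, FETCHED_SHARDS.get)
    print("revoked serials across all shards:", sorted(full))
```

Run as a script, it merges the three constructed shards into one set. Swapping `FETCHED_SHARDS.get` for a real fetcher that returns `None` on a failed download exercises the fail-closed path, which is the property that answers the thread's first concern: the consumer can tell whether it actually holds the entire set the CA published.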