Hi Corey,

From Apple’s perspective, the desire was first to have the field added to 
CCADB. From here, we’re planning on sending out a CA Communication notifying 
CAs that the field is available and requesting that CAs populate it. We are 
considering a requirement that Full CRLs be made available, but there are still 
issues to address and work out with the community prior to doing so.
Our goal is to have CAs provide CRLs such that we can be confident all revoked 
leaf certificates and intermediate CAs which chain to Roots present in our 
program are represented by a CRL provided by the CA Organization. In many 
cases, a Full CRL is the most direct way of doing so, but a pointer to a full 
set of partitioned CRLs should also be sufficient as a secondary option.

Thanks,
-Clint

On Thursday, November 19, 2020 at 12:27:55 PM UTC-8, corey....@digicert.com 
wrote:
> Hi Kathleen, 
> Thank you for posting the notification concerning the update to CCADB. I have 
> a follow-up question: in the discussion captured in 
> https://github.com/mozilla/pkipolicy/issues/218, it appears that there's a 
> desire for CAs to produce and publish complete CRLs for end-entity 
> certificates that lack CRLDP to a complete CRL. However, I have not seen any 
> concrete proposals/draft language for inclusion in 2.7.1 surrounding such a 
> requirement. Is the thinking that this CCADB field will first be added and 
> then in a subsequent Mozilla policy update, CAs will be required to publish 
> full CRLs (perhaps as part of a CA/B Forum ballot) and disclose the location 
> of such CRLs in CCADB? 
> 
> Thanks, 
> Corey
> On Wednesday, November 18, 2020 at 6:07:32 PM UTC-5, Kathleen Wilson wrote: 
> > All, 
> > 
> > The following changes have been made in the CCADB: 
> > 
> > On Intermediate Cert pages: 
> > - Renamed section heading ‘Revocation Information’ to ‘Revocation 
> > Information for this Certificate’ 
> > - Added section called ‘Pertaining to Certificates Issued by this CA’ 
> > - Added 'Full CRL Issued By This CA' field to this new section. 
> > Note: CAs modify this field directly on intermediate cert pages. 
> > 
> > On Root Cert pages: 
> > - Added section called ‘Pertaining to Certificates Issued by this CA’ 
> > - Added 'Full CRL Issued By This CA' field to this new section. 
> > Note: Only root store operators may directly update root cert pages, so 
> > send email to your root store operator if you would like a URL added to 
> > this new field for a root cert. 
> > 
> > 
> > Coming soon: 
> > Add 'Full CRL Issued By This CA' column to report: 
> > http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat 
> > 
> > 
> > Thanks, 
> > Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy