Hi Corey,

From Apple’s perspective, the desire was first to have the field added to CCADB. From here, we’re planning on sending out a CA Communication notifying CAs that the field is available and requesting that CAs populate it. We are considering a requirement that Full CRLs be made available, but there are still issues to address and work out with the community prior to doing so. Our goal is to have CAs provide CRLs such that we can be confident all revoked leaf certificates and intermediate CAs which chain to Roots present in our program are represented by a CRL provided by the CA Organization. In many cases, a Full CRL is the most direct way of doing so, but a pointer to a full set of partitioned CRLs should also be sufficient as a secondary option.

Thanks,
-Clint

On Thursday, November 19, 2020 at 12:27:55 PM UTC-8, corey....@digicert.com wrote:
> Hi Kathleen,
> Thank you for posting the notification concerning the update to CCADB. I have
> a follow-up question: in the discussion captured in
> https://github.com/mozilla/pkipolicy/issues/218, it appears that there's a
> desire for CAs to produce and publish complete CRLs for end-entity
> certificates that lack CRLDP to a complete CRL. However, I have not seen any
> concrete proposals/draft language for inclusion in 2.7.1 surrounding such a
> requirement. Is the thinking that this CCADB field will first be added and
> then in a subsequent Mozilla policy update, CAs will be required to publish
> full CRLs (perhaps as part of a CA/B Forum ballot) and disclose the location
> of such CRLs in CCADB?
>
> Thanks,
> Corey
>
> On Wednesday, November 18, 2020 at 6:07:32 PM UTC-5, Kathleen Wilson wrote:
> > All,
> >
> > The following changes have been made in the CCADB:
> >
> > On Intermediate Cert pages:
> > - Renamed section heading ‘Revocation Information’ to ‘Revocation
> > Information for this Certificate’
> > - Added section called ‘Pertaining to Certificates Issued by this CA’
> > - Added 'Full CRL Issued By This CA' field to this new section.
> > Note: CAs modify this field directly on intermediate cert pages.
> >
> > On Root Cert pages:
> > - Added section called ‘Pertaining to Certificates Issued by this CA’
> > - Added 'Full CRL Issued By This CA' field to this new section.
> > Note: Only root store operators may directly update root cert pages, so
> > send email to your root store operator if you would like a URL added to
> > this new field for a root cert.
> >
> > Coming soon:
> > Add 'Full CRL Issued By This CA' column to report:
> > http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat
> >
> > Thanks,
> > Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy