All,

This email introduces public discussion regarding a new requirement to be
included in the next version of the Mozilla Root Store Policy (MRSP),
version 2.8, to be published in 2022. (See
https://github.com/mozilla/pkipolicy/labels/2.8)

GitHub Issue #235 <https://github.com/mozilla/pkipolicy/issues/235>
proposes that we amend MRSP section 4.1
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements>
to require, effective October 1, 2022, that CA operators with intermediate
CA certificates that are capable of issuing TLS certificates chaining up to
root certificates in Mozilla's root store populate the CCADB with the CRL
Distribution Point for the Full CRL *or* a JSON Array of Partitioned CRLs.
(The CCADB already has these two alternative fields available to be filled
in by CAs and instructs, "When there is no full CRL for certificates issued
by this CA, provide a JSON array whose elements are URLs of partial CRLs
that when combined are the equivalent of a full CRL for the certificates
issued" by the CA.)

Mozilla is moving forward with CRLite
<https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>,
so we need full CRL information for TLS certificates. Apple has also stated
that this same information will be required of CAs in their program,
effective October 1, 2022. (See
https://www.apple.com/certificateauthority/ca_program.html).

We welcome your comments and suggestions.

Thanks,

Ben
