One point of interest here: although Apple's requirements reference the "Pertaining to Certificates Issued By This CA" section, and the github issue and email above reference the "Full CRL Issued by this CA" and "JSON Array of Partitioned CRLs" fields, these are in fact the same thing: those two fields are the only fields in that section.
I'd hope / suggest that Mozilla and Apple will converge on using the same language to require that one of those two fields in that section be filled out for the sake of minimizing confusion. Aaron On Wed, Nov 17, 2021 at 8:06 PM Ben Wilson <[email protected]> wrote: > All, > > This email introduces public discussion regarding a new requirement to be > included in the next version of the Mozilla Root Store Policy (MSRP), > version 2.8, to be published in 2022. (See > https://github.com/mozilla/pkipolicy/labels/2.8) > > Github Issue #235 <https://github.com/mozilla/pkipolicy/issues/235> > proposes that we amend MRSP section 4.1 > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements> > to require, effective October 1, 2022, that CA operators with intermediate > CA certificates that are capable of issuing TLS certificates chaining up to > root certificates in Mozilla's root store populate the CCADB with the CRL > Distribution Point for the Full CRL *or* a JSON Array of Partitioned CRLs. > (The CCADB already has these two alternative fields available to be filled > in by CAs and instructs, "When there is no full CRL for certificates issued > by this CA, provide a JSON array whose elements are URLs of partial CRLs > that when combined are the equivalent of a full CRL for the certificates > issued" by the CA.) > > Mozilla is moving forward with CRLite > <https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>, > so we need full CRL information for TLS certificates. Apple has also stated > that this same information will be required of CAs in their program, > effective October 1, 2022. (See > https://www.apple.com/certificateauthority/ca_program.html). > > We welcome your comments and suggestions. > > Thanks, > > Ben > > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErewSkuxWuYPdVtaf7MV4gXwSMed7vsuS4F91b2sqsnNjQ%40mail.gmail.com.
