Is there a preference for which provides the greatest clarity to CAs (thinking especially of those that haven’t followed the ongoing development of this over the last ~18 months)?
> On Nov 18, 2021, at 12:51 PM, 'Aaron Gable' via [email protected] <[email protected]> wrote:
>
> One point of interest here: although Apple's requirements reference the "Pertaining to Certificates Issued By This CA" section, and the github issue and email above reference the "Full CRL Issued by this CA" and "JSON Array of Partitioned CRLs" fields, these are in fact the same thing: those two fields are the only fields in that section.
>
> I'd hope / suggest that Mozilla and Apple will converge on using the same language to require that one of those two fields in that section be filled out for the sake of minimizing confusion.
>
> Aaron
>
> On Wed, Nov 17, 2021 at 8:06 PM Ben Wilson <[email protected]> wrote:
>> All,
>>
>> This email introduces public discussion regarding a new requirement to be included in the next version of the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>
>> Github Issue #235 <https://github.com/mozilla/pkipolicy/issues/235> proposes that we amend MRSP section 4.1 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements> to require, effective October 1, 2022, that CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store populate the CCADB with the CRL Distribution Point for the Full CRL or a JSON Array of Partitioned CRLs. (The CCADB already has these two alternative fields available to be filled in by CAs and instructs, "When there is no full CRL for certificates issued by this CA, provide a JSON array whose elements are URLs of partial CRLs that when combined are the equivalent of a full CRL for the certificates issued" by the CA.)
>>
>> Mozilla is moving forward with CRLite <https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>, so we need full CRL information for TLS certificates. Apple has also stated that this same information will be required of CAs in their program, effective October 1, 2022. (See https://www.apple.com/certificateauthority/ca_program.html).
>>
>> We welcome your comments and suggestions.
>>
>> Thanks,
>>
>> Ben
