Here is some draft language: "Effective October 1, 2022, CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs"." https://github.com/BenWilson-Mozilla/pkipolicy/commit/45c9e2638e82e972f32dfeba02f8cc019b20b2a9
On Fri, Dec 10, 2021 at 12:30 PM Aaron Gable <[email protected]> wrote: > I currently prefer the language proposed by Ben above, because the current > Apple language: > > > CA providers must populate the “Pertaining to Certificates Issued by > this CA” section of the CCADB for each included CA Certificate and each CA > Certificate chaining up to an included CA Certificate in the Apple Root > Program. > > is not clear as to whether it is expected that one or both fields in that > section must be filled out, and just reading the requirement does not make > it clear what kind of information is contained in that section. > > Aaron > > On Fri, Dec 10, 2021 at 8:18 AM 'Clint Wilson' via > [email protected] <[email protected]> wrote: > >> Is there a preference for which provides the greatest clarity to CAs >> (thinking especially of those that haven’t followed the ongoing development >> of this over the last ~18 months)? >> >> On Nov 18, 2021, at 12:51 PM, 'Aaron Gable' via >> [email protected] <[email protected]> wrote: >> >> One point of interest here: although Apple's requirements reference the >> "Pertaining to Certificates Issued By This CA" section, and the github >> issue and email above reference the "Full CRL Issued by this CA" and "JSON >> Array of Partitioned CRLs" fields, these are in fact the same thing: those >> two fields are the only fields in that section. >> >> I'd hope / suggest that Mozilla and Apple will converge on using the same >> language to require that one of those two fields in that section be filled >> out for the sake of minimizing confusion. >> >> Aaron >> >> On Wed, Nov 17, 2021 at 8:06 PM Ben Wilson <[email protected]> wrote: >> >>> All, >>> >>> This email introduces public discussion regarding a new requirement to >>> be included in the next version of the Mozilla Root Store Policy (MSRP), >>> version 2.8, to be published in 2022. (See >>> https://github.com/mozilla/pkipolicy/labels/2.8) >>> >>> Github Issue #235 <https://github.com/mozilla/pkipolicy/issues/235> >>> proposes that we amend MRSP section 4.1 >>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements> >>> to require, effective October 1, 2022, that CA operators with intermediate >>> CA certificates that are capable of issuing TLS certificates chaining up to >>> root certificates in Mozilla's root store populate the CCADB with the CRL >>> Distribution Point for the Full CRL *or* a JSON Array of Partitioned >>> CRLs. (The CCADB already has these two alternative fields available to >>> be filled in by CAs and instructs, "When there is no full CRL for >>> certificates issued by this CA, provide a JSON array whose elements are >>> URLs of partial CRLs that when combined are the equivalent of a full CRL >>> for the certificates issued" by the CA.) >>> >>> Mozilla is moving forward with CRLite >>> <https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>, >>> so we need full CRL information for TLS certificates. Apple has also stated >>> that this same information will be required of CAs in their program, >>> effective October 1, 2022. (See >>> https://www.apple.com/certificateauthority/ca_program.html). >>> >>> We welcome your comments and suggestions. >>> >>> Thanks, >>> >>> Ben >>> >>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErewSkuxWuYPdVtaf7MV4gXwSMed7vsuS4F91b2sqsnNjQ%40mail.gmail.com >> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErewSkuxWuYPdVtaf7MV4gXwSMed7vsuS4F91b2sqsnNjQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/F3B35AAA-50FE-4F3B-AE09-DD5E49F63504%40apple.com >> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/F3B35AAA-50FE-4F3B-AE09-DD5E49F63504%40apple.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaawGr3-P%2BeZ-MLuRDS2LC_pBqi9xeZ73Cd41452WKeiuw%40mail.gmail.com.
