The current subject line for GitHub Mozilla PKI Policy Issue #251
<https://github.com/mozilla/pkipolicy/issues/251> is "Edit MRSP 4.1 to
clarify full CRL publication issues in the CCADB".

Currently, section 4.1 of MRSP
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements>
states:

Effective October 1, 2022, CA operators with intermediate CA certificates
that are capable of issuing TLS certificates chaining up to root
certificates in Mozilla's root store SHALL populate the CCADB fields under
"Pertaining to Certificates Issued by This CA" with either the CRL
Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of
Partitioned CRLs"

Requests have been made to clarify this policy for at least two situations
where the CA is not actively issuing certificates: (1) the CA has not yet
issued certificates, and (2) the CA issued certificates in the past, but is
no longer issuing certificates, e.g. a "dormant" CA (provided that all
previously issued certificates have since expired).

The language proposed thus far would address the first scenario by adding
"within 7 days of such intermediate CA issuing its first certificate".
Language should be developed that addresses the second scenario.

One suggestion might be to change the phrase directly above to read
something like:

"unless no certificates have been issued by the intermediate CA or all
previously issued certificates under that intermediate CA have expired, in
which case, the CA operator shall populate the CCADB fields within 7 days
of such intermediate CA issuing a certificate."

Thoughts? Discussion?

Thanks,
Ben

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaC1yGzCcBjpC2s_B5Ce9wY-EXFFFfMFC2GH5pNnnGWzQ%40mail.gmail.com.
