Thanks Ben, this language seems reasonable to me (with one edit: the last acronym "CRL" needs to be plural).
That said, rather than repeating-and-extending the BRs language, I would consider turning this requirement on its head: "Each URL listed in the JSON Array of Partitioned CRLs MUST match a distributionPoint UniformResourceIdentifier value in the referenced CRL." Basically, because the CRLs are already required to include the distributionPoint field, there's no need to specify that again. Instead, just specify that the URL listed in CCADB must match the distributionPoint, because otherwise Mozilla won't trust the fetched CRL. Does that approach seem reasonable as well?

Aaron

On Wed, Nov 16, 2022 at 9:01 PM Ben Wilson <[email protected]> wrote:

> This discussion thread is to address Issue #256
> <https://github.com/mozilla/pkipolicy/issues/256> and the need to clarify
> that partitioned CRLs need to include a critical Issuing Distribution Point
> extension.
>
> The language proposed for addition to Mozilla Root Store Policy section 4.1
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements>
> would read, "Each CRL referenced by the JSON Array of Partitioned CRLs
> MUST contain a critical Issuing Distribution Point extension. The Issuing
> Distribution Point extension MUST contain a distributionPoint containing a
> UniformResourceIdentifier whose value equals the URL of the CRL in the JSON
> Array of Partitioned CRL".
>
> Please provide any comments or suggestions.
>
> Thanks,
>
> Ben
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ3nUbS9_hQUJ5rUzb%3DyPYkA-3ienthPwqMGdP8Fo-86g%40mail.gmail.com

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdgaxi9TROWe5GdQ%3DFpMXpQcQcquL8xgGgrVfxCyOeydw%40mail.gmail.com.
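The following Python is an added illustration of the check both messages describe; it is not part of this thread and is not Mozilla, CCADB or CA code. It uses the pyca/cryptography library (pip install cryptography) to load a DER CRL, require a critical Issuing Distribution Point extension, and require that the URL listed in the JSON Array of Partitioned CRLs equals one of the distributionPoint UniformResourceIdentifier values (Aaron's inverted phrasing, which also admits a CRL that lists more than one URI). The issuer name, signing key, URLs and the fetch callback are constructed test data, not real CCADB entries.

```python
"""Check a partitioned CRL against the proposed IDP / URL matching rule.

Added example, not part of the mozilla/pkipolicy discussion. Requires
pyca/cryptography. All CRLs, keys and URLs here are constructed test data.
"""
import datetime
import json

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def check_partitioned_crl(listed_url: str, crl_der: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for one entry of the JSON Array of Partitioned CRLs.

    Rule checked: the CRL carries a *critical* Issuing Distribution Point
    extension, and the URL listed in CCADB equals one of the distributionPoint
    fullName UniformResourceIdentifier values in that extension.
    """
    crl = x509.load_der_x509_crl(crl_der)
    try:
        ext = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        return False, "no Issuing Distribution Point extension"
    if not ext.critical:
        return False, "Issuing Distribution Point extension is not critical"
    # full_name may be None when the IDP uses nameRelativeToCRLIssuer instead.
    uris = [
        name.value
        for name in (ext.value.full_name or [])
        if isinstance(name, x509.UniformResourceIdentifier)
    ]
    if not uris:
        return False, "distributionPoint has no UniformResourceIdentifier"
    if listed_url not in uris:
        return False, f"listed URL {listed_url!r} not among IDP URIs {uris!r}"
    return True, "ok"


def check_json_array(json_array: str, fetch) -> dict[str, tuple[bool, str]]:
    """Apply check_partitioned_crl to every URL in a CCADB-style JSON array.

    `fetch(url) -> DER bytes` is supplied by the caller; the demo below passes a
    dict lookup instead of an HTTP client so the example runs offline.
    """
    return {url: check_partitioned_crl(url, fetch(url)) for url in json.loads(json_array)}


def build_test_crl(idp_uris, critical=True, include_idp=True) -> bytes:
    """Build a throwaway CRL (fresh P-256 key, fake issuer) for testing only."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")]))
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
    )
    if include_idp:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(u) for u in idp_uris],
            relative_name=None,
            only_contains_user_certs=False,
            only_contains_ca_certs=False,
            only_some_reasons=None,
            indirect_crl=False,
            only_contains_attribute_certs=False,
        )
        builder = builder.add_extension(idp, critical=critical)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


if __name__ == "__main__":
    shard1 = "http://crl.example.test/ca/shard-1.crl"
    shard2 = "http://crl.example.test/ca/shard-2.crl"
    array = json.dumps([shard1, shard2])
    # Constructed "fetched" CRLs: shard-2's IDP points at shard-1, so it must fail.
    store = {shard1: build_test_crl([shard1]), shard2: build_test_crl([shard1])}
    for url, (ok, why) in check_json_array(array, store.__getitem__).items():
        print("PASS" if ok else "FAIL", url, why)
```

In production the fetch callback would be an HTTP client, and a consumer would additionally verify the CRL signature against the issuing CA before trusting it; the function above isolates only the IDP/URL rule under discussion.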
