I think you make a really good point! I'm not a fan of repeating ourselves, but clarity is very valuable.
I'd be happy with this requirement in either phrasing. Aaron On Tue, Nov 22, 2022 at 8:30 AM Corey Bonnell <[email protected]> wrote: > Hi Aaron, > > I prefer explicitly stating that something is allowed, because we have > seen previously that the lack of explicit allowance (or prohibition) in > these requirements is the source of much disagreement. For this reason, I > think explicitly enumerating what is allowed provides the most clarity (and > less room for future disagreements). > > > > That being said, I agree that your proposal is much more concise than the > other proposals. If folks think my concern about explicitly enumerating > allowances is unreasonable, then I think your language is fine. > > > > Thanks, > > Corey > > > > *From:* Aaron Gable <[email protected]> > *Sent:* Thursday, November 17, 2022 5:32 PM > *To:* Corey Bonnell <[email protected]> > *Cc:* Ben Wilson <[email protected]>; [email protected] < > [email protected]> > *Subject:* Re: Policy 2.8.1: MRSP Issue #256: Requirement that > Partitioned CRLs include an Issuing Distribution Point extension > > > > I believe that my proposal addresses that case. It only establishes a > single requirement: that the URLs in CCADB and (one of) the URIs in the > CRLs match. It doesn't matter why the CA is producing those CRLs > (specifically for CCADB, or for use directly by relying parties, or both) > or what the sharding strategy is: the important thing here is that the URL > requested by CRLite infrastructure contains a CRL with a matching > distributionPoint. > > > > Aaron > > > > On Thu, Nov 17, 2022 at 2:21 PM Corey Bonnell <[email protected]> > wrote: > > I think the proposal may need accommodate the case where issued > certificates have a CRLDP that contain a URI which points to a sharded CRL > that may not be disclosed in CCADB. In other words, it is possible that the > CA employs one sharding strategy for CCADB while using a different strategy > for the CRLs that are referenced in the CRLDP of certificates it issues. > The CA may be producing more CRLs than strictly necessary in this case, but > I’m unaware of anything prohibiting such practice today and am hard-pressed > to think of any issues that may arise with such an arrangement. I attempted > to capture this consideration in my language proposal on Github [1]. > > > > Thanks, > > Corey > > > > [1] > https://github.com/mozilla/pkipolicy/issues/256#issuecomment-1315648591 > > > > *From:* 'Aaron Gable' via [email protected] < > [email protected]> > *Sent:* Thursday, November 17, 2022 4:03 PM > *To:* Ben Wilson <[email protected]> > *Cc:* [email protected] <[email protected]> > *Subject:* Re: Policy 2.8.1: MRSP Issue #256: Requirement that > Partitioned CRLs include an Issuing Distribution Point extension > > > > Thanks Ben, this language seems reasonable to me (with one edit: the last > acronym "CRL" needs to be plural). > > > > That said, rather than repeating-and-extending the BRs language, I would > consider turning this requirement on its head: > > > > "Each URL listed in the JSON Array of Partitioned CRLs MUST match a > distributionPoint UniformResourceIdentifier value in the referenced CRL." > > > > Basically, because the CRLs are already required to include the > distributionPoint field, there's no need to specify that again. Instead, > just specify that the URL listed in CCADB must match the distributionPoint, > because otherwise Mozilla won't trust the fetched CRL. > > > > Does that approach seem reasonable as well? > > > > Aaron > > > > On Wed, Nov 16, 2022 at 9:01 PM Ben Wilson <[email protected]> wrote: > > This discussion thread is to address Issue #256 > <https://github.com/mozilla/pkipolicy/issues/256> and the need to clarify > that partitioned CRLs need to include a critical Issuing Distribution Point > extension. > > > > The language proposed for addition to Mozilla Root Store Policy section > 4.1 > <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements> > would read, "Each CRL referenced by the JSON Array of Partitioned CRLs MUST > contain a critical Issuing Distribution Point extension. The Issuing > Distribution Point extension MUST contain a distributionPoint containing a > UniformResourceIdentifier whose value equals the URL of the CRL in the JSON > Array of Partitioned CRL". > > > > Please provide any comments or suggestions. > > > > Thanks, > > > > Ben > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ3nUbS9_hQUJ5rUzb%3DyPYkA-3ienthPwqMGdP8Fo-86g%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ3nUbS9_hQUJ5rUzb%3DyPYkA-3ienthPwqMGdP8Fo-86g%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdgaxi9TROWe5GdQ%3DFpMXpQcQcquL8xgGgrVfxCyOeydw%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdgaxi9TROWe5GdQ%3DFpMXpQcQcquL8xgGgrVfxCyOeydw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcBi9GBhN19sb7M%2B3onw_1xcN%3DsNgTLqueWDy7ES9x9YA%40mail.gmail.com.
