Currently the "JSON Array of Partitioned CRLs" field can be set to '[]' to indicate that the CA is aware that this value needs to be provided as soon as the intermediate certificate starts to issue certificates. We did this because leaving the "JSON Array of Partitioned CRLs" field empty indicates that the CA has not set the value in this field, and this results in an error that is reported in the CA's Task List when the "Full CRL Issued By This CA" field is also empty.
However, there is a problem when the "JSON Array of Partitioned CRLs" field needs to be set to '[]' via the API. When '[]' is passed into JSONArrayofPartitionedCRL the CCADB program sees it as an empty string.

Here are a couple of options to resolve this problem.

Option 1: Update the CCADB to interpret input from the API <https://github.com/mozilla/CCADB-Tools/tree/master/API_AddUpdateIntermediateCert>:
- If FullCRLIssuedByThisCA is provided then JSONArrayofPartitionedCRLs should be empty.
- If *both* FullCRLIssuedByThisCA and JSONArrayofPartitionedCRLs are empty (or '[]', which is seen as empty by the CCADB) then set the JSONArrayofPartitionedCRLs field to '[]'.
- If JSONArrayofPartitionedCRLs is null, then no action is taken on the field.

Option 2: Update the API to change JSONArrayofPartitionedCRLs to take a string instead of a JSON array. This will be a breaking change for the CAs who are currently using the API, as they will need to update the data type on their side as well.

Option 3: Maybe [" "] or [""] can be passed into JSONArrayofPartitionedCRLs? I'll ask our Salesforce Admin if the CCADB also sees those as empty when passed in via the API.

---

Here are current references on this topic, and I have bolded the text that is relevant to this discussion.

Apple's Root Store Policy <https://www.apple.com/certificateauthority/ca_program.html>:
"Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" on Root and Intermediate Certificate records, *within 7 days of the corresponding CA issuing its first certificate*. This requirement applies to each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program."
Mozilla's Root Store Policy <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>:
"CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" *within 7 days of such intermediate CA issuing its first certificate*;"

In the CCADB on intermediate certificate record pages, there is text at the beginning of the "Pertaining to Certificates Issued by this CA" section that says:
"One of the following fields must be filled in. *If this intermediate certificate has not issued any certificates, you may put [] into the 'JSON Array of Partitioned CRLs' field until it starts issuing certificates.* The 'Full CRL Issued By This CA' can only contain one URL"

The README.md for the API <https://github.com/mozilla/CCADB-Tools/tree/master/API_AddUpdateIntermediateCert> that is used by CAs to update intermediate certificate data in the CCADB says:

    Class PertainingToCertificatesIssued {
        String FullCRLIssuedByThisCA;            # can be null or a link
        List<string> JSONArrayofPartitionedCRLs  # Can be null or a JSON Array of strings; no action taken on this field when value is null; *when value is [] the field is reset to empty*; field has 20,000 characters limit
    }

Email from our Salesforce admin:
"The integration program reads 'JSONArrayofPartitionedCRL' into a list of array. *When the user passes '[]' in the request, the program sees it as an empty string.*"
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/a20fa312-08d5-4146-baf3-e1f81137a463n%40ccadb.org.
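Added example, not code from the CCADB, the CCADB-Tools repository or anyone in this thread: a Python model of the two behaviours the message describes. It shows that a CA's integration sends a Python empty list as the JSON text `[]` (which the CCADB currently reads as an empty string), gives a client-side pre-flight check a CA could run before calling the API, and implements the Option 1 server-side rule as proposed above so the three cases (null, `[]`, a real list) can be compared. Only the two field names and the 20,000-character limit come from the README; `StoredRecord`, `preflight`, `apply_option1`, the rejection of blank entries such as `[""]`, and the `crl.example.test` URLs are assumptions made for the example. Option 1 is a proposal in the message, not deployed CCADB behaviour.

```python
"""Added example: model of the CCADB 'Pertaining to Certificates Issued' fields.
Not CCADB code; it models the request shape and the proposed Option 1 rule."""
import json
from dataclasses import dataclass, asdict
from typing import List, Optional
from urllib.parse import urlparse

MAX_PARTITIONED_CHARS = 20_000  # field limit stated in the API README


@dataclass
class PertainingToCertificatesIssued:
    """Request body fields, named exactly as in the API README."""
    FullCRLIssuedByThisCA: Optional[str] = None             # null or a link
    JSONArrayofPartitionedCRLs: Optional[List[str]] = None  # null or a JSON array of strings


@dataclass
class StoredRecord:
    """Hypothetical view of the CCADB record (assumption: both are text fields)."""
    full_crl: str = ""
    partitioned_crls: str = ""


def wire_body(req: PertainingToCertificatesIssued) -> str:
    """Serialise the request as a CA's integration sends it. A Python [] becomes the
    JSON text [] on the wire, which the CCADB currently reads as an empty string."""
    return json.dumps(asdict(req))


def preflight(req: PertainingToCertificatesIssued) -> List[str]:
    """Client-side checks before calling the API (assumption: these are the checks a
    CA would want). Returns the list of problems; empty means the request is consistent."""
    problems = []
    full = (req.FullCRLIssuedByThisCA or "").strip()
    arr = req.JSONArrayofPartitionedCRLs
    if full and arr:
        problems.append("both fields set; only one of Full CRL / Partitioned CRLs may be populated")
    if full and urlparse(full).scheme not in ("http", "https"):
        problems.append(f"FullCRLIssuedByThisCA is not an http(s) URL: {full!r}")
    if arr is not None:
        for entry in arr:
            # [""] / [" "] are an open question in the thread; reject them client-side
            # (assumption) rather than depend on how the CCADB parses them.
            if not isinstance(entry, str) or not entry.strip():
                problems.append("blank or non-string entry in JSONArrayofPartitionedCRLs")
            elif urlparse(entry).scheme not in ("http", "https"):
                problems.append(f"partitioned CRL entry is not an http(s) URL: {entry!r}")
        if len(json.dumps(arr)) > MAX_PARTITIONED_CHARS:
            problems.append("JSONArrayofPartitionedCRLs exceeds the 20,000 character limit")
    return problems


def apply_option1(record: StoredRecord, req: PertainingToCertificatesIssued) -> StoredRecord:
    """Server-side interpretation proposed as Option 1 (a proposal, not deployed behaviour).
    The null test must come before the emptiness test: null means 'no action', while []
    (seen by the CCADB as '') means 'store the [] placeholder' when no full CRL is given."""
    new = StoredRecord(record.full_crl, record.partitioned_crls)
    if req.FullCRLIssuedByThisCA is not None:
        new.full_crl = req.FullCRLIssuedByThisCA.strip()
    arr = req.JSONArrayofPartitionedCRLs
    if arr is None:
        return new                        # null: no action taken on the field
    if (req.FullCRLIssuedByThisCA or "").strip():
        new.partitioned_crls = ""         # full CRL provided: partitioned list must be empty
    elif not arr:
        new.partitioned_crls = "[]"       # both empty: keep the "not issuing yet" placeholder
    else:
        new.partitioned_crls = json.dumps(arr)
    return new


if __name__ == "__main__":
    placeholder = PertainingToCertificatesIssued(None, [])
    print(wire_body(placeholder))
    print(preflight(placeholder), apply_option1(StoredRecord(), placeholder))
```

The `wire_body` output is the request a CA sends today; the admin's note that the program "sees it as an empty string" is why the current code resets the field rather than storing the `[]` placeholder, and `apply_option1` is the smallest server-side rule that restores the placeholder without changing the API's data type.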
