On 6/23/2025 11:42 AM, 'Dimitris Zacharopoulos (HARICA)' via CCADB
Public wrote:
> Hi Chris,
>
> Regarding the URLs of CRLDPs, it is not uncommon for a CA to change
> the URL of the CRLDP. Obviously, there are redirects until the
> certificates with the old URL expire. What is the expectation if there
> are multiple URLs to be included in CCADB?

Coming back to this thread from June 2025, I see several new incidents
submitted to Bugzilla claiming violation of the CCADB policy which
states in section 6.2 that:

/"URLs MUST match exactly as they appear in the certificates issued by
the corresponding CA."/

A CA may offer multiple URLs, all pointing to the same full CRL file. As
long as the CCADB-reported URL downloads the same file as the URLs
embedded in the CRLDP extensions of certificates, what difference does
it make?

Historically I've seen CAs changing URLs (for CRL, OCSP, CAIssuer paths)
using improved naming schemes, shortening FQDNs, using CDNs, etc.
Shouldn't this continue to be allowed?

Would it be reasonable by this community to interpret that the
CCADB-reported CRLDP URL reflects the LATEST URL included in newly
issued certificates?

Thank you,
Dimitris.