Empty JSON Array of Partitioned CRLs


Ben Wilson
Mar 10, 2023, 2:22:27 PM
to public
All,
The CCADB currently has a field titled, "JSON Array of Partitioned CRLs".
We have previously instructed CAs that when there is no CRL, they should put an empty JSON array in this field, "[]".  A problem has arisen when this field is populated via API. When this notation for an empty array is submitted to the CCADB via API, it is dropped. So, I'm wondering whether we should adopt some other, consistent notation that will work with the API and for everyone who might use the information from this field in the CCADB. (I don't like the idea of just leaving this field empty, because that is the default when no information has been provided by the CA.)
Any advice is appreciated.
Thanks,
Ben

Ryan Hurst
Mar 12, 2023, 11:50:26 PM
to Ben Wilson, public
Possibly add a last update value for this field?

Ryan

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtab59gZ0ae4OWnfLS055WZRW%3Dd923_-C6%2BJw_5e2Xx15oA%40mail.gmail.com.

Adrian Müller
Mar 13, 2023, 8:07:26 AM
to CCADB Public, Ben Wilson

Dear Ben,

Thank you for bringing up this topic. Concerning the sentence “We have previously instructed CAs that when there is no CRL, they should put an empty JSON array in this field, "[]"”, I have the following question (please excuse my ignorance):

To which case does the above-mentioned sentence refer?

  1. The CA does not issue a CRL at all (e.g. because it relies on OCSP only or because it issues short-lived certificates for which no revocation services are provided).
  2. The CA issues a full CRL only; no partitioned CRLs are issued and therefore no array of partitioned CRLs is provided.

Thanks in advance for your answer.

Best regards

Adrian

Adrian M. Mueller
Product Manager Certificate Services
+41 43 811 05 97
adrian....@swisssign.com

Aaron Gable
Mar 13, 2023, 12:16:05 PM
to Adrian Müller, CCADB Public, Ben Wilson
It refers to case 2. It also refers to the case where the Subordinate CA exists and therefore has an entry in CCADB, but has never issued any certificates, and therefore is not yet required to populate the CRL fields: "...SHALL populate the CCADB fields... within 7 days of such intermediate CA issuing its first certificate" (MRSP, Section 4.1).


Kathleen Wilson
Mar 13, 2023, 6:59:06 PM
to CCADB Public
Currently the "JSON Array of Partitioned CRLs" field can be set to '[]' to indicate that the CA is aware that this value needs to be provided as soon as the intermediate certificate starts to issue certificates. We did this because leaving the "JSON Array of Partitioned CRLs" field empty indicates that the CA has not set the value in this field, and this results in an error that is reported in the CA's Task List when the "Full CRL Issued By This CA" field is also empty.

However, there is a problem when the "JSON Array of Partitioned CRLs" field needs to be set to '[]' via the API. When '[]' is passed into JSONArrayofPartitionedCRL the CCADB program sees it as an empty string.

Here are a couple options to resolve this problem.

Option 1:
Update the CCADB to interpret input from the API:
-  If FullCRLIssuedByThisCA is provided then JSONArrayofPartitionedCRLs should be empty.
-  If both FullCRLIssuedByThisCA and JSONArrayofPartitionedCRLs are empty (or ‘[]’ which is seen as empty by the CCADB) then set the JSONArrayofPartitionedCRLs field to ‘[]’.
-  If JSONArrayofPartitionedCRLs is null, then no action is taken on the field.

Option 2:
Update the API to change JSONArrayofPartitionedCRLs to take a string instead of a JSON array.
This will be a breaking change for the CAs who are currently using the API, as they will need to update the data type on their side as well.

Option 3:
Maybe [" "] or [""] can be passed into JSONArrayofPartitionedCRLs?
I'll ask our Salesforce Admin if the CCADB also sees those as empty when passed in via the API.

---
Here are current references on this topic, and I have bolded the text that is relevant to this discussion.

"Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" on Root and Intermediate Certificate records, within 7 days of the corresponding CA issuing its first certificate. This requirement applies to each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program."

"CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" within 7 days of such intermediate CA issuing its first certificate;"

In the CCADB on intermediate certificate record pages, there is text at the beginning of the "Pertaining to Certificates Issued by this CA" section that says:
"One of the following fields must be filled in. If this intermediate certificate has not issued any certificates, you may put [] into the 'JSON Array of Partitioned CRLs' field until it starts issuing certificates.
The 'Full CRL Issued By This CA' can only contain one URL"

The README.md for the API that is used by CAs to update intermediate certificate data in the CCADB says:
Class PertainingToCertificatesIssued {
    String FullCRLIssuedByThisCA;            # can be null or a link  
    List<string> JSONArrayofPartitionedCRLs  # Can be null or a JSON Array of strings; no action taken on this field when value is null; when value is [] the field is reset to empty; field has 20,000 characters limit
}

Email from our Salesforce admin:
"The integration program reads 'JSONArrayofPartitionedCRL' into a list of array. When the user passes '[]' in the request, the program sees it as an empty string. "


Jesper Kristensen
Mar 14, 2023, 4:29:59 PM
to Kathleen Wilson, CCADB Public
To me, your options 1 and 3 seem to be a hack on top of a hack, making the API harder to understand and making it more likely for CAs to make implementation errors. You have already made a hack in the API by changing [] into blank. I guess you have done that because you have already used null to mean "don't change the value of this field", and there is no good way to support both "set to blank" and "don't update the field" when the type is a List.

You could implement your option 2 in a backwards compatible way by adding a field with a different name (e.g. JSONArrayofPartitionedCRLsAsString) and then allow at most one of the fields to be set in the request.


Kathleen Wilson
Mar 15, 2023, 2:31:35 PM
to CCADB Public, Jesper Kristensen, CCADB Public, Kathleen Wilson
Our Salesforce Admin has confirmed that passing [""] into JSONArrayofPartitionedCRLs will work -- it will result in [""] being stored in the "JSON Array of Partitioned CRLs" field.

I checked in the CCADB, and some CAs have already been manually entering [""] into the "JSON Array of Partitioned CRLs" field to indicate that the certificate is not yet issuing (and that they will provide a JSON array of partitioned CRLs when it does start issuing).  So my preference is to go with this option. I will just have to clean up the inconsistencies in the instructions and API readme.

Jesper, If you still believe that this option is a hack on top of a hack, please help me understand what is wrong with it.

Thanks,
Kathleen

Jesper Kristensen
Mar 15, 2023, 4:59:08 PM
to CCADB Public
If [""] in the API results in [""] in the field, that seems better than what I thought you were suggesting, that [""] in the api should be changed into [] in the field.

Kathleen Wilson
Apr 6, 2023, 8:27:16 PM
to CCADB Public
To close this discussion...

The value [""] may be entered into the "JSON Array of Partitioned CRLs" field to indicate that the certificate is not yet issuing (and that the CA will provide a JSON array of partitioned CRLs when it does start issuing).

The API Instructions have been updated to indicate this, as well as the section instructions in the CCADB.

Thanks,
Kathleen
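
Editor's note (added example, not part of the thread and not CCADB code): the behaviour described above, that the API treats null as "no action", drops [] to an empty field, and now accepts [""] as the "not yet issuing" placeholder, is exactly the kind of thing a CA's integration should check before it submits an update, because a request that lands as an empty field only shows up later as a Task List error. The Python below is a pre-flight check written for this page; it uses only the field names, the [""] convention, the "either/or" rule, the one-URL rule for the full CRL and the 20,000-character limit quoted in the thread. The function names, the status labels and the http(s)-URL test via urlparse are this example's own choices, and the model of what the API stores is an assumption drawn from the README excerpt, not the CCADB's own implementation.

```python
import json
from urllib.parse import urlparse

# Placeholder the thread settled on for a CA certificate that has not yet
# issued any certificates (and so is not yet required to disclose CRLs).
NOT_YET_ISSUING = [""]

# Character limit stated for the field in the API README quoted above.
PARTITIONED_CRL_CHAR_LIMIT = 20_000


def _is_single_http_url(value):
    """True if value is exactly one absolute http(s) URL (no separators)."""
    if not isinstance(value, str) or not value:
        return False
    if any(ch.isspace() or ch == "," for ch in value):
        return False  # several URLs, or junk, crammed into a one-URL field
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def stored_partitioned_value(partitioned):
    """Model of what the CCADB integration stores for JSONArrayofPartitionedCRLs,
    following the README excerpt in the thread (an assumption about the described
    behaviour, not the CCADB's own code):
      None -> field left untouched (None here)
      []   -> field reset to an empty string
      else -> the serialised JSON array
    """
    if partitioned is None:
        return None
    if partitioned == []:
        return ""
    return json.dumps(partitioned, separators=(",", ":"))


def check_crl_disclosure(full_crl, partitioned):
    """Pre-flight check of one update to the 'Pertaining to Certificates
    Issued by This CA' fields.

    full_crl    -- FullCRLIssuedByThisCA: None or one CRL URL
    partitioned -- JSONArrayofPartitionedCRLs: None, [], [""] or a list of URLs

    Returns (status, problems); status is one of 'full-crl', 'partitioned',
    'not-yet-issuing', 'unchanged' or 'invalid' (labels chosen for this example).
    """
    if partitioned is not None and (
        not isinstance(partitioned, list)
        or not all(isinstance(item, str) for item in partitioned)
    ):
        return "invalid", ["JSONArrayofPartitionedCRLs must be null or a JSON array of strings"]

    problems = []
    full_set = bool(full_crl)            # None and "" both mean 'not set'
    stored = stored_partitioned_value(partitioned)
    part_set = bool(stored)              # "" (what [] becomes) counts as empty

    if full_set and not _is_single_http_url(full_crl):
        problems.append("FullCRLIssuedByThisCA must contain exactly one http(s) URL")

    if part_set:
        if len(stored) > PARTITIONED_CRL_CHAR_LIMIT:
            problems.append(f"JSONArrayofPartitionedCRLs exceeds {PARTITIONED_CRL_CHAR_LIMIT} characters")
        if partitioned != NOT_YET_ISSUING:
            bad = [u for u in partitioned if not _is_single_http_url(u)]
            if bad:
                problems.append(f"partitioned CRL entries are not single http(s) URLs: {bad!r}")

    if full_set and part_set:
        # The CCADB instructions say 'either ... or': populate one field, not both.
        problems.append("both FullCRLIssuedByThisCA and JSONArrayofPartitionedCRLs are populated; use one")
    if problems:
        return "invalid", problems
    if full_set:
        return "full-crl", []
    if partitioned is None:
        # This request touches neither field; the existing record must already comply.
        return "unchanged", []
    if partitioned == []:
        # '[]' is dropped by the API and lands as an empty field, which the CCADB
        # flags in the Task List when the full-CRL field is empty as well.
        return "invalid", ["'[]' is stored as empty by the API; send [\"\"] for a CA that is not yet issuing"]
    if partitioned == NOT_YET_ISSUING:
        return "not-yet-issuing", []
    return "partitioned", []


if __name__ == "__main__":
    # Constructed sample updates (hostnames are placeholders, not real CRLs).
    samples = [
        ("http://crl.example.test/full.crl", None),
        (None, [""]),
        (None, []),
        ("", ["http://crl.example.test/p1.crl", "http://crl.example.test/p2.crl"]),
        ("http://crl.example.test/a.crl http://crl.example.test/b.crl", None),
    ]
    for full, part in samples:
        print(f"{full!r:>62} {part!r:>60} -> {check_crl_disclosure(full, part)}")
```

Run it before each API call and refuse to send a request that comes back "invalid"; the "unchanged" case is a reminder that a request with both fields null changes nothing, so it cannot be used to clear a Task List error.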


