Hi Aaron,
> As long as we do not publish the CRLs, they are not required to be updated on specific timetables.
My understanding is that absent the inclusion of a URI in a CRLDP extension of a Certificate that is subject to the BRs or some other Root Program requirement, there is no obligation by the CA to publish and update CRL-based revocation information on any specific cadence.
Given this, I believe that it’s compliant to not publish CRLs that are signed by the CA.
Thanks,
Corey
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfY4g7_6yz%2BLZ-mO0k_bDaSrxy4d9AJ8O8BQD-Et888tA%40mail.gmail.com.
Hi Ben,
There are a few CA and CRL lifecycle events linked to this change:
The proposed change to section 4.1 means that CRLs need to be published as soon as they are being disclosed in CCADB.
In some cases, CAs are generated a while before they are used, for example TLS CAs that we rotate on a quarterly basis. In that case, CRLs will only be published close to when the CA becomes operational.
It seems the timeline to populate the CRL information in CCADB is currently flexible and supports this approach (i.e. populating and publishing the CRL a while after the CA is disclosed).
Is this the correct understanding? If there’s a different interpretation or intention to restrict this timeline in the future, we would like to further discuss.
Thanks
Christophe
Hi Ben,
The proposed phrasing sounds like a more flexible approach to CRL publishing, which seems to still meet the intention of the requirement.
This would allow for the use cases we highlighted.
Christophe