Tracking CRL Disclosure Compliance


Rob Stradling

Sep 23, 2022, 6:28:57 AM
to dev-secur...@mozilla.org
To help CAs and any other interested parties track compliance with MRSP Version 2.8's CRL disclosure requirement (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements) before the October 1st deadline, I've updated https://crt.sh/mozilla-disclosures to flag in-scope Intermediate Certificates for which both the "Full CRL Issued By This CA" and "JSON Array of Partitioned CRLs" fields are empty in the corresponding CCADB records.

https://crt.sh/mozilla-disclosures#disclosureincomplete shows each affected Intermediate Certificate, with the message '"Full CRL Issued By This CA" or "JSON Array of Partitioned CRLs" is required'.
https://crt.sh/mozilla-disclosures#disclosureincompletesummary shows a summary of the same information, grouped by Root Owner.

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
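As an added illustration (example code written for this page, not crt.sh's implementation and not part of Rob's post), the following Python script applies the same check to CCADB-style records: an in-scope Intermediate Certificate is flagged when both "Full CRL Issued By This CA" and "JSON Array of Partitioned CRLs" are empty. It goes slightly beyond the check described above in two ways: the partitioned-CRL field is actually parsed, so a value that is not a JSON array of non-empty strings is treated as if it were empty, and expired certificates are classified as not requiring disclosure before the CRL fields are examined. Only the two CRL column names come from the post; the other column names ("Owner", "Certificate Record Type", "SHA-256 Fingerprint", "Valid To (GMT)"), the date format and the sample rows are assumptions constructed for this example.

```python
"""Flag CCADB intermediate records that satisfy neither CRL disclosure option.

Example code for this page; not crt.sh's own implementation. The two CRL
column names are the real CCADB field names quoted in the post; every other
column name, the date format and the sample data are assumptions.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timezone

FULL_CRL = "Full CRL Issued By This CA"
PARTITIONED = "JSON Array of Partitioned CRLs"
REQUIRED_MSG = f'"{FULL_CRL}" or "{PARTITIONED}" is required'

# Constructed sample in CCADB-style CSV form (not real CCADB data).
# Row-by-row: AAAA has a full CRL; BBBB has two partitioned CRLs; CCCC has
# neither; DDDD has neither but is expired; EEEE is a root (out of scope);
# FFFF has garbage in the partitioned-CRL field.
SAMPLE_CSV = """\
Owner,Certificate Record Type,SHA-256 Fingerprint,Valid To (GMT),Full CRL Issued By This CA,JSON Array of Partitioned CRLs
Owner A,Intermediate Certificate,AAAA,2030.01.01,http://crl.example/full.crl,
Owner A,Intermediate Certificate,BBBB,2030.01.01,,"[""http://crl.example/p1.crl"",""http://crl.example/p2.crl""]"
Owner A,Intermediate Certificate,CCCC,2030.01.01,,
Owner B,Intermediate Certificate,DDDD,2020.01.01,,
Owner B,Root Certificate,EEEE,2030.01.01,,
Owner B,Intermediate Certificate,FFFF,2030.01.01,,not json
"""

# Fixed "now" so the example is reproducible (the date of the post).
NOW = datetime(2022, 9, 23, tzinfo=timezone.utc)


def partitioned_crls(field):
    """Parse the JSON Array of Partitioned CRLs field.

    Returns the list of URLs, or an empty list when the field is blank or does
    not hold a JSON array of non-empty strings (so a malformed value counts as
    no disclosure rather than passing the check).
    """
    if not field.strip():
        return []
    try:
        value = json.loads(field)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return []
    if not isinstance(value, list) or not all(isinstance(u, str) and u for u in value):
        return []
    return value


def classify(row, now=NOW):
    """Return a status string for one CCADB record (assumed column names)."""
    if row["Certificate Record Type"] != "Intermediate Certificate":
        return "out of scope: not an intermediate"
    valid_to = datetime.strptime(row["Valid To (GMT)"], "%Y.%m.%d").replace(tzinfo=timezone.utc)
    if valid_to < now:
        # Expiration is checked before the CRL fields, so an expired
        # intermediate is never reported as incomplete.
        return "expired: disclosure not required"
    if row[FULL_CRL].strip():
        return "ok: full CRL disclosed"
    urls = partitioned_crls(row[PARTITIONED])
    if urls:
        return f"ok: {len(urls)} partitioned CRLs disclosed"
    return f"incomplete: {REQUIRED_MSG}"


def incomplete_records(csv_text, now=NOW):
    """Fingerprints of in-scope intermediates with neither CRL field usable."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["SHA-256 Fingerprint"] for r in rows if classify(r, now).startswith("incomplete")]


def incomplete_by_owner(csv_text, now=NOW):
    """Count of incomplete records per Owner (the summary view)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return dict(Counter(r["Owner"] for r in rows if classify(r, now).startswith("incomplete")))


if __name__ == "__main__":
    for row in csv.DictReader(io.StringIO(SAMPLE_CSV)):
        print(row["SHA-256 Fingerprint"], "->", classify(row))
    print("incomplete:", incomplete_records(SAMPLE_CSV))
    print("by owner:", incomplete_by_owner(SAMPLE_CSV))
```

To run this against a real export, replace SAMPLE_CSV with the contents of a CCADB CSV download and adjust the assumed column names to whatever the export actually uses; the two CRL field names are the ones the policy and crt.sh refer to.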

Doug Beattie

Sep 23, 2022, 7:13:03 AM
to Rob Stradling, dev-secur...@mozilla.org

Hi Rob,

Nice report, as usual!

I noticed some CAs that we might want to exclude in a future update of this report:

Thanks!


Rob Stradling

Sep 23, 2022, 7:52:08 AM
to Doug Beattie, dev-secur...@mozilla.org
Thanks Doug.

> A number of Roots were listed.  Since this is for ICAs, should we exclude those?

https://crt.sh/mozilla-disclosures aims to show all CA certificates (Roots and Intermediates), whether in-scope or out-of-scope for Mozilla's disclosure requirements, and to clearly show whether or not any further disclosure requirements apply.  I don't plan to change this approach.

That particular certificate is listed in the "Unconstrained, but no unexpired trust paths have been observed: Disclosure is not known to be required" group, which seems correct to me.
That particular certificate is listed in the "Expired: Disclosure is not required" group, which seems correct to me.
That particular certificate is also listed in the "Expired: Disclosure is not required" group, which seems correct to me.  Expiration trumps Revocation in this report.


From: Doug Beattie
Sent: Friday, September 23, 2022 12:12
To: Rob Stradling; dev-secur...@mozilla.org
Subject: RE: Tracking CRL Disclosure Compliance
