Policy 2.8.1: MRSP Issue #256: Requirement that Partitioned CRLs include an Issuing Distribution Point extension

572 views
Skip to first unread message

Ben Wilson

unread,
Nov 17, 2022, 12:01:34 AM11/17/22
to dev-secur...@mozilla.org
This discussion thread is to address Issue #256 and the need to clarify that partitioned CRLs need to include a critical Issuing Distribution Point extension.
 
The language proposed for addition to Mozilla Root Store Policy section 4.1 would read, "Each CRL referenced by the JSON Array of Partitioned CRLs MUST contain a critical Issuing Distribution Point extension. The Issuing Distribution Point extension MUST contain a distributionPoint containing a UniformResourceIdentifier whose value equals the URL of the CRL in the JSON Array of Partitioned CRL".

Please provide any comments or suggestions.

Thanks,

Ben

Aaron Gable

unread,
Nov 17, 2022, 4:02:54 PM11/17/22
to Ben Wilson, dev-secur...@mozilla.org
Thanks Ben, this language seems reasonable to me (with one edit: the last acronym "CRL" needs to be plural). 

That said, rather than repeating-and-extending the BRs language, I would consider turning this requirement on its head:

"Each URL listed in the JSON Array of Partitioned CRLs MUST match a distributionPoint UniformResourceIdentifier value in the referenced CRL."

Basically, because the CRLs are already required to include the distributionPoint field, there's no need to specify that again. Instead, just specify that the URL listed in CCADB must match the distributionPoint, because otherwise Mozilla won't trust the fetched CRL.

Does that approach seem reasonable as well?

Aaron

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZ3nUbS9_hQUJ5rUzb%3DyPYkA-3ienthPwqMGdP8Fo-86g%40mail.gmail.com.

Corey Bonnell

unread,
Nov 17, 2022, 5:21:36 PM11/17/22
to Aaron Gable, Ben Wilson, dev-secur...@mozilla.org

I think the proposal may need accommodate the case where issued certificates have a CRLDP that contain a URI which points to a sharded CRL that may not be disclosed in CCADB. In other words, it is possible that the CA employs one sharding strategy for CCADB while using a different strategy for the CRLs that are referenced in the CRLDP of certificates it issues. The CA may be producing more CRLs than strictly necessary in this case, but I’m unaware of anything prohibiting such practice today and am hard-pressed to think of any issues that may arise with such an arrangement. I attempted to capture this consideration in my language proposal on Github [1].

 

Thanks,

Corey

 

[1] https://github.com/mozilla/pkipolicy/issues/256#issuecomment-1315648591

Aaron Gable

unread,
Nov 17, 2022, 5:31:50 PM11/17/22
to Corey Bonnell, Ben Wilson, dev-secur...@mozilla.org
I believe that my proposal addresses that case. It only establishes a single requirement: that the URLs in CCADB and (one of) the URIs in the CRLs match. It doesn't matter why the CA is producing those CRLs (specifically for CCADB, or for use directly by relying parties, or both) or what the sharding strategy is: the important thing here is that the URL requested by CRLite infrastructure contains a CRL with a matching distributionPoint.

Aaron

Corey Bonnell

unread,
Nov 22, 2022, 11:30:12 AM11/22/22
to Aaron Gable, Ben Wilson, dev-secur...@mozilla.org

Hi Aaron,

I prefer explicitly stating that something is allowed, because we have seen previously that the lack of explicit allowance (or prohibition) in these requirements is the source of much disagreement. For this reason, I think explicitly enumerating what is allowed provides the most clarity (and less room for future disagreements).

 

That being said, I agree that your proposal is much more concise than the other proposals. If folks think my concern about explicitly enumerating allowances is unreasonable, then I think your language is fine.

 

Thanks,

Corey

Aaron Gable

unread,
Nov 28, 2022, 7:17:36 PM11/28/22
to Corey Bonnell, Ben Wilson, dev-secur...@mozilla.org
I think you make a really good point! I'm not a fan of repeating ourselves, but clarity is very valuable.

I'd be happy with this requirement in either phrasing.

Aaron

Ben Wilson

unread,
Nov 30, 2022, 3:15:27 PM11/30/22
to Aaron Gable, Corey Bonnell, dev-secur...@mozilla.org, Andrew Ayer
What about adding something in both locations? 

(1) Making the change in MRSP section 4.1 to say, "Each CRL referenced by the JSON Array of Partitioned CRLs MUST contain a critical Issuing Distribution Point extension as described in section 6.3. The Issuing Distribution Point extension MUST contain a distributionPoint containing a UniformResourceIdentifier whose value equals the URL of the CRL in the JSON Array of Partitioned CRL;" 

AND

(2) making Corey's suggested change to MRSP section 6.3 so that it says,

A CRL whose scope does not include all unexpired certificates that are issued by the CA SHALL contain a critical Issuing Distribution Point extension. The distributionPoint field of the extension SHALL include a UniformResourceIdentifier whose value is derived from one of the two following sources:

1.    The UniformResourceIdentifier as encoded in the distributionPoint field of an issued certificate's CRL Distribution Points extension (see RFC 5280 section 5.2.5); or

2.    The URL as included in the "JSON Array of Partitioned CRLs" field in the CCADB entry corresponding to the certificate for the issuing CA.

Will that create any conflicting language or leave a gap that would allow CRL swapping?  If not, then I don't mind if it's slightly redundant in some aspects.

Thanks,

Ben

Corey Bonnell

unread,
Dec 5, 2022, 1:22:01 AM12/5/22
to Ben Wilson, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer

I like this solution. It establishes the CCADB-specific requirement in the section dedicated to CCADB but also specifies the CRL profile with details that are not necessarily specific to CCADB.

 

Thanks,

Corey

Ben Wilson

unread,
Dec 7, 2022, 2:39:08 PM12/7/22
to Corey Bonnell, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer

Ben Wilson

unread,
Jan 19, 2023, 5:45:59 PM1/19/23
to Corey Bonnell, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer
I am proposing that instead of having a section 6.3 (CRLs) we have a section 6.1.2 (TLS Certificate CRL Issuing Distribution Points) - thoughts, comments, suggestions?
See

Corey Bonnell

unread,
Jan 20, 2023, 11:00:10 AM1/20/23
to Ben Wilson, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer

Hi Ben,

I think this change is fine from a Mozilla Policy standpoint, as Mozilla only requires the disclosure of CRL URLs for TLS-capable CAs in CCADB. Apple, on the other hand, requires the disclosure of CRL URLs for all CAs regardless of technical capability (i.e., non-TLS CAs also have this disclosure requirement).  Further guidance in the Apple root program policy on the encoding requirements for IDPs may be needed to cover the non-TLS CA case.

Dimitris Zacharopoulos

unread,
Jan 23, 2023, 1:32:19 PM1/23/23
to Corey Bonnell, Ben Wilson, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer
Hi Corey,

I think Apple has clarified that they expect the full CRL URL to be added for CAs that are for the issuance of email protection or TLS certificates. It should not be required for CAs that contain an EKU with only id-kp-timeStamping or id-kp-codeSigning or id-kp-clientAuth. If I recall correctly, this was also confirmed by Kathleen during a CCADB presentation in February 2022.


Thanks,
Dimitris.

Corey Bonnell

unread,
Jan 23, 2023, 1:58:50 PM1/23/23
to Dimitris Zacharopoulos, Ben Wilson, Aaron Gable, dev-secur...@mozilla.org, Andrew Ayer

Hi Dimitris,

The CCADB update minutes for the February 2022 F2F [1] say:

 

“– Dimitris asked if full CRLs are required for technically constrained ICAs. Kathleen responded that the Root Program requirements are currently different; the new filter can be used in this case.

 

– Clint clarified that for the Apple Root Program, all ICAs will be required to make available full CRL information regardless of technical capability.”

 

Clint’s clarification aligns with the current wording of Apple Root Program policy. Your interpretation may very well be accurate, but I’m unable to find any minuted/written discussion that limits the scope of this requirement to encompass only id-kp-serverAuth or id-kp-emailProtection.

 

[1] https://cabforum.org/2022/02/22/2022-02-22-minutes-of-face-to-face-meeting-in-salt-lake-city/

Clint Wilson

unread,
Jan 23, 2023, 1:59:32 PM1/23/23
to Dimitris Zacharopoulos, Corey Bonnell, Ben Wilson, Aaron Gable, MDSP, Andrew Ayer
Hi Dimitris,

The current expectation is described in the Apple Policy:

Effective October 1, 2022, CA providers must populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs" on Root and Intermediate Certificate records, within 7 days of the corresponding CA issuing its first certificate. This requirement applies to each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program. 

Notably, there is not currently an exclusion for certificates which do not contain the id-kp-serverAuth or id-kp-emailProtection EKUs; it applies to all the Root CAs included in the Apple Root Program as well as each subordinate CA which chains up to one of those Root CAs.

Thank you,
-Clint

Reply all
Reply to author
Forward
0 new messages