Policy 2.8: MRSP Issue #235: Require CCADB Disclosure of Full CRLs (or equivalent JSON array) for CRLite

186 views
Skip to first unread message

Ben Wilson

unread,
Nov 17, 2021, 11:06:08 PM11/17/21
to dev-secur...@mozilla.org
All,

This email introduces public discussion regarding a new requirement to be included in the next version of the Mozilla Root Store Policy (MSRP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)

Github Issue #235 proposes that we amend MRSP section 4.1 to require, effective October 1, 2022, that CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store populate the CCADB with the CRL Distribution Point for the Full CRL or a JSON Array of Partitioned CRLs. (The CCADB already has these two alternative fields available to be filled in by CAs and instructs, "When there is no full CRL for certificates issued by this CA, provide a JSON array whose elements are URLs of partial CRLs that when combined are the equivalent of a full CRL for the certificates issued" by the CA.)

Mozilla is moving forward with CRLite, so we need full CRL information for TLS certificates. Apple has also stated that this same information will be required of CAs in their program, effective October 1, 2022. (See https://www.apple.com/certificateauthority/ca_program.html).

We welcome your comments and suggestions.

Thanks,

Ben


Aaron Gable

unread,
Nov 18, 2021, 3:51:20 PM11/18/21
to Ben Wilson, dev-secur...@mozilla.org
One point of interest here: although Apple's requirements reference the "Pertaining to Certificates Issued By This CA" section, and the github issue and email above reference the "Full CRL Issued by this CA" and "JSON Array of Partitioned CRLs" fields, these are in fact the same thing: those two fields are the only fields in that section.

I'd hope / suggest that Mozilla and Apple will converge on using the same language to require that one of those two fields in that section be filled out for the sake of minimizing confusion.

Aaron

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com.

Clint Wilson

unread,
Dec 10, 2021, 11:18:15 AM12/10/21
to Aaron Gable, Ben Wilson, MDSP
Is there a preference for which provides the greatest clarity to CAs (thinking especially of those that haven’t followed the ongoing development of this over the last ~18 months)?

Aaron Gable

unread,
Dec 10, 2021, 2:30:30 PM12/10/21
to Clint Wilson, Ben Wilson, MDSP
I currently prefer the language proposed by Ben above, because the current Apple language:

> CA providers must populate the “Pertaining to Certificates Issued by this CA” section of the CCADB for each included CA Certificate and each CA Certificate chaining up to an included CA Certificate in the Apple Root Program.

is not clear as to whether it is expected that one or both fields in that section must be filled out, and just reading the requirement does not make it clear what kind of information is contained in that section.

Aaron

Ben Wilson

unread,
Jan 6, 2022, 5:41:38 PM1/6/22
to Aaron Gable, Clint Wilson, MDSP
Here is some draft language:
"Effective October 1, 2022, CA operators with intermediate CA certificates that are capable of issuing TLS certificates chaining up to root certificates in Mozilla's root store SHALL populate the CCADB fields under "Pertaining to Certificates Issued by This CA" with either the CRL Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of Partitioned CRLs"."
Reply all
Reply to author
Forward
0 new messages