CRL partitioning and IDPs
Corey Bonnell
Hello,
As you all know, the new Apple and Mozilla policies for CAs to disclose the locations of CRL-based revocation information became effective this month. One of the options for CAs to provide this CRL-based revocation information is to provide a list of all CRL URLs, which when combined, provide a complete list of revoked certificates for the CRL issuer (CA) in the CCADB “JSON Array of Partitioned CRLs” field.
The issuance of partitioned CRLs is described in some detail in section 5.2.5 of RFC 5280 [1]. This section notes that CAs may partition CRLs any way they see fit. However, there is this requirement when partitioning CRLs:
“If the distributionPoint field is absent, the CRL MUST contain
entries for all revoked unexpired certificates issued by the CRL
issuer, if any, within the scope of the CRL.”
Although the wording could be improved, this passage is rather clear that the IDP extension with the distributionPoint field (which contains the URI of the CRL, in the WebPKI case) must be included if the CRL is partitioned.
X.509 08/2005 (which RFC 5280 profiles), section 8.6.2.2 is even clearer regarding the requirement to include the IDP extension in partitioned CRLs:
“If the issuing distribution point field, the AA issuing distribution point field, and the CRL scope field are all absent, the CRL shall contain entries for all revoked unexpired public-key certificates issued by the CRL issuer.”
Why does all this matter? Including the IDP extension not only aligns the CRL with the RFC 5280 profile, but also provides a security-critical function: it provides sufficient information to Relying Parties so that they can confirm they have retrieved the correct CRL and detect substitution attacks. Without the information carried in the IDP, an on-path attacker could substitute another CRL which doesn’t contain a serial number for a certificate that has been revoked, thus allowing the attacker to “hide” the revocation of a certificate. Given that the transport of these CRLs listed in CCADB is plaintext HTTP, such an attack would be feasible and would allow bad actors to tamper with the creation of the “compressed CRLs” that are generated by Apple, Mozilla, or other user agents. This security issue also has been raised several times on the IETF PKIX mailing list [2][3].
It does not appear that there is universal agreement or awareness on the above, based on some CCADB entries that were observed. Given this, I wanted to raise this topic for discussion to ensure that there is universal understanding of the requirements and expectations of Root Programs.
Thanks,
Corey
[1] https://www.rfc-editor.org/rfc/rfc5280#section-5.2.5
[2] https://mailarchive.ietf.org/arch/msg/pkix/sdBe9RXFcot9P23XPW-FiOvV2aM/
[3] https://mailarchive.ietf.org/arch/msg/pkix/qAQHDXOM_Y3xY3te-xR0e7lQLjM/
Aaron Gable
Although the wording could be improved, this passage is rather clear that the IDP extension with the distributionPoint field (which contains the URI of the CRL, in the WebPKI case) must be included if the CRL is partitioned.
> scope could be "all certificates issued by CA X", "all CA
> certificates issued by CA X", "all certificates issued by CA X that
> have been revoked for reasons of key compromise and CA compromise",
> or a set of certificates based on arbitrary local information, such
> as "all certificates issued to the NIST employees located in
> Boulder".
Andrew Ayer
"'Aaron Gable' via dev-secur...@mozilla.org"
> A client downloading the full collection of CRL shards can check the
> thisUpdate timestamps to ensure it is not receiving old data, and can
> check for duplicate shards to ensure it doesn't receive the same
> shard twice. As long as they download the correct expected number of
> sufficiently-recent shards, there are no duplicates, and all
> signatures validate, they can be confident that none of the shards
> have been replaced.
would determine whether a shard is "sufficiently-recent"? Let's say a
client considers anything less than 24 hours old to be
"sufficiently-recent" but a CA reissues CRLs every 12 hours. Then an
attacker would always be able to replace the shard they want to hide
with an older but still sufficiently-recent version of a different
shard.
Regards,
Andrew
Aaron Gable
Andrew Ayer
<dev-secur...@mozilla.org> wrote:
> An older but still sufficiently-recent version of a different shard
> would contain serials which also appear on the current version of
> that same different shard. These duplicate serials would immediately
> indicate that a substitution has occurred.
Regards,
Andrew
Aaron Gable
Andrew Ayer
<dev-secur...@mozilla.org> wrote:
> Ah, that's a good point!
>
> In Let's Encrypt's particular case, we guarantee that all of our CRL
> shards in a given "generation" share the same CRL Number, so
> detecting one shard substituted from a previous generation would be
> very easy. But I recognize that doing so is not required and could
> not be relied upon in the general case.
described by Corey without making assumptions about the CA's practices
which might not be true in all cases.
So I have to concur with Corey that there is currently a security issue
which would allow attackers to tamper with Apple and Mozilla revocation
systems.
A simple fix would be to require that CAs use HTTPS URLs for CRL
shards, though this wouldn't be as strong as relying on indicators
within the CRL itself.
Regards,
Andrew
Rob Stradling
Sent: 07 October 2022 15:01
To: Aaron Gable <aa...@letsencrypt.org>
Cc: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Corey Bonnell <Corey....@digicert.com>
Subject: Re: CRL partitioning and IDPs
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2F20221007100135.dbb57df7c258081cac2953f1%2540andrewayer.name&data=05%7C01%7Crob%40sectigo.com%7C2b6603bb81ae4881fd1c08daa86c78e0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638007481084138290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=wxvk2aikAMdS%2BKo4yOkkce73iGMrgATyEz%2BzKXvnWQo%3D&reserved=0.
Tim Hollebeek
If you think there is a bug in RFC 5280, please file an errata and let the IETF process take care of it, instead of coming to your own independent conclusion.
-Tim
Rob Stradling
Sent: 07 October 2022 17:30
To: Aaron Gable <aa...@letsencrypt.org>; Corey Bonnell <Corey....@digicert.com>
Cc: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: RE: CRL partitioning and IDPs
If you think there is a bug in RFC 5280, please file an errata and let the IETF process take care of it, instead of coming to your own independent conclusion.
-Tim
I think it is totally reasonable to conclude that RFC 5280's "within the scope of the CRL" language is a bug.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Job Snijders
I'd like to share some observations and an idea from a PKIX sibling of
the WebPKI used for Internet routing security. Technical innovation
should of course follow the IETF process; I'm sending this message here
to offer myself as a point of contact for further off-list discussion
with interested parties.
On Fri, Oct 07, 2022 at 10:01:35AM -0400, Andrew Ayer wrote:
> Right. I'm not seeing any way for a client to avoid the attack
> described by Corey without making assumptions about the CA's practices
> which might not be true in all cases.
>
> So I have to concur with Corey that there is currently a security
> issue which would allow attackers to tamper with Apple and Mozilla
> revocation systems.
>
> A simple fix would be to require that CAs use HTTPS URLs for CRL
> shards, though this wouldn't be as strong as relying on indicators
> within the CRL itself.
Public Key Infrastructure (RPKI) community faced when designing the
foundation for a Secure Internet Routing architecture [RFC6480].
[ crash course: The RPKI is a constellation of Trust Anchors (root
certs, aka unconstrained CAs), regular CAs (each more narrowly
constrained following hierarchical IP & AS resource delegations),
CRLs, and lots of Signed Objects (containers carrying EE certificates
and payloads relevant to BGP routing). A key point here is that the
distribution of RPKI data from CAs towards Relying Parties solely
relies on object security, not transport security like HTTPS. ]
Some risks were identified at the time: (1) RPs must be able to verify
they have the complete set of files in hand the CA intended them to
have; (2) none of the files were tampered with mid-flight; (3) the RP is
not falling victim to replay attacks of previously valid data.
To mitigate the above risks, the concept of "Manifests" was introduced.
A RPKI Manifest [RFC9286] is a Cryptographic Message Syntax (CMS)
protected content type which carries as payload a monotonically
increasing value (manifestNumber) and a listing of pairs of a file name
and SHA-256 message digests calculated over the file's contents. Each
Manifest listing contains the filename of a CRL and the SHA-256 of that
CRL file.
As a certificate can list multiple CRL Distribution Point URLs (pointing
to shards), the WebPKI RP can establish there is a set of files to
consider, and for each file can verify the issuer signature; but cannot
verify whether each file within the set is the most current one, (or
whether the set of files are coherent from a versioning perspective).
On the other hand, RPKI RPs are 'better off' in this regard: they can
compare whether the newly fetched Manifest has a higher manifestNumber
than the (previously fetched, locally cached) Manifest, and each
manifestNumber corresponds to a list of SHA-256 hashes; making for a
great mechanism to robustly deal with distribution bundles of files.
Perhaps a bit of glue is missing in this ecosystem if there are concerns
about replay attacks (or more innocently phrased 'caching decoherence'),
and CRL sharding? Maybe researchers & auditors would benefit from a
RPKI-Manifest-like extension to the products generated by the likes of
Boulder?
I'm happy to share what I know (having authored a few internet-drafts
and some experience implementing RPKI RP software). Perhaps there is an
opportunity here to do better than 'just put the files on HTTPS'! :-)
Kind regards,
Job
Aaron Gable
Although this "defect" remains in RFC5280, ISTM that the original X.509 requirement is restored by MRSP section 5.2 [2], which says:
"CA operators MUST NOT issue ... partial/scoped CRLs that lack a distributionPoint in a critical issuingDistributionPoint extension"
Does this observation cause you to rethink your conclusion?
Tim Hollebeek
As you correctly point out, IETF processes differ significantly from WG to WG, and occasionally IETF doesn’t live up to the standards it claims to uphold, for various reasons. I haven’t been closely following your experiences with ACME, but I apologize if you feel that they were not handled to your satisfaction, and if I can help with that in any way with that I’m willing to do so.
If people feel that filing errata is not worth their time, that is their choice to make. However, even if the errata is never incorporated into an update, it’s still useful documentation to have. For example, the 6844 errata were even referenced in the BRs long before they ever got put into 6844-bis. Many of the IETF RFCs (including RFC 5280!) have published errata that are quite useful.
I happen to know that both of the LAMPS chairs (I’m one) are pretty familiar with RFC 5280, and if there are important errors to call out, we’d certainly be interested in seeing that done. It’s an important RFC.
I’m dancing around the merits, because I don’t want to comment on a topic that might come to LAMPS in the near future, but I do want to reiterate, if you think that there is something wrong with RFC 5280, I’d appreciate if people would file errata, and we can take things from there.
-Tim
From: 'Rob Stradling' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 7, 2022 1:13 PM
To: Tim Hollebeek <tim.ho...@digicert.com>
Cc: dev-secur...@mozilla.org; Aaron Gable <aa...@letsencrypt.org>; Corey Bonnell <Corey....@digicert.com>
Subject: Re: CRL partitioning and IDPs
Hi Tim. That's the theoretically correct process, but...
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729F3A7356AEBD37C087047AA5F9%40MW4PR17MB4729.namprd17.prod.outlook.com.
Corey Bonnell
> though this wouldn't be as strong as relying on indicators within the CRL
> itself.
Firstly, compromise of the web server/CDN serving the sharded CRLs would allow
an attacker to carry out the substitution attack described in this thread,
whereas the use of IDP would require the attacker to compromise the CA's
signing infrastructure to suppress the inclusion of the extension. Thus, there
is a different level of security in the two approaches.
Secondly, using HTTPS for transport raises the possibility of recursive
revocation lookups, depending on the certificate chain employed.
Lastly, the inclusion of the IDP extension and distributionPoint field in
sub-scoped CRLs is a requirement of RFC 5280 and X.509 and thus must be
unconditionally included (it is a deviation of the profile to omit it). Given
that the inclusion of the IDP is the standard mechanism to prevent exactly the
attack described in this thread, it should be employed here as opposed to
layering hacky fixes on top of CRLs that do not adhere to the profile.
Thanks,
Corey
-----Original Message-----
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On
Behalf Of Andrew Ayer
Sent: Friday, October 7, 2022 10:02 AM
To: Aaron Gable <aa...@letsencrypt.org>
<dev-secur...@mozilla.org>; Corey Bonnell <Corey....@digicert.com>
Subject: Re: CRL partitioning and IDPs
You received this message because you are subscribed to the Google Groups
"dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to dev-security-po...@mozilla.org.
To view this discussion on the web visit
Clint Wilson
Further, it's probably worth noting that CRL URL(s) referenced only in the CCADB JSON array should match the IDP URL(s).
Cheers,
Clint
Aaron Gable
> A simple fix would be to require that CAs use HTTPS URLs for CRL shards,
> though this wouldn't be as strong as relying on indicators within the CRL
> itself.
I believe including the IDP is the better solution, for three reasons:
Firstly, compromise of the web server/CDN serving the sharded CRLs would allow
an attacker to carry out the substitution attack described in this thread,
whereas the use of IDP would require the attacker to compromise the CA's
signing infrastructure to suppress the inclusion of the extension. Thus, there
is a different level of security in the two approaches.
Secondly, using HTTPS for transport raises the possibility of recursive
revocation lookups, depending on the certificate chain employed.
Lastly, the inclusion of the IDP extension and distributionPoint field in
sub-scoped CRLs is a requirement of RFC 5280 and X.509 and thus must be
unconditionally included (it is a deviation of the profile to omit it). Given
that the inclusion of the IDP is the standard mechanism to prevent exactly the
attack described in this thread, it should be employed here as opposed to
layering hacky fixes on top of CRLs that do not adhere to the profile.
Corey Bonnell
Hi Aaron,
> But no, including the distributionPoint is absolutely not required by RFC 5280 as long as the CRL includes all revoked unexpired certificates within its scope. It is not even required by the Mozilla Root Store Policy, as long as there is no critical IssuingDistributionPoint extension in the CRL. It is required by X.509, but the whole point of RFC 5280 is that it defines what portions of X.509 apply to the Web PKI; it does not include that requirement from X.509. These may be oversights or mistakes, and I agree they should be changed, but we try very hard to separate intent from actual requirements here.
I’ll quote the relevant passage from RFC 5280 again here for easy reference:
“If the distributionPoint field is absent, the CRL MUST contain
entries for all revoked unexpired certificates issued by the CRL
issuer, if any, within the scope of the CRL”
My interpretation of this passage is that it is defining the required scope of the CRL in the absence of the distributionPoint field. Namely, all revoked certificates issued by the CA must be contained within the scope of the CRL. However, it sounds like your interpretation is that the CRL must contain all revoked certificates that are within its scope. This sounds tautological or seemingly indicates that it is somehow possible to recursively scope CRLs (i.e., a scope within a scope) by including the distributionPoint field.
Can you expand upon how your interpretation would work in practice?
Thanks,
Corey
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Wednesday, October 12, 2022 12:26 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
On Wed, Oct 12, 2022 at 7:07 AM Corey Bonnell <Corey....@digicert.com> wrote:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnEreuC0JKJo5kOjaYqgPB9zS8xgeM3j0afJ_HcQmkx%3DsEUA%40mail.gmail.com.
Rob Stradling
Sent: 07 October 2022 18:45
To: Rob Stradling <r...@sectigo.com>
Cc: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Corey Bonnell <Corey....@digicert.com>; Andrew Ayer <ag...@andrewayer.name>
Subject: Re: CRL partitioning and IDPs
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Rob Stradling
From: 'Clint Wilson' via dev-secur...@mozilla.org
Sent: Wednesday, October 12, 2022 17:25
To: Corey Bonnell
Cc: Andrew Ayer; Aaron Gable; MDSP
Subject: Re: CRL partitioning and IDPs
Further, it's probably worth noting that CRL URL(s) referenced only in the CCADB JSON array should match the IDP URL(s).
Cheers,
Clint
>
>> A simple fix would be to require that CAs use HTTPS URLs for CRL shards,
>> though this wouldn't be as strong as relying on indicators within the CRL
>> itself.
>
> I believe including the IDP is the better solution, for three reasons:
>
> an attacker to carry out the substitution attack described in this thread,
> whereas the use of IDP would require the attacker to compromise the CA's
> signing infrastructure to suppress the inclusion of the extension. Thus, there
> is a different level of security in the two approaches.
>
> Secondly, using HTTPS for transport raises the possibility of recursive
> revocation lookups, depending on the certificate chain employed.
>
> Lastly, the inclusion of the IDP extension and distributionPoint field in
> sub-scoped CRLs is a requirement of RFC 5280 and X.509 and thus must be
> unconditionally included (it is a deviation of the profile to omit it). Given
> that the inclusion of the IDP is the standard mechanism to prevent exactly the
> attack described in this thread, it should be employed here as opposed to
> layering hacky fixes on top of CRLs that do not adhere to the profile.
>
> Corey
>
> -----Original Message-----
> From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On
> Behalf Of Andrew Ayer
> Sent: Friday, October 7, 2022 10:02 AM
> To: Aaron Gable <aa...@letsencrypt.org>
> <dev-secur...@mozilla.org>; Corey Bonnell <Corey....@digicert.com>
> Subject: Re: CRL partitioning and IDPs
>
> <dev-secur...@mozilla.org> wrote:
>
>> Ah, that's a good point!
>>
>> In Let's Encrypt's particular case, we guarantee that all of our CRL
>> shards in a given "generation" share the same CRL Number, so detecting
>> one shard substituted from a previous generation would be very easy.
>> But I recognize that doing so is not required and could not be relied
>> upon in the general case.
>
> Right. I'm not seeing any way for a client to avoid the attack described by
> Corey without making assumptions about the CA's practices which might not be
> true in all cases.
>
> So I have to concur with Corey that there is currently a security issue which
> would allow attackers to tamper with Apple and Mozilla revocation systems.
>
> though this wouldn't be as strong as relying on indicators within the CRL
> itself.
>
> Andrew
>
> --
> You received this message because you are subscribed to the Google Groups
> "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dev-security-po...@mozilla.org.
> To view this discussion on the web visit
>
> --
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Aaron Gable
My interpretation of this passage is that it is defining the required scope of the CRL in the absence of the distributionPoint field. Namely, all revoked certificates issued by the CA must be contained within the scope of the CRL. However, it sounds like your interpretation is that the CRL must contain all revoked certificates that are within its scope. This sounds tautological or seemingly indicates that it is somehow possible to recursively scope CRLs (i.e., a scope within a scope) by including the distributionPoint field.
"the CRL MUST contain (entries for all revoked unexpired certificates issued by the CRL issuer, if any) within its scope"; or
Can you expand upon how your interpretation would work in practice?
Aaron Gable
Clint Wilson
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfpyPYrhu35fJ1nDGqeht%3D7Dyw8VZKzoMfVvk%3DM3GyP1g%40mail.gmail.com.
Tim Hollebeek
Shouldn’t CABF ballot discussions and endorsement conversations happen on the relevant CABF lists? This is somewhat important both to make sure the relevant conversations are properly documented and archived in the right place, as well as for compliance with the CABF IPR rules. It doesn’t horribly matter for small ballots like this, but it’s still probably a good idea to do things the usual ways and locations.
Also, January 1st is not a particularly good date to use as a compliance deadline. The proximity to the winter holidays and year rollover causes all sorts of fun silliness that’s generally best avoided.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 12:30 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
To ensure that future parties don't have to have this same discussion again, I have put together a CA/BF ballot to update the BRs to explicitly require the distributionPoint field in sharded CRLs:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfpyPYrhu35fJ1nDGqeht%3D7Dyw8VZKzoMfVvk%3DM3GyP1g%40mail.gmail.com.
Aaron Gable
Tim Hollebeek
We largely don’t care as we consider this to be an existing requirement, so the date doesn’t really matter for us, but I’m totally ok with enhancing the BRs to make the requirement more explicit, and putting an agreed upon future compliance date in there for anyone who might have missed this subtle requirement. I was mostly commenting on Jan 1st being bad to help out other people who might be affected.
I have previously noted that the 15th day of odd months tends to dodge most holidays (e.g. Jan 15th or Mar 15th), and choosing from those six compliance dates might make CABF BR compliance schedules look a little bit more organized and less like 100 individuals randomly throwing darts at a calendar, but that’s just a personal preference of mine.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 1:07 PM
To: Tim Hollebeek <tim.ho...@digicert.com>
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErekmR76rbFvjyPQK7z85QbPQHynszFSN8tee48B_XcO%2Bw%40mail.gmail.com.
Corey Bonnell
Hi Aaron,
I had a draft reply written up to better explain my interpretation but deleted it since I think the CABF ballot is a more constructive path forward on this issue.
Are you also considering filing an erratum against 5280 so this particular PKI footgun can be addressed at the IETF?
Thanks,
Corey
From: Aaron Gable <aa...@letsencrypt.org>
Sent: Wednesday, October 12, 2022 7:51 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
On Wed, Oct 12, 2022 at 1:02 PM Corey Bonnell <Corey....@digicert.com> wrote:
Aaron Gable
Are you also considering filing an erratum against 5280 so this particular PKI footgun can be addressed at the IETF?
Tim Hollebeek
More information about the process: https://www.ietf.org/about/groups/iesg/statements/processing-errata-ietf-stream/
Thanks for filing it. I’m actually curious to see where the discussion goes, and what the people who were around at the time (including the author) have to say about the history, original intent, and proposed resolution.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 3:44 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErd1g11zCEMnMHbSQf2n1o5GUm5A%2BGa4H93c05%2B3bAuJnA%40mail.gmail.com.