On Jul 31, 2014, at 11:23 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:

> This is great.  Thanks Richard!  

Thanks go to the whole team.  This was very much a group effort.

> For OneCRL and the EE certs, establishing parameters around when an EE is 
> eligible for inclusion would give guidance to CAs about when to report 
> revocations.  Is the OneCRL intended for when the cert is compromised because 
> of a breach of the CA?  Or can high profile domains with stolen keys request 
> inclusion?

There are two types of EE coverage you could imagine:

1. One-off "exceptional" inclusions of individual certificates
2. Bulk inclusion of an EE-issuing CA's CRL

I think most of the discussion/controversy here is about the bulk inclusion.  
One-off exceptional inclusion in OneCRL is something that we will almost 
certainly do for high-profile cases.  By definition, it's a small enough set 
that the burden to include it will not be that high.  Is there a reason to 
discriminate between the two cases you describe?  The earlier proposal for 
something like OneCRL included some instructions for requesting revocation be 
distributed through OneCRL.  We should produce something similar once we're 
ready to accept such requests.

https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Certain_End-Entity_Certificates

Hope that helps,
--Richard



> Jeremy 
> 
> -----Original Message-----
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
>  On Behalf Of Richard Barnes
> Sent: Thursday, July 31, 2014 8:08 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org; 
> mozilla-dev-tech-cry...@lists.mozilla.org
> Subject: New wiki page on certificate revocation plans
> 
> Hi all,
> 
> We in the Mozilla PKI team have been discussing ways to improve revocation 
> checking in our PKI stack, consolidating a bunch of ideas from earlier work 
> [1][2] and some maybe-new-ish ideas.  I've just pressed "save" on a new wiki 
> page with our initial plan:
> 
> https://wiki.mozilla.org/CA:RevocationPlan
> 
> It would be really helpful if people could review and provide feedback on 
> this plan.
> 
> There's one major open issue highlighted in the wiki page.  We're planning to 
> adopt a centralized revocation list model for CA certificates, which we're 
> calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)  In addition to 
> covering CA certificates, we're also considering covering some end-entity (EE) 
> certificates with OneCRL too.  But there are some drawbacks to this approach, 
> so it's not certain that we will include this in the final plan.  Feedback on 
> this point would be especially valuable.
> 
> Thanks a lot,
> --Richard
> 
> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
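The two EE coverage modes Richard distinguishes (one-off inclusion of a single certificate versus bulk inclusion of an EE-issuing CA's whole CRL), modelled as an added example. This is not Mozilla code and not the OneCRL format; the issuer names and serial numbers are constructed, and entries are keyed on a simplified (issuer, serial) pair.

```python
# Added illustration of a OneCRL-style preloaded revocation list.
# Not Mozilla's code or data format; issuers and serials below are made up.
from collections import Counter


class PreloadedRevocations:
    """Preloaded revocations keyed on (issuer, serial), tagged by how they got in."""

    def __init__(self):
        self._entries = {}  # (issuer, serial) -> source tag

    def add_ca_cert(self, issuer, serial):
        # CA certificates: the core of the list, always small.
        self._entries[(issuer, serial)] = "ca"

    def add_ee_one_off(self, issuer, serial):
        # Exceptional inclusion of one high-profile end-entity certificate.
        self._entries[(issuer, serial)] = "ee-one-off"

    def add_ee_bulk_crl(self, issuer, crl_serials):
        # Bulk inclusion: every serial on an EE-issuing CA's CRL is preloaded,
        # so the list grows with that CA's revocation volume (the "burden").
        for serial in crl_serials:
            self._entries.setdefault((issuer, serial), "ee-bulk")

    def lookup(self, issuer, serial):
        return self._entries.get((issuer, serial))

    def size_by_source(self):
        return dict(Counter(self._entries.values()))


def check_chain(preload, chain):
    """chain: list of (issuer, serial) pairs, leaf first.
    Returns (True, None) if nothing in the chain is preloaded as revoked,
    otherwise (False, detail) naming the first matching certificate."""
    for position, (issuer, serial) in enumerate(chain):
        source = preload.lookup(issuer, serial)
        if source is not None:
            return False, {"position": position, "issuer": issuer,
                           "serial": serial, "source": source}
    return True, None


def build_example():
    # Constructed data: one revoked intermediate, one one-off EE, one bulk CRL.
    p = PreloadedRevocations()
    p.add_ca_cert("Example Root", 0x10)
    p.add_ee_one_off("Example Issuing CA", 0xABC)
    p.add_ee_bulk_crl("Busy Issuing CA", range(1, 1001))
    return p
```

The `size_by_source()` counts make the asymmetry concrete: the CA and one-off entries stay at a handful of records, while a single bulk-included CRL contributes as many entries as that CA has ever revoked.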
