All,
Root store operators would like to easily find and use the URLs to the
Full CRLs for things like Mozilla’s CRLite. The BRs do not require CRL
URLs in end-entity certificates, and many CAs use partitioned CRLs for
end-entity certificates.
Proposal: Add field called 'Full CRL Issued By This CA'
- New field on intermediate certificate records which may be filled in
by CAs or root store operators when the certificate signs certificates
that do not contain CRL URLs or only contain URLs to partitioned CRLs.
- This field would be included in public-facing reports such as
http://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat
so that it can be used programmatically by root store operators, and
could also be provided in crt.sh.
- Also add this field to root certificate records, even though only root
store operators can currently update root certificate records.
I will appreciate your input on this proposal.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
