On Wednesday, November 18, 2020 at 8:26:50 PM UTC-8, Ryan Sleevi wrote: > On Wed, Nov 18, 2020 at 7:57 PM Ryan Hurst via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Kathleen, > > > > This introduces an interesting question, how might Mozilla want to see > > partial CRLs be discoverable? Of course, they are pointed to by the > > associated CRLdp but is there a need for a manifest of these CRL shards > > that can be picked up by CCADB? > > > What's the use case for sharding a CRL when there's no CDP in the issued > certificates and the primary downloader is root stores?
I think there may be some confusion. In my response to Kathleen's mail I stated " Of course, they are pointed to by the associated CRLdp", as such I am not suggesting there is a value to sharded/partitioned CRLs if not referenced by the CRLdp. The origin of my question is that as I remember the requirements, CAs do not have to produce a full and complete CRL. Specifically today, I believe they are allowed to produce partitioned CRLs, this is good because in some cases a full and complete CRL can be gigabytes in size. I assume the reason for adding the URL to a full, and I imagine complete, CRL is that Mozilla would like to use this information in its CRLLite feature. If so, and a CA partitions CRLs and does not produce a full and complete CRL how should the CA ensure Mozilla has the entire set of information it wants? Ryan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
