FWIW - Here is a recent post on this issue from JC Jones -
https://github.com/mozilla/crlite/issues/43#issuecomment-726493990


On Thu, Nov 19, 2020 at 4:00 PM Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Wednesday, November 18, 2020 at 8:26:50 PM UTC-8, Ryan Sleevi wrote:
> > On Wed, Nov 18, 2020 at 7:57 PM Ryan Hurst via dev-security-policy <
> > dev-secur...@lists.mozilla.org> wrote:
> >
> > > Kathleen,
> > >
> > > This introduces an interesting question, how might Mozilla want to see
> > > partial CRLs be discoverable? Of course, they are pointed to by the
> > > associated CRLdp but is there a need for a manifest of these CRL shards
> > > that can be picked up by CCADB?
> > >
> > What's the use case for sharding a CRL when there's no CDP in the issued
> > certificates and the primary downloader is root stores?
>
> I think there may be some confusion. In my response to Kathleen's mail I
> stated "Of course, they are pointed to by the associated CRLdp", as such I
> am not suggesting there is a value to sharded/partitioned CRLs if not
> referenced by the CRLdp.
>
> The origin of my question is that as I remember the requirements, CAs do
> not have to produce a full and complete CRL. Specifically today, I believe
> they are allowed to produce partitioned CRLs, this is good because in some
> cases a full and complete CRL can be gigabytes in size. I assume the reason
> for adding the URL to a full, and I imagine complete, CRL is that Mozilla
> would like to use this information in its CRLite feature.
>
> If so, and a CA partitions CRLs and does not produce a full and complete
> CRL how should the CA ensure Mozilla has the entire set of information it
> wants?
>
> Ryan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
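As an added illustration (not part of this thread, and not Mozilla's, CCADB's or CRLite's code), here is a small Python model of the completeness check a root-store downloader would need if it ingested the kind of shard manifest Ryan Hurst asks about. Each fetched CRL is matched to certificates' CRL distribution points through the name in its IssuingDistributionPoint extension (the RFC 5280 rule for scoped CRLs); a CRL with no IDP is treated as the issuer's full and complete CRL. The report flags shards the manifest lists but the downloader did not obtain, shards served but not listed, shards whose IDP name does not match the manifest entry they were fetched under, and certificates that no obtained CRL covers, including the no-CDP case Ryan Sleevi raises, which only a full CRL can cover. The shard URIs, serial numbers and manifest shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Constructed, hypothetical distribution-point URIs (not real CA endpoints).
SHARD_A = "http://crl.example.test/shard-a.crl"
SHARD_B = "http://crl.example.test/shard-b.crl"
SHARD_C = "http://crl.example.test/shard-c.crl"
FULL_CRL = "http://crl.example.test/full.crl"


@dataclass(frozen=True)
class CrlShard:
    """One CRL as the downloader sees it after fetching and parsing.

    source_uri: the manifest entry it was fetched from.
    idp_uri:    the distributionPoint name in the CRL's IssuingDistributionPoint
                extension; None means no IDP, i.e. a full and complete CRL.
    """
    source_uri: str
    idp_uri: Optional[str]
    revoked_serials: FrozenSet[int]


@dataclass(frozen=True)
class Certificate:
    """The parts of an end-entity certificate that matter for CRL lookup."""
    serial: int
    cdp_uris: Tuple[str, ...]   # CRLDistributionPoints names; empty = no CDP


@dataclass
class CoverageReport:
    complete: bool            # True only when no problem was found
    problems: List[str]
    revoked: FrozenSet[int]   # union of all obtained CRLs' revoked serials


def check_coverage(manifest_uris: Sequence[str],
                   shards: Sequence[CrlShard],
                   certs: Sequence[Certificate]) -> CoverageReport:
    problems: List[str] = []
    by_idp: Dict[str, CrlShard] = {}   # scoped CRLs keyed by IDP name
    full_crls: List[CrlShard] = []     # CRLs without an IDP

    for shard in shards:
        if shard.idp_uri is None:
            full_crls.append(shard)
        elif shard.idp_uri != shard.source_uri:
            # The IDP name is what binds a scoped CRL to a certificate's CDP,
            # so a shard served under one name but scoped to another is unusable.
            problems.append(f"{shard.source_uri}: IDP name {shard.idp_uri} "
                            "does not match the manifest entry it was fetched from")
        elif shard.idp_uri in by_idp:
            problems.append(f"duplicate shard for {shard.idp_uri}")
        else:
            by_idp[shard.idp_uri] = shard

    listed = set(manifest_uris)
    for uri in sorted(listed - by_idp.keys()):
        problems.append(f"manifest lists {uri} but no matching shard was obtained")
    for uri in sorted(by_idp.keys() - listed):
        problems.append(f"shard {uri} was served but is not listed in the manifest")

    for cert in certs:
        if not cert.cdp_uris:
            # Nothing in the certificate names a shard; only a full CRL applies.
            if not full_crls:
                problems.append(f"serial {cert.serial:#x}: no CDP and no full CRL available")
        elif not any(uri in by_idp for uri in cert.cdp_uris) and not full_crls:
            problems.append(f"serial {cert.serial:#x}: none of "
                            f"{list(cert.cdp_uris)} is covered by an obtained CRL")

    revoked = frozenset().union(*(s.revoked_serials for s in shards))
    return CoverageReport(complete=not problems, problems=problems, revoked=revoked)


def sample_run(include_full_crl: bool = False) -> CoverageReport:
    """Constructed scenario: a manifest listing two shards, of which only one is
    served, a third shard served but unlisted, and certificates that exercise
    each failure mode. With include_full_crl=True the certificate gaps close,
    but the manifest inconsistencies remain."""
    manifest = [SHARD_A, SHARD_B]
    shards = [
        CrlShard(SHARD_A, SHARD_A, frozenset({0x1001, 0x1002})),
        CrlShard(SHARD_C, SHARD_C, frozenset({0x3001})),   # served, never listed
    ]
    if include_full_crl:
        shards.append(CrlShard(FULL_CRL, None,
                               frozenset({0x1001, 0x1002, 0x2001, 0x3001})))
    certs = [
        Certificate(0x1001, (SHARD_A,)),   # covered by shard A
        Certificate(0x2001, (SHARD_B,)),   # shard B is listed but was not obtained
        Certificate(0x4001, ()),           # no CDP: only a full CRL can cover it
    ]
    return check_coverage(manifest, shards, certs)


if __name__ == "__main__":
    for line in sample_run().problems:
        print("problem:", line)
```

Running the module prints four problems for the sharded-only scenario; adding the full CRL removes the two certificate-coverage problems but still reports the manifest mismatches, which is the point: a downloader that has only a manifest and the shards cannot tell a complete set from an incomplete one unless the manifest and the IDP names agree.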
