Hi Kathleen,

It was my impression from earlier discussions
<https://groups.google.com/g/mozilla.dev.security.policy/c/Bf6HSA44528> that
the plan was for the new CCADB field to contain a URL which points to a
document containing only a JSON array of partitioned CRL URLs, rather than
the new CCADB field containing such an array directly.

Obviously this plan may have changed due to other off-list conversations,
but I would like to express a strong preference for the original plan. At
the scale at which Let's Encrypt issues, it is likely that our JSON array
will contain on the order of 1000 CRL URLs, and will add a new one (and age
out an entirely-expired one) every 6 hours or so. I am not aware of any
existing automation which updates CCADB at that frequency.

Further, from a resiliency perspective, we would prefer that the CRLs we
generate live at fully static paths. Rather than overwriting CRLs with new
versions when they are re-issued prior to their nextUpdate time, we would
leave the old (soon-to-be-expired) CRL in place, offer its replacement at
an adjacent path, and update the JSON to point at the replacement. This
process would have us updating the JSON array on the order of minutes, not
hours.

We believe that the earlier "URL to a JSON array..." approach makes room for
significantly simpler automation on behalf of CAs without significant
loss of auditability. I believe it may be helpful for the CCADB field
description (or any upcoming portion of the MRSP which references it) to
include specific requirements around the cache lifetime of the JSON
document and the CRLs referenced within it.

Thanks,
Aaron
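The following is an added example, not code from either message in this thread and not Let's Encrypt's or the CCADB's own tooling. It models the two sides of the proposal as described above: the CA-side step of building the JSON array from partitioned CRLs that live at static, never-overwritten paths (listing only the newest copy of each partition and omitting partitions whose scope holds only expired certificates), an upper bound on how long that JSON document may be cached before a listed CRL could expire, and a relying-party or auditor check that a fetched document is exactly a JSON array of absolute http(s) CRL URLs. The `CrlShard` record, the partition numbering, the `crl-1a.crl` path and the timestamps are all constructed for the example; only the `cdn.example` URLs come from the quoted proposal.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse


@dataclass(frozen=True)
class CrlShard:
    """One partitioned CRL published at a static path that is never overwritten
    (hypothetical record type; assumed for this example)."""
    partition: int                     # which slice of the CA's issuance it covers
    url: str
    this_update: datetime
    next_update: datetime
    scope_fully_expired: bool = False  # every certificate in scope has expired


def _current_shards(shards, now):
    """Newest shard per partition, skipping partitions the array may omit.
    Raises if some partition has no shard that is still valid at `now`, since
    pointing relying parties at an expired CRL is a publisher bug."""
    newest = {}
    for s in shards:
        if s.scope_fully_expired:
            continue
        cur = newest.get(s.partition)
        if cur is None or s.this_update > cur.this_update:
            newest[s.partition] = s
    stale = sorted(p for p, s in newest.items() if s.next_update <= now)
    if stale:
        raise RuntimeError(f"partitions without a currently valid CRL: {stale}")
    return newest


def build_crl_index(shards, now):
    """URLs to publish in the JSON array document, sorted by partition so the
    document is stable between runs. A re-issued shard replaces its predecessor
    here while the old file stays in place at its own path."""
    current = _current_shards(shards, now)
    return [current[p].url for p in sorted(current)]


def document_max_age(shards, now):
    """Upper bound in seconds for the JSON document's Cache-Control max-age:
    it must be refetched before the earliest listed CRL reaches nextUpdate.
    (One reasonable policy, not a value the thread specifies.)"""
    current = _current_shards(shards, now)
    if not current:
        return 0
    earliest = min(s.next_update for s in current.values())
    return int((earliest - now).total_seconds())


def validate_crl_index(document_text):
    """Check that a fetched document is what the proposal describes: a JSON
    array whose elements are absolute http(s) URLs. Returns the URL list or
    raises ValueError (stray characters around the array fail the JSON parse)."""
    try:
        data = json.loads(document_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(data, list):
        raise ValueError("document must be a JSON array, not an object or scalar")
    seen, urls = set(), []
    for i, item in enumerate(data):
        if not isinstance(item, str):
            raise ValueError(f"element {i} is not a string")
        parts = urlparse(item)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"element {i} is not an absolute http(s) URL: {item!r}")
        if item in seen:
            raise ValueError(f"duplicate URL at element {i}: {item!r}")
        seen.add(item)
        urls.append(item)
    return urls


# Constructed sample: partition 0 covers only expired certs, partition 1 was
# re-issued two hours ago at an adjacent path, partition 2 is unchanged.
NOW = datetime(2021, 2, 25, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE_SHARDS = [
    CrlShard(0, "http://cdn.example/crl-0.crl", NOW - 30 * 24 * H, NOW - 23 * 24 * H,
             scope_fully_expired=True),
    CrlShard(1, "http://cdn.example/crl-1.crl", NOW - 8 * H, NOW + 160 * H),
    CrlShard(1, "http://cdn.example/crl-1a.crl", NOW - 2 * H, NOW + 166 * H),
    CrlShard(2, "http://cdn.example/crl-2.crl", NOW - 4 * H, NOW + 164 * H),
]

if __name__ == "__main__":
    doc = json.dumps(build_crl_index(SAMPLE_SHARDS, NOW), indent=2)
    print(doc)
    print("max-age <=", document_max_age(SAMPLE_SHARDS, NOW), "seconds")
    print("validated:", validate_crl_index(doc))
```

Run as a script it prints the two-element array for partitions 1 and 2 (with the re-issued `crl-1a.crl` in place of `crl-1.crl`), a cache bound of 164 hours, and the validated list. Validation deliberately accepts nothing but a bare array of URL strings, so an object wrapper, a non-string element, a relative path or a duplicate entry is rejected rather than silently tolerated.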

On Wed, Feb 24, 2021 at 12:36 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> All,
>
> As previously discussed, there is a section on root and intermediate
> certificate pages in the CCADB called ‘Pertaining to Certificates Issued
> by this CA’, and it currently has one field called 'Full CRL Issued By
> This CA'.
>
> Proposal: Add field called 'JSON Array of Partitioned CRLs Issued By
> This CA'
>
> Description of this proposed field:
> When there is no full CRL for certificates issued by this CA, provide a
> JSON array whose elements are URLs of partitioned, DER-encoded CRLs that
> when combined are the equivalent of a full CRL. The JSON array may omit
> obsolete partitioned CRLs whose scopes only include expired certificates.
>
> Example:
>
> [
>    "http://cdn.example/crl-1.crl",
>    "http://cdn.example/crl-2.crl"
> ]
>
> Additionally, I propose adding a new section to
> https://www.ccadb.org/cas/fields called “Revocation Information”.
>
> The proposed draft for this new section is here:
>
> https://docs.google.com/document/d/1uVK0h4q5BSrFv6e86f2SwR5m2o9Kl1km74vG4HnkABw/edit?usp=sharing
>
>
> I will appreciate your input on this proposal.
>
> Thanks,
> Kathleen
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>