I currently prefer the language proposed by Ben above, because the current
Apple language:

> CA providers must populate the “Pertaining to Certificates Issued by this
CA” section of the CCADB for each included CA Certificate and each CA
Certificate chaining up to an included CA Certificate in the Apple Root
Program.

is not clear as to whether it is expected that one or both fields in that
section must be filled out, and just reading the requirement does not make
it clear what kind of information is contained in that section.

Aaron

On Fri, Dec 10, 2021 at 8:18 AM 'Clint Wilson' via
dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:

> Is there a preference for which provides the greatest clarity to CAs
> (thinking especially of those that haven’t followed the ongoing development
> of this over the last ~18 months)?
>
> On Nov 18, 2021, at 12:51 PM, 'Aaron Gable' via
> dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> wrote:
>
> One point of interest here: although Apple's requirements reference the
> "Pertaining to Certificates Issued By This CA" section, and the github
> issue and email above reference the "Full CRL Issued by this CA" and "JSON
> Array of Partitioned CRLs" fields, these are in fact the same thing: those
> two fields are the only fields in that section.
>
> I'd hope / suggest that Mozilla and Apple will converge on using the same
> language to require that one of those two fields in that section be filled
> out for the sake of minimizing confusion.
>
> Aaron
>
> On Wed, Nov 17, 2021 at 8:06 PM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> All,
>>
>> This email introduces public discussion regarding a new requirement to be
>> included in the next version of the Mozilla Root Store Policy (MRSP),
>> version 2.8, to be published in 2022. (See
>> https://github.com/mozilla/pkipolicy/labels/2.8)
>>
>> Github Issue #235 <https://github.com/mozilla/pkipolicy/issues/235>
>> proposes that we amend MRSP section 4.1
>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements>
>> to require, effective October 1, 2022, that CA operators with intermediate
>> CA certificates that are capable of issuing TLS certificates chaining up to
>> root certificates in Mozilla's root store populate the CCADB with the CRL
>> Distribution Point for the Full CRL *or* a JSON Array of Partitioned CRLs.
>> (The CCADB already has these two alternative fields available to be filled
>> in by CAs and instructs, "When there is no full CRL for certificates issued
>> by this CA, provide a JSON array whose elements are URLs of partial CRLs
>> that when combined are the equivalent of a full CRL for the certificates
>> issued" by the CA.)
>>
>> Mozilla is moving forward with CRLite
>> <https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>,
>> so we need full CRL information for TLS certificates. Apple has also stated
>> that this same information will be required of CAs in their program,
>> effective October 1, 2022. (See
>> https://www.apple.com/certificateauthority/ca_program.html).
>>
>> We welcome your comments and suggestions.
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "dev-security-policy@mozilla.org" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dev-security-policy+unsubscr...@mozilla.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com
>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabu9mBe2%3DbZX4E3OyXPs0tsqbB754O24Y3CJj44u9oF%2Bg%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>


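A check that implements the rule as the thread describes it: at least one of the two fields in the "Pertaining to Certificates Issued by this CA" section (the full-CRL URL or the JSON array of partitioned CRL URLs) is populated, and whatever is populated is well-formed. This is an added example, not code from Mozilla, Apple or the CCADB; the field names follow the thread, while the http(s)-only URL rule and the sample records are assumptions.

```python
import json
from urllib.parse import urlparse

# The two fields of the CCADB section discussed in the thread.
FULL_CRL_FIELD = "Full CRL Issued By This CA"
PARTITIONED_CRL_FIELD = "JSON Array of Partitioned CRLs"

def _check_url(value):
    """Return a problem description for one CRL URL, or None if it is acceptable."""
    if not isinstance(value, str) or not value.strip():
        return "not a non-empty string"
    parsed = urlparse(value.strip())
    # Assumption: CRL distribution points are http:// or https:// URLs with a host.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "not an http(s) URL with a host"
    return None

def check_crl_disclosure(record):
    """Return findings for a CA record (dict of CCADB field -> string); [] means compliant."""
    findings = []
    full = (record.get(FULL_CRL_FIELD) or "").strip()
    partitioned = (record.get(PARTITIONED_CRL_FIELD) or "").strip()
    if not full and not partitioned:
        return ["neither field populated"]
    if full:
        problem = _check_url(full)
        if problem:
            findings.append(f"{FULL_CRL_FIELD}: {problem}")
    if partitioned:
        try:
            urls = json.loads(partitioned)
        except json.JSONDecodeError as exc:
            findings.append(f"{PARTITIONED_CRL_FIELD}: invalid JSON ({exc.msg})")
        else:
            if not isinstance(urls, list) or not urls:
                findings.append(f"{PARTITIONED_CRL_FIELD}: must be a non-empty JSON array")
            else:
                for i, url in enumerate(urls):
                    problem = _check_url(url)
                    if problem:
                        findings.append(f"{PARTITIONED_CRL_FIELD}[{i}]: {problem}")
    return findings

# Constructed sample records (not real CCADB data); "bad-json" pastes a bare URL into the JSON-array field.
SAMPLE_RECORDS = {
    "full-only": {FULL_CRL_FIELD: "http://crl.ca.test/full.crl"},
    "partitioned-only": {PARTITIONED_CRL_FIELD: '["http://crl.ca.test/p0.crl", "http://crl.ca.test/p1.crl"]'},
    "empty": {},
    "bad-json": {PARTITIONED_CRL_FIELD: "http://crl.ca.test/full.crl"},
}
```

Running `check_crl_disclosure` over each entry of `SAMPLE_RECORDS` shows the two well-formed records passing, the empty record failing, and the bare URL in the JSON field reported as invalid JSON rather than silently accepted.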