This is great. Thanks Richard! For OneCRL and the EE certs, establishing parameters around when an EE is eligible for inclusion would give guidance to CAs about when to report revocations. Is the OneCRL intended for when the cert is compromised because of a breach of the CA? Or can high profile domains with stolen keys request inclusion?
Jeremy -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Richard Barnes Sent: Thursday, July 31, 2014 8:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org; mozilla-dev-tech-cry...@lists.mozilla.org Subject: New wiki page on certificate revocation plans Hi all, We in the Mozilla PKI team have been discussing ways to improve revocation checking in our PKI stack, consolidating a bunch of ideas from earlier work [1][2] and some maybe-new-ish ideas. I've just pressed "save" on a new wiki page with our initial plan: https://wiki.mozilla.org/CA:RevocationPlan It would be really helpful if people could review and provide feedback on this plan. There's one major open issue highlighted in the wiki page. We're planning to adopt a centralized revocation list model for CA certificates, which we're calling OneCRL. (Conceptually similar to Chrome's CRLsets.) In addition to covering CA certifcates, we're also considering covering some end-entity (EE) certificates with OneCRL too. But there are some drawbacks to this approach, so it's not certain that we will include this in the final plan. Feedback on this point would be especially valuable. Thanks a lot, --Richard [1] https://wiki.mozilla.org/CA:ImprovingRevocation [2] https://www.imperialviolet.org/2012/02/05/crlsets.html _______________________________________________ dev-security-policy mailing list dev-security-pol...@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto