This is great. Thanks Richard!
For OneCRL and the EE certs, establishing parameters around when an EE is
eligible for inclusion would give guidance to CAs about when to report
revocations. Is the OneCRL intended for when the cert is compromised because
of a breach of the CA? Or can high profile domains with stolen keys request
inclusion?
Jeremy
-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Richard Barnes
Sent: Thursday, July 31, 2014 8:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org;
mozilla-dev-tech-cry...@lists.mozilla.org
Subject: New wiki page on certificate revocation plans
Hi all,
We in the Mozilla PKI team have been discussing ways to improve revocation
checking in our PKI stack, consolidating a bunch of ideas from earlier work
[1][2] and some maybe-new-ish ideas. I've just pressed save on a new wiki
page with our initial plan:
https://wiki.mozilla.org/CA:RevocationPlan
It would be really helpful if people could review and provide feedback on this
plan.
There's one major open issue highlighted in the wiki page. We're planning to
adopt a centralized revocation list model for CA certificates, which we're
calling OneCRL. (Conceptually similar to Chrome's CRLsets.) In addition to
covering CA certificates, we're also considering covering some end-entity (EE)
certificates with OneCRL too. But there are some drawbacks to this approach,
so it's not certain that we will include this in the final plan. Feedback on
this point would be especially valuable.
Thanks a lot,
--Richard
[1] https://wiki.mozilla.org/CA:ImprovingRevocation
[2] https://www.imperialviolet.org/2012/02/05/crlsets.html
___
dev-security-policy mailing list
dev-security-pol...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
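An added illustration of the centralized revocation list model discussed in the thread (it is not Mozilla's OneCRL code, and the entry format keyed by issuer name plus serial number is an assumption, since the wiki page is not reproduced here). It shows why one entry for a CA certificate covers every certificate issued under it, while EE coverage needs one entry per affected certificate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool

# Constructed sample chain: EE -> intermediate -> root (assumed names/serials).
ROOT = Cert("Example Root", "Example Root", 1, True)
INTERMEDIATE = Cert("Example Intermediate", "Example Root", 1001, True)
EE = Cert("www.example.test", "Example Intermediate", 5555, False)
CHAIN = [EE, INTERMEDIATE, ROOT]

def build_list(entries):
    """A centralized list pushed to clients: a set of (issuer, serial) pairs."""
    return {(issuer, serial) for issuer, serial in entries}

def check_chain(chain, revocation_list, include_ee=True):
    """Reject a chain if any of its certificates appears in the pushed list.

    With include_ee=False the list is consulted for CA certificates only,
    which is the narrower variant the thread treats as the baseline.
    Returns (accepted, reason).
    """
    for cert in chain:
        if not include_ee and not cert.is_ca:
            continue
        if (cert.issuer, cert.serial) in revocation_list:
            return False, f"{cert.subject} is on the centralized list"
    return True, "no chain certificate is on the centralized list"

def entries_needed(certs):
    """How many list entries it takes to block a set of certificates directly:
    one per certificate, which is the scaling cost of covering EE certs."""
    return len({(c.issuer, c.serial) for c in certs})

if __name__ == "__main__":
    ca_only = build_list([("Example Root", 1001)])      # intermediate listed
    print(check_chain(CHAIN, ca_only, include_ee=False))  # rejected
    ee_listed = build_list([("Example Intermediate", 5555)])
    print(check_chain(CHAIN, ee_listed, include_ee=False))  # accepted: EE ignored
    print(check_chain(CHAIN, ee_listed))  # rejected once EE coverage is on
```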