Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

Hi Kathleen, It was my impression from earlier discussions that the plan was for the new CCADB field to contain a URL which points to a document containing only a JSON array of partitioned CRL URLs, rather than the new CCADB

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

Sure, happy to provide more details! The fundamental issue here is the scale at which Let's Encrypt issues, and the automated nature by which clients interact with Let's Encrypt. LE currently has 150M certificates active, all (as of March 1st) signed by the same issuer certificate, R3. In the

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

Yes - I think we could focus on the domain validations themselves and allow domain validations to be reused for 398 days (maybe even from December 6, 2019), and then combine that with certificate issuance, but I'm not sure I like pushing this out to Feb 1, 2022 or even Oct. 1, 2021. Maybe someone

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

On Thu, Feb 25, 2021 at 2:29 PM Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I'd prefer that we tie this to a date related to when the domain > validations are done, or perhaps 2 statements. As it stands (and as others > have commented), on July 1 all

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

I haven't seen any response to my question about whether there is still a concern over the language "as evidenced by a Qualified Auditor's key destruction report". I did add "This cradle-to-grave audit requirement applies equally to subordinate CAs as it does to root CAs" to address the scenarios

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

All, I continue to move this Issue #206 forward with a proposed change to section 2.1 of the MRSP (along with an effort to modify section 3.2.2.4 or section 4.2.1 of the CA/B Forum's Baseline Requirements). Currently, I am still contemplating adding a subsection 5.1 to MRSP section 2.1 that

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

Hugely useful! Thanks for sharing - this is incredibly helpful. I've snipped a good bit, just to keep the thread small, and have some further questions inline. On Thu, Feb 25, 2021 at 2:15 PM Aaron Gable wrote: > I believe that there is an argument to be made here that this plan > increases

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Thu, Feb 25, 2021 at 12:33 PM Aaron Gable via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Obviously this plan may have changed due to other off-list conversations, > but I would like to express a strong preference for the original plan. At > the scale at which Let's

Re: Policy 2.7.1: MRSP Issue #218: Clarify CRL requirements for End Entity Certificates

As placeholder in the Mozilla Root Store Policy, I'm proposing the following sentence for section 6.1 - "A CA MUST ensure that it populates the CCADB with the appropriate 'full CRL' in the CCADB revocation information field pertaining to certificates issued by the CA

RE: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

Ben, I'd prefer that we tie this to a date related to when the domain validations are done, or perhaps 2 statements. As it stands (and as others have commented), on July 1 all customers will immediately need to validate all domains that were done between 825 and 397 days ago, so a huge number

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Thu, Feb 25, 2021 at 8:21 PM Aaron Gable wrote: > If I may, I believe that the problem is less that it is a reference (which > is true of every URL stored in CCADB), and more that it is a reference to > an unsigned object. > While that's a small part, it really is as I said: the issue of

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

Similarly, snipping and replying to portions of your message below: On Thu, Feb 25, 2021 at 12:52 PM Ryan Sleevi wrote: > Am I understanding your proposal correctly that "any published JSON > document be valid for a certain period of time" effectively means that each > update of the JSON

The Ace Care Center Team has received your request []

…….. Please do not reply to this email. …….. Hello from the Ace Care Center Team! Thank you for your recent request. Because of added safety measures for our employees due to Coronavirus and increased call center traffic, there may be delays

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

I think it makes sense to separate out the date for domain validation expiration from the issuance of server certificates with previously validated domain names, but agree with Ben that the timeline doesn’t seem to need to be prolonged. What about something like this: 1. Domain name or IP