Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Fri, Feb 26, 2021 at 12:05 PM Ryan Sleevi wrote: > You can still do parallel signing. I was trying to account for that > explicitly with the notion of the “pre-reserved” set of URLs. However, that > also makes an assumption I should have been more explicit about: whether > the expectation is

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Fri, Feb 26, 2021 at 6:01 PM Aaron Gable wrote: > On Fri, Feb 26, 2021 at 12:05 PM Ryan Sleevi wrote: > >> You can still do parallel signing. I was trying to account for that >> explicitly with the notion of the “pre-reserved” set of URLs. However, that >> also makes an assumption I should

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Fri, Feb 26, 2021 at 5:18 PM Ryan Sleevi wrote: > I do believe it's problematic for the OCSP and CRL versions of the > repository to be out of sync, but also agree this is an area that is useful > to clarify. To that end, I filed > https://github.com/cabforum/servercert/issues/252 to make

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

> We already have automation for CCADB. CAs can and do use it for disclosure of > intermediates. Any CA representatives that are surprised by this statement might want to go and read the "CCADB Release Notes" (click the hyperlink when you login to the CCADB). That's the only place I've seen

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

Thanks for the reminder that CCADB automatically dereferences URLs for archival purposes, and for the info about existing automation! I don't personally have CCADB credentials, so all of my knowledge of it is based on what I've learned from others at LE and from this list. If we leave out the

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Fri, Feb 26, 2021 at 5:49 AM Rob Stradling wrote: > > We already have automation for CCADB. CAs can and do use it for > disclosure of intermediates. > > Any CA representatives that are surprised by this statement might want to > go and read the "CCADB Release Notes" (click the hyperlink when

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

On Fri, Feb 26, 2021 at 1:46 PM Aaron Gable wrote: > If we leave out the "new url for each re-issuance of a given CRL" portion > of the design (or offer both url-per-thisUpdate and > static-url-always-pointing-at-the-latest), then we could in fact include > CRLDP urls in the certificates using

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I think it makes sense to separate out the date for domain validation > expiration from the issuance of server certificates with previously > validated domain names, but agree