Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Aaron Gable via dev-security-policy
On Fri, Feb 26, 2021 at 5:18 PM Ryan Sleevi wrote: > I do believe it's problematic for the OCSP and CRL versions of the > repository to be out of sync, but also agree this is an area that is useful > to clarify. To that end, I filed > https://github.com/cabforum/servercert/issues/252 to make

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 26, 2021 at 6:01 PM Aaron Gable wrote: > On Fri, Feb 26, 2021 at 12:05 PM Ryan Sleevi wrote: > >> You can still do parallel signing. I was trying to account for that >> explicitly with the notion of the “pre-reserved” set of URLs. However, that >> also makes an assumption I should

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Aaron Gable via dev-security-policy
On Fri, Feb 26, 2021 at 12:05 PM Ryan Sleevi wrote: > You can still do parallel signing. I was trying to account for that > explicitly with the notion of the “pre-reserved” set of URLs. However, that > also makes an assumption I should have been more explicit about: whether > the expectation is

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 26, 2021 at 1:46 PM Aaron Gable wrote: > If we leave out the "new url for each re-issuance of a given CRL" portion > of the design (or offer both url-per-thisUpdate and > static-url-always-pointing-at-the-latest), then we could in fact include > CRLDP urls in the certificates using

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Aaron Gable via dev-security-policy
Thanks for the reminder that CCADB automatically dereferences URLs for archival purposes, and for the info about existing automation! I don't personally have CCADB credentials, so all of my knowledge of it is based on what I've learned from others at LE and from this list. If we leave out the

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 26, 2021 at 5:49 AM Rob Stradling wrote: > > We already have automation for CCADB. CAs can and do use it for > disclosure of intermediates. > > Any CA representatives that are surprised by this statement might want to > go and read the "CCADB Release Notes" (click the hyperlink when

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-26 Thread Rob Stradling via dev-security-policy

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 25, 2021 at 8:21 PM Aaron Gable wrote: > If I may, I believe that the problem is less that it is a reference (which > is true of every URL stored in CCADB), and more that it is a reference to > an unsigned object. > While that's a small part, it really is as I said: the issue of

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Aaron Gable via dev-security-policy
Similarly, snipping and replying to portions of your message below: On Thu, Feb 25, 2021 at 12:52 PM Ryan Sleevi wrote: > Am I understanding your proposal correctly that "any published JSON > document be valid for a certain period of time" effectively means that each > update of the JSON

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Ryan Sleevi via dev-security-policy
Hugely useful! Thanks for sharing - this is incredibly helpful. I've snipped a good bit, just to keep the thread small, and have some further questions inline. On Thu, Feb 25, 2021 at 2:15 PM Aaron Gable wrote: > I believe that there is an argument to be made here that this plan > increases

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Aaron Gable via dev-security-policy
Sure, happy to provide more details! The fundamental issue here is the scale at which Let's Encrypt issues, and the automated nature by which clients interact with Let's Encrypt. LE currently has 150M certificates active, all (as of March 1st) signed by the same issuer certificate, R3. In the

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 25, 2021 at 12:33 PM Aaron Gable via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Obviously this plan may have changed due to other off-list conversations, > but I would like to express a strong preference for the original plan. At > the scale at which Let's

Re: CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-25 Thread Aaron Gable via dev-security-policy
Hi Kathleen, It was my impression from earlier discussions that the plan was for the new CCADB field to contain a URL which points to a document containing only a JSON array of partitioned CRL URLs, rather than the new CCADB