[cabfpub] Request for details on CRL Sets

Rick Andrews Rick_Andrews at symantec.com
Fri Aug 16 23:54:01 UTC 2013


This request is directed towards Google and Mozilla, whose browsers currently use CRL Sets or are expected to use them in the near future. In a discussion among some of the CAs about how CRL Sets worked, it became clear that we really don't know the details, especially with regard to exceptions. We know of no formal published specifications.

We think this is an area where transparency would be beneficial. CAs would like to understand exactly how they work and how the information is gathered, to ensure that design assumptions were correct. Are CRLs filtered for certain reason codes? Are very large CRLs included?

Note that for end entity certificates, CAs are required to use OCSP but are not required to issue CRLs. We need to know how browsers handle end entity certificates without CDP pointers. Those certs would not be covered by a CRL Set. CAs may wish to have the freedom to stop issuing CRLs due to their size and bandwidth costs, but if many CAs decided to do that, it appears that CRL Sets would be negatively affected.

Google, Mozilla, can you publish detailed specs?

-Rick
