[cabfpub] Revocation Information

Gervase Markham gerv at mozilla.org
Tue Sep 23 10:35:06 UTC 2014

Hi everyone,

At the face-to-face in Beijing, we talked out our new plan for
revocation, and specifically OneCRL, our plan to aggregate revocation
information for all non-leaf certificates (and perhaps some others) into
a single source which Firefox would then download regularly, probably daily.

I had three questions for the CAs in the group, although there was not
time to have a long discussion about them then, so I am presenting them

They are:

1) If we asked you to provide a set of URLs which together provided
revocation information for all the non-EE certificates in hierarchies
which chained up to a root we trust, could you do that?

2) Would all those URLs be URLs to CRLs? (I.e., to reverse the question,
are there any intermediate certs for which you only provide revocation
info via OCSP?)

3) Would you need some of that set of URLs to be secret (i.e. revealed
to Mozilla, but you would prefer Mozilla not to reveal them to others)?
If so, why?

I expect the answers from all CAs to be Yes, Yes and No, so if your
answer as a CA would be something else, please speak up :-)

We would want to build a system to make it easy for CAs to provide this
information on an ongoing basis, but the discussion of how we do that is
out of scope for the moment.
