[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Aaron Gable aaron at letsencrypt.org
Fri Oct 14 17:04:29 UTC 2022


Hi all,

Based on a long discussion[1] on MDSP, I've come to the conclusion that it
would be good for the BRs to specifically mandate that sharded/partitioned
CRLs include the Issuing Distribution Point extension and its
distributionPoint field. This is both because the field is important to
defend against replacement attacks, and because RFC 5280's language seems
to actually say something different and has led to a long discussion on
interpretation.

To this end, I would like to propose a ballot to include explicit language
to this effect in the BRs:

https://github.com/cabforum/servercert/pull/396

Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking a second
endorser (and any thoughts and opinions on the ballot text itself, of
course!) so that it can be assigned a ballot number and officially open the
discussion period.

Thanks,
Aaron

[1]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU
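The replacement attack the ballot is guarding against is a relying party being handed a valid, signed CRL for a different shard of the same CA, one that does not list the certificate being checked. The defence is to compare the distributionPoint in the CRL's Issuing Distribution Point extension against the URL in the certificate's CRL Distribution Points extension and reject the CRL when they do not match. The following is an added example of that relying-party check, not code from the ballot, the PR or the MDSP thread; it assumes the Python `cryptography` package is installed, and the CA, certificate and shard URLs it builds are constructed fixtures for the demonstration.

```python
"""Reject a sharded CRL unless its IDP distributionPoint names the same
URL the certificate's CRL Distribution Points extension points to."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def crl_matches_certificate(crl: x509.CertificateRevocationList,
                            cert: x509.Certificate) -> bool:
    """True only if the CRL carries an IDP whose full-name distributionPoint
    equals one of the certificate's CDP URIs.  A CRL with no IDP, or whose
    distributionPoint names another shard, is rejected: that is what stops a
    correctly signed CRL for a different shard being substituted for the
    one that would actually list this certificate."""
    try:
        idp = crl.extensions.get_extension_for_class(
            x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return False
    if idp.full_name is None:
        return False
    idp_uris = {n.value for n in idp.full_name
                if isinstance(n, x509.UniformResourceIdentifier)}
    try:
        cdp = cert.extensions.get_extension_for_class(
            x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False
    cert_uris = set()
    for dp in cdp:
        for n in dp.full_name or []:
            if isinstance(n, x509.UniformResourceIdentifier):
                cert_uris.add(n.value)
    return bool(idp_uris & cert_uris)


def make_fixtures():
    """Constructed demo data: one CA, one leaf whose CDP points at shard 7,
    and three CRLs: the shard-7 CRL (correct), the shard-8 CRL (wrong
    shard, still validly signed by the same CA) and a CRL with no IDP."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    shard = "http://crl.example.test/shard-7.crl"   # constructed URL
    other = "http://crl.example.test/shard-8.crl"   # constructed URL
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(
                NameOID.COMMON_NAME, "leaf.example.test")]))
            .issuer_name(ca_name)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(shard)],
                    relative_name=None, reasons=None, crl_issuer=None)]),
                critical=False)
            .sign(ca_key, hashes.SHA256()))

    def crl_for(url, with_idp=True):
        b = (x509.CertificateRevocationListBuilder()
             .issuer_name(ca_name)
             .last_update(now)
             .next_update(now + datetime.timedelta(days=7)))
        if with_idp:
            # IDP is marked critical, as RFC 5280 requires for this extension.
            b = b.add_extension(x509.IssuingDistributionPoint(
                full_name=[x509.UniformResourceIdentifier(url)],
                relative_name=None, only_contains_user_certs=False,
                only_contains_ca_certs=False, only_some_reasons=None,
                indirect_crl=False, only_contains_attribute_certs=False),
                critical=True)
        return b.sign(ca_key, hashes.SHA256())

    return leaf, crl_for(shard), crl_for(other), crl_for(shard, with_idp=False)


if __name__ == "__main__":
    leaf, good, wrong_shard, no_idp = make_fixtures()
    print("shard-7 CRL accepted:", crl_matches_certificate(good, leaf))
    print("shard-8 CRL accepted:", crl_matches_certificate(wrong_shard, leaf))
    print("CRL without IDP accepted:", crl_matches_certificate(no_idp, leaf))
```

The match is deliberately on the IDP's full-name URI rather than on the CRL issuer or signature alone: every shard of the CA is signed by the same key, so signature validation cannot tell the shards apart, which is exactly why the ballot wants the distributionPoint field to be mandatory rather than optional. Signature and freshness checks on the CRL are a separate step and are not shown here.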