[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Oct 14 17:32:47 UTC 2022


Hi Aaron,

If there are no objections from others, would it be ok if we add this 
proposal to the upcoming profiles ballot which will be discussed at the 
F2F, and merge your PR in the profiles branch? I would just set the date 
to whatever effective date we decide, other than Jan 1 :)

The change seems rather uncontroversial. I'd be willing to endorse a 
separate ballot if the group decides not to include it in the profiles 
ballot.


Thanks,
Dimitris.




On 14/10/2022 8:04 PM, Aaron Gable via Servercert-wg wrote:
> Hi all,
>
> Based on a long discussion[1] on MDSP, I've come to the conclusion 
> that it would be good for the BRs to specifically mandate that 
> sharded/partitioned CRLs include the Issuing Distribution Point 
> extension and its distributionPoint field. This is both because the 
> field is important to defend against replacement attacks, and because 
> RFC 5280's language seems to actually say something different and has 
> led to a long discussion on interpretation.
>
> To this end, I would like to propose a ballot to include explicit 
> language to this effect in the BRs:
>
> https://github.com/cabforum/servercert/pull/396
>
> Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking a 
> second endorser (and any thoughts and opinions on the ballot text 
> itself, of course!) so that it can be assigned a ballot number and 
> officially open the discussion period.
>
> Thanks,
> Aaron
>
> [1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU
>