[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Aaron Gable aaron at letsencrypt.org
Fri Oct 14 17:56:59 UTC 2022


Sure, I have no objection to incorporating it into the profiles ballot.

I admit I haven't looked carefully at the whole profiles ballot myself yet,
and I'm slightly trepidatious that getting it passed will be a protracted
process, but this change definitely falls within its purview. I'm happy to
go either way on this one!

Aaron

On Fri, Oct 14, 2022 at 10:32 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

>
> Hi Aaron,
>
> If there are no objections from others, would it be ok if we add this
> proposal to the upcoming profiles ballot which will be discussed at the
> F2F, and merge your PR in the profiles branch? I would just set the date to
> whatever effective date we decide, other than Jan 1 :)
>
> The change seems rather uncontroversial. I'd be willing to endorse a
> separate ballot if the group decides not to include it in the profiles
> ballot.
>
>
> Thanks,
> Dimitris.
>
>
>
>
> On 14/10/2022 8:04 μ.μ., Aaron Gable via Servercert-wg wrote:
>
> Hi all,
>
> Based on a long discussion[1] on MDSP, I've come to the conclusion that it
> would be good for the BRs to specifically mandate that sharded/partitioned
> CRLs include the Issuing Distribution Point extension and its
> distributionPoint field. This is both because the field is important to
> defend against replacement attacks, and because RFC 5280's language seems
> to actually say something different and has led to a long discussion on
> interpretation.
>
> To this end, I would like to propose a ballot to include explicit language
> to this effect in the BRs:
>
> https://github.com/cabforum/servercert/pull/396
>
> Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking a second
> endorser (and any thoughts and opinions on the ballot text itself, of
> course!) so that it can be assigned a ballot number and officially open the
> discussion period.
>
> Thanks,
> Aaron
>
> [1]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU
>
> _______________________________________________
> Servercert-wg mailing listServercert-wg at cabforum.orghttps://lists.cabforum.org/mailman/listinfo/servercert-wg
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221014/4e1fd305/attachment-0001.html>


More information about the Servercert-wg mailing list