[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Corey Bonnell Corey.Bonnell at digicert.com
Fri Oct 14 18:05:20 UTC 2022


I have a slight preference for keeping this proposal separate, if only to avoid expanding the scope (pun intended) of an already very large ballot.

If an additional endorser is needed, I'd also be happy to endorse.

Thanks,

Corey

 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Servercert-wg
Sent: Friday, October 14, 2022 1:33 PM
To: Aaron Gable <aaron at letsencrypt.org>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs
Hi Aaron, 

If there are no objections from others, would it be ok if we add this proposal to the upcoming profiles ballot which will be discussed at the F2F, and merge your PR in the profiles branch? I would just set the date to whatever effective date we decide, other than Jan 1 :) 

The change seems rather uncontroversial. I'd be willing to endorse a separate ballot if the group decides not to include it in the profiles ballot. 


Thanks, 
Dimitris.





On 14/10/2022 8:04 p.m., Aaron Gable via Servercert-wg wrote:

Hi all,

Based on a long discussion[1] on MDSP, I've come to the conclusion that it would be good for the BRs to specifically mandate that sharded/partitioned CRLs include the Issuing Distribution Point extension and its distributionPoint field. This is both because the field is important to defend against replacement attacks, and because RFC 5280's language seems to actually say something different and has led to a long discussion on interpretation.

To this end, I would like to propose a ballot to include explicit language to this effect in the BRs:

https://github.com/cabforum/servercert/pull/396

Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking a second endorser (and any thoughts and opinions on the ballot text itself, of course!) so that it can be assigned a ballot number and officially open the discussion period.

Thanks,

Aaron

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU





_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
https://lists.cabforum.org/mailman/listinfo/servercert-wg
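The "replacement attack" Aaron's message refers to is the reason the IDP distributionPoint matters to a relying party: every shard of a partitioned CRL is signed by the same CRL issuer, so without a scope statement inside the CRL a correctly signed shard that simply does not cover the certificate in question is indistinguishable from the right one. The example below is an added illustration, not part of the thread, the PR, or any CA's software. It uses the Python `cryptography` library to build a test CA, a leaf whose CRLDP names one shard, and three shards, and then applies the RFC 5280 section 6.3.3 rule that a name in the CRL's IDP distributionPoint must match a name in the certificate's CRL distribution point before the shard is trusted for that certificate. All URLs, names and serial numbers are constructed for the example.

```python
"""Sharded-CRL scope check: only trust a shard whose IDP distributionPoint
matches the certificate's own CRLDP (added example; constructed test data)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed shard URLs; not any real CA's CRL layout.
SHARD_1 = "http://crl.example.test/shard-1.crl"
SHARD_2 = "http://crl.example.test/shard-2.crl"

NOW = datetime.datetime.now(datetime.timezone.utc)
ONE_DAY = datetime.timedelta(days=1)


def make_ca():
    """Throwaway self-signed test CA (constructed, not a real issuer)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, crl_url):
    """End-entity certificate whose CRLDP names the shard that covers it."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_url)],
                                relative_name=None, reasons=None, crl_issuer=None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
            .issuer_name(ca_cert.subject).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_DAY).not_valid_after(NOW + 90 * ONE_DAY)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_shard(ca_key, ca_cert, shard_url, revoked_serials, with_idp=True):
    """One CRL shard. with_idp=False produces the unscoped shape the ballot would forbid."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ca_cert.subject).last_update(NOW).next_update(NOW + ONE_DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    if with_idp:
        idp = x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier(shard_url)], relative_name=None,
            only_contains_user_certs=False, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
        b = b.add_extension(idp, critical=True)  # RFC 5280: the IDP extension MUST be critical
    return b.sign(ca_key, hashes.SHA256())


def crl_uris(general_names):
    """URI names out of a GeneralNames list (None-safe)."""
    return {gn.value for gn in (general_names or []) if isinstance(gn, x509.UniformResourceIdentifier)}


def check_status(cert, crl, ca_cert):
    """Return (status, reason); status is 'revoked', 'good' or 'reject'.
    The shard is trusted for this cert only if it is correctly signed AND its
    IDP distributionPoint names a URI the cert's CRLDP also names (RFC 5280 6.3.3)."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "reject", "bad signature"
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
    except x509.ExtensionNotFound:
        return "reject", "sharded CRL lacks IssuingDistributionPoint"
    wanted = set()
    for dp in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value:
        wanted |= crl_uris(dp.full_name)
    if not (crl_uris(idp.value.full_name) & wanted):
        return "reject", "IDP distributionPoint does not match certificate CRLDP"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked", "serial listed in matching shard"
    return "good", "serial not listed in matching shard"


def demo():
    ca_key, ca_cert = make_ca()
    leaf = issue_leaf(ca_key, ca_cert, SHARD_1)
    right = build_shard(ca_key, ca_cert, SHARD_1, [leaf.serial_number])
    swapped = build_shard(ca_key, ca_cert, SHARD_2, [])  # genuine signature, wrong shard
    unscoped = build_shard(ca_key, ca_cert, SHARD_2, [], with_idp=False)
    return {"right": check_status(leaf, right, ca_cert),
            "swapped": check_status(leaf, swapped, ca_cert),
            "unscoped": check_status(leaf, unscoped, ca_cert)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `swapped` case is the point of the proposal: shard 2 is a perfectly valid CRL from the same issuer, and a client that checked only the signature and the serial list would conclude the revoked leaf is still good. With the IDP present, the scope mismatch is detectable; with it absent (`unscoped`), a client following the proposed BR language has no way to confirm the shard covers the certificate and has to treat the CRL as unusable for it.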

 
