[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Oct 14 18:09:09 UTC 2022 

Aaron, Corey,

The cleanup ballot is already in progress and I believe the WG hopes to 
move with the profiles ballot next. Aaron's proposed ballot to update 
the CRL profile will definitely conflict with the profiles ballot so we 
need to be careful if we run both ballots at the same time. If we are to 
have separate ballots, my hope is that this CRL profile ballot is done 
after the profiles one.


Thanks,
Dimitris.

On 14/10/2022 9:05 μ.μ., Corey Bonnell wrote:
>
> I have a slight preference for keeping this proposal separate, if only 
> to avoid expanding the scope (pun intended) of an already very large 
> ballot.
>
> If an additional endorser is needed, I’d also be happy to endorse.
>
> Thanks,
>
> Corey
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf 
> Of *Dimitris Zacharopoulos (HARICA) via Servercert-wg
> *Sent:* Friday, October 14, 2022 1:33 PM
> *To:* Aaron Gable <aaron at letsencrypt.org>; CA/B Forum Server 
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Ballot proposal: require 
> distributionPoint in sharded CRLs
>
>
> Hi Aaron,
>
> If there are no objections from others, would it be ok if we add this 
> proposal to the upcoming profiles ballot which will be discussed at 
> the F2F, and merge your PR in the profiles branch? I would just set 
> the date to whatever effective date we decide, other than Jan 1 :)
>
> The change seems rather uncontroversial. I'd be willing to endorse a 
> separate ballot if the group decides not to include it in the profiles 
> ballot.
>
>
> Thanks,
> Dimitris.
>
>
>
> On 14/10/2022 8:04 μ.μ., Aaron Gable via Servercert-wg wrote:
>
>     Hi all,
>
>     Based on a long discussion[1] on MDSP, I've come to the conclusion
>     that it would be good for the BRs to specifically mandate that
>     sharded/partitioned CRLs include the Issuing Distribution Point
>     extension and its distributionPoint field. This is both because
>     the field is important to defend against replacement attacks, and
>     because RFC 5280's language seems to actually say something
>     different and has led to a long discussion on interpretation.
>
>     To this end, I would like to propose a ballot to include explicit
>     language to this effect in the BRs:
>
>     https://github.com/cabforum/servercert/pull/396
>
>     Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking
>     a second endorser (and any thoughts and opinions on the ballot
>     text itself, of course!) so that it can be assigned a ballot
>     number and officially open the discussion period.
>
>     Thanks,
>
>     Aaron
>
>     [1]
>     https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU
>
>
>
>     _______________________________________________
>
>     Servercert-wg mailing list
>
>     Servercert-wg at cabforum.org
>
>     https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221014/0653d482/attachment-0001.html>

More information about the Servercert-wg mailing list