[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Wendy Brown - QT3LB-C wendy.brown at gsa.gov
Fri Oct 14 19:34:17 UTC 2022


Just a question -
if a certificate that is being checked for revocation does not contain a
cDP, how will requiring iDP in the CRL assist in preventing a CRL
substitution attack? If you don't have the correct cDP for a given
certificate how will the iDP in that sharded CRL provide assurance that the
RP is looking at the correct CRL?

thanks,

Wendy


Wendy Brown

Supporting GSA

FPKIMA Technical Liaison

Protiviti Government Services
703-965-2990 (cell)


On Fri, Oct 14, 2022 at 1:05 PM Aaron Gable via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi all,
>
> Based on a long discussion[1] on MDSP, I've come to the conclusion that it
> would be good for the BRs to specifically mandate that sharded/partitioned
> CRLs include the Issuing Distribution Point extension and its
> distributionPoint field. This is both because the field is important to
> defend against replacement attacks, and because RFC 5280's language seems
> to actually say something different and has led to a long discussion on
> interpretation.
>
> To this end, I would like to propose a ballot to include explicit language
> to this effect in the BRs:
>
> https://github.com/cabforum/servercert/pull/396
>
> Clint Wilson at Mozilla has kindly agreed to endorse; I'm seeking a second
> endorser (and any thoughts and opinions on the ballot text itself, of
> course!) so that it can be assigned a ballot number and officially open the
> discussion period.
>
> Thanks,
> Aaron
>
> [1]
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/qhrGxLvyreU
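Added example, not code from the thread, illustrating the relying-party check behind Aaron's proposal and the gap Wendy raises: the CRL's issuingDistributionPoint can only be compared against the certificate's cRLDistributionPoints when the certificate actually carries that extension. It uses the Python cryptography library; the CA name, the leaf, and the shard URLs are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed shard URLs: the "right" shard for our leaf and a different one.
SHARD_URL, OTHER_URL = "http://crl.example.test/shard-3.crl", "http://crl.example.test/shard-7.crl"
NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def make_leaf(ca_key, ca_name, cdp_url):  # cdp_url=None omits cRLDistributionPoints
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
         .issuer_name(ca_name)
         .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + DAY))
    if cdp_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def make_shard_crl(ca_key, ca_name, idp_url):  # IDP distributionPoint names the shard's own URL
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(idp_url)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
            .last_update(NOW).next_update(NOW + DAY)
            .add_extension(idp, critical=True).sign(ca_key, hashes.SHA256()))

def crl_matches_cert(cert, crl):
    """True/False: does the CRL's IDP distributionPoint name one of the cert's
    cRLDistributionPoints? None: the cert has no cDP, so there is nothing to compare."""
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return None
    idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    cert_uris = {n.value for dp in cdp for n in (dp.full_name or [])}
    return any(n.value in cert_uris for n in (idp.full_name or []))

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())  # constructed CA, never persisted
    ca = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    shard = make_shard_crl(ca_key, ca, SHARD_URL)
    return (crl_matches_cert(make_leaf(ca_key, ca, SHARD_URL), shard),  # right shard -> True
            crl_matches_cert(make_leaf(ca_key, ca, OTHER_URL), shard),  # wrong shard served -> False
            crl_matches_cert(make_leaf(ca_key, ca, None), shard))       # no cDP in cert -> None
```

The third case is Wendy's point: with no cDP in the certificate, the IDP in the shard gives the relying party nothing to match against, so the check cannot reject a substituted shard on its own.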
