[Servercert-wg] Ballot proposal: require distributionPoint in sharded CRLs

Aaron Gable aaron at letsencrypt.org
Fri Oct 14 19:48:07 UTC 2022


On Fri, Oct 14, 2022 at 12:34 PM Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>
wrote:

> Just a question -
> if a certificate that is being checked for revocation does not contain a
> cDP, how will requiring iDP in the CRL assist in preventing a CRL
> substitution attack? If you don't have the correct cDP for a given
> certificate how will the iDP in that sharded CRL provide assurance that the
> RP is looking at the correct CRL?
>

In the case of the CRLs disclosed in CCADB's JSON Array of Partitioned CRLs
field, the relying party (e.g. Mozilla or Apple) can verify that the
distributionPoint contained within the CRL matches the URL disclosed in
CCADB.

On Fri, Oct 14, 2022 at 11:14 AM Corey Bonnell <Corey.Bonnell at digicert.com>
wrote:

> I don’t believe the profiles ballot modifies section 7.2 at all, so there
> should be no conflict in having a separate proposal.
>

The current profiles ballot lightly modifies Section 7.2.1 (
https://github.com/cabforum/servercert/pull/373/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR3118),
but not in a way that would lead to a merge conflict with this ballot.

Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20221014/71594b59/attachment.html>


More information about the Servercert-wg mailing list