We're going to move the enrollment list from the intermediates collection to the cert-revocations collection.
The schema for cert-revocations has been updated with an enrolledIssuers field that holds a JSON array of strings. Each string in enrolledIssuers is to be a base64 encoded identifier for a CRLite-enrolled issuer. The identifier will be SHA256(subject || spki) where subject is a DER encoded RFC 5280 RDNSequence and spki is a DER encoded RFC 5280 SubjectPublicKeyInfo.
The CRLite aggregator should output the new identifiers in enrolled.json, and moz_kinto_publisher should populate the enrolledIssuers field. The signoff script should validate the enrolledIssuers field.
We'll continue to keep the crlite_enrolled flags in intermediates up to date for now.
Client-side changes will be tracked in Bug 1750787.
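A sketch of the identifier derivation described above, as an added example that is not code from the CRLite aggregator, moz_kinto_publisher or the signoff script. The function names, the sample bytes and the checks in valid_entry are assumptions; the hash is taken over the complete DER encoding (tag, length, value) of the CA certificate's subject and SubjectPublicKeyInfo.

```python
import base64
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the DER TLV at off (single-byte tags)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, off, off + length

def issuer_id(cert_der):
    """base64(SHA256(subject || spki)) over each field's complete DER encoding."""
    _, off, _ = read_tlv(cert_der, 0)            # Certificate
    _, off, tbs_end = read_tlv(cert_der, off)    # tbsCertificate
    fields = []
    while off < tbs_end:
        tag, _, end = read_tlv(cert_der, off)
        if tag != 0xA0:                          # skip the optional [0] version
            fields.append(cert_der[off:end])
        off = end
    if len(fields) < 6:
        raise ValueError("not a tbsCertificate")
    subject, spki = fields[4], fields[5]         # after serial, sigalg, issuer, validity
    return base64.b64encode(hashlib.sha256(subject + spki).digest()).decode()

def valid_entry(s):
    """Assumed check for one array entry: canonical base64 of a 32-byte digest."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (TypeError, ValueError):
        return False
    return isinstance(s, str) and len(raw) == 32 and base64.b64encode(raw).decode() == s

def der(tag, *parts):
    """Minimal DER encoder, only used to build the constructed sample below."""
    body = b"".join(parts)
    size = (len(body).bit_length() + 7) // 8
    head = [len(body)] if len(body) < 0x80 else [0x80 | size, *len(body).to_bytes(size, "big")]
    return bytes([tag, *head]) + body

# Constructed sample: certificate-shaped DER with placeholder key bytes.
SUBJECT = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Example CA"))))
SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")), der(0x03, bytes(201)))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), *[der(0x30)] * 3, SUBJECT, SPKI)
CERT = der(0x30, TBS, der(0x30), der(0x03, b"\x00"))
```

Every entry is 44 base64 characters because a SHA-256 digest is 32 bytes, which gives a cheap structural check before comparing entries against identifiers recomputed from the issuer certificates.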