mozilla / crlite

WebPKI-level Certificate Revocation via Multi-Level Bloom Filter Cascade
http://www.cs.umd.edu/~dml/papers/crlite_oakland17.pdf
Mozilla Public License 2.0

Store the current filter's enrolled issuer list in cert-revocations #241

Closed jschanck closed 2 years ago

jschanck commented 2 years ago

We're going to move the enrollment list from the intermediates collection to the cert-revocations collection.

The schema for cert-revocations has been updated with an enrolledIssuers field that holds a JSON array of strings. Each string in enrolledIssuers is to be a base64-encoded identifier for a CRLite-enrolled issuer. The identifier will be SHA256(subject || spki), where subject is a DER-encoded RFC 5280 RDNSequence and spki is a DER-encoded RFC 5280 SubjectPublicKeyInfo.

The CRLite aggregator should output the new identifiers in enrolled.json, and moz_kinto_publisher should populate the enrolledIssuers field. The signoff script should validate the enrolledIssuers field.

We'll continue to keep the crlite_enrolled flags in intermediates up to date for now.

Client-side changes will be tracked in Bug 1750787
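The identifier construction described in the issue (SHA256 over the concatenated DER subject and SPKI, then base64) and the signoff check on the enrolledIssuers field, shown as an added example in Python using only the standard library. This is not code from the crlite repository or from moz_kinto_publisher; the DER values are hand-built minimal encodings (a single-CN RDNSequence and an Ed25519 SubjectPublicKeyInfo) constructed for the example, and the function names are the example's own.

```python
import base64
import hashlib
import json

# --- minimal DER helpers (constructed for this example) -------------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite-length header."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + content


def rdn_sequence_common_name(cn: str) -> bytes:
    """RFC 5280 RDNSequence holding one RDN: SET { SEQUENCE { OID 2.5.4.3, UTF8String } }."""
    attr = der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x04, 0x03]))  # id-at-commonName
                   + der_tlv(0x0C, cn.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, attr))


def ed25519_spki(pubkey: bytes) -> bytes:
    """RFC 5280 SubjectPublicKeyInfo for Ed25519 (OID 1.3.101.112) with a raw 32-byte key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    alg = der_tlv(0x30, der_tlv(0x06, bytes([0x2B, 0x65, 0x70])))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pubkey))  # BIT STRING, 0 unused bits


# --- enrolled-issuer identifier, as specified in the issue ----------------

def enrolled_issuer_id(subject_der: bytes, spki_der: bytes) -> str:
    """base64( SHA256( subject || spki ) ) over the DER encodings."""
    digest = hashlib.sha256(subject_der + spki_der).digest()
    return base64.b64encode(digest).decode("ascii")


# --- signoff-style validation of the cert-revocations field ---------------

def validate_enrolled_issuers(value) -> list:
    """Return a list of problems; an empty list means the field is well-formed.

    Checks: the field is a JSON array of strings, each string is strict base64
    decoding to exactly 32 bytes (a SHA-256 digest), and there are no duplicates.
    """
    problems = []
    if not isinstance(value, list):
        return ["enrolledIssuers must be a JSON array"]
    seen = set()
    for i, item in enumerate(value):
        if not isinstance(item, str):
            problems.append(f"entry {i}: not a string")
            continue
        try:
            raw = base64.b64decode(item, validate=True)
        except (ValueError, TypeError):
            problems.append(f"entry {i}: not valid base64")
            continue
        if len(raw) != 32:
            problems.append(f"entry {i}: decodes to {len(raw)} bytes, expected 32")
        if item in seen:
            problems.append(f"entry {i}: duplicate identifier")
        seen.add(item)
    return problems


def validate_record_json(record_json: str) -> list:
    """Validate the enrolledIssuers field of a cert-revocations record given as JSON text."""
    record = json.loads(record_json)
    if "enrolledIssuers" not in record:
        return ["record has no enrolledIssuers field"]
    return validate_enrolled_issuers(record["enrolledIssuers"])


if __name__ == "__main__":
    # Constructed sample issuer: not a real CA.
    subject = rdn_sequence_common_name("Example Test CA")
    spki = ed25519_spki(bytes(range(32)))
    ident = enrolled_issuer_id(subject, spki)
    record = json.dumps({"enrolledIssuers": [ident]})
    print("identifier:", ident)
    print("problems:", validate_record_json(record))
```

The validator deliberately rejects anything that is not strict base64 of a 32-byte value: a publisher bug that emitted hex, a truncated digest, or the old issuer-name form would be caught at signoff rather than shipped to clients.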