Closed BenWilson-Mozilla closed 1 year ago
As mentioned here, https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/YSgndT3vSEI/m/2N31x8nUBAAJ, and in the previous threads linked in this issue, MRSP section 4.1 needs to be modified to more clearly indicate when full CRLs need to be added to the CCADB. One suggestion for discussion/consideration is "Full CRL URLs MUST be provided in the CCADB before the CA signs certificates, or if it is already signing certificates, then within 7 days of disclosing the CA certificate in the CCADB." But it needs to be made clearer when CAs need to fill in the CCADB field in different scenarios, e.g. when a CRL does not yet exist, etc.
Apple's communication to CAs clarified the requirement "for CAs which have not issued any certificates, it is not required that the Full CRL information be provided in the CCADB."
This issue needs to be broadened to include other related issues - see, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1793210, CRLs for dormant CAs.
Posted to start a discussion of this on mdsp here - https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/2cUeEQFVTVw/m/m_SGRw8FBwAJ
Related to https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/KYab8Ide6ws/m/3AFjcGDyAQAJ, we should add a statement in either section 4.1 or 6.1.1 of the MRSP that posting full CRL URLs or arrays in the CCADB is considered "publishing" them because root store operators depend on the accuracy of the CRL information contained or referenced in those locations. Also, see the email here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/KYab8Ide6ws/m/jo2S3uT1AgAJ