Consider removal of mandatory requirement for CRLs for end entity certs #556
Comments
Quoting the Mozilla Root Store Policy, section 6:

CAs MUST maintain an online 24x7 repository mechanism whereby application software can automatically check online the current status of all unexpired certificates issued by the CA. For end-entity certificates, CRLs MUST be updated and reissued at least every seven days, and the value of the nextUpdate field MUST NOT be more than ten days beyond the value of the thisUpdate field. For end-entity certificates, if the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service:

I interpret the above to suggest CRLs are required for end-entity certificates, but given the inclusion of DST Root CA 3 (Let's Encrypt) in the Mozilla store, I must be missing something.
Apple does not have a specific requirement.
For Mozilla, it looks like the only requirement is to maintain a 24x7 repository, which can be either a CRL or OCSP. I would only read it as CRLs being required if it specifically stated that, which it does not. "CRLs must be..." is not "end entities must support CRLs."

Mozilla: Frankly, this looks like an oversight, or a typo. They seem to be missing the phrase "if the CA provides" at the front (like in the OCSP paragraph). Is it as simple as asking? Clearly Let's Encrypt is in the store, and presumably they don't issue CRLs. [They also appear to have no requirements for sub-CAs, just end entities. I'd bet that is an oversight as well.]

Yes, Let's Encrypt is OCSP-only, and does not publish CRLs. Mozilla section 6 could be clarified to remove ambiguity, and we could always raise this on m.d.s.p to point this out if we wanted, but my understanding has always been that it's as @debcooley pointed out: there's an implied "if CRLs are provided" in the CRL clause.
CRL shall statements impacted:
Section 5.8 CA termination question:
The CA can't publish a long-term CRL if there is no CRL. Is the requirement then "CAs must operate OCSP services for the validity period of all issued certificates"? [The scenario might be irrelevant to our CP and infrastructure.]

Or be more specific to the CA (root) that will issue CRLs.

Yes. If a CA only does OCSP and no CRL, then it must have a way to maintain the OCSP service until all issued certs have expired, even if the CA "terminates".
During development and testing, and comparison with the CP and certificate profiles, there is a request to consider removing the requirement for Certificate Revocation Lists to be published and for the associated URIs to be included in the CDP extension of serverAuth certificates.
Impacts:
Requirements review:
Microsoft trusted root program requirements:
Apple [TODO]
Mozilla [TODO]
Other [TODO]
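The two concrete points in this thread are checkable: whether an end-entity profile still gives relying parties some online status mechanism once the CDP URIs are dropped (the OCSP-only case), and, where CRLs are published, whether they meet the seven-day reissue and ten-day nextUpdate limits from the Mozilla section 6 text quoted above. The script below is an added example, not code from this issue or from any CA; the function names, the sample URL and the sample dates are constructed, and the two adapter functions assume the `cryptography` package's X.509 API (they are only called if that package is installed).

```python
"""Policy-style checks for the revocation questions raised in this issue.

  1. An end-entity certificate must point at some online status mechanism;
     a CRL Distribution Points URI and an OCSP URI in the AIA extension are
     both acceptable, so an OCSP-only profile (the Let's Encrypt case) passes.
  2. Where CRLs are published, thisUpdate must advance at least every seven
     days and nextUpdate must be at most ten days after thisUpdate.

The checks operate on plain values so they run without third-party packages;
the adapters at the end pull those values out of `cryptography` objects when
that package is available.  All sample data is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_REISSUE_INTERVAL = timedelta(days=7)     # "reissued at least every seven days"
MAX_NEXT_UPDATE_WINDOW = timedelta(days=10)  # "not more than ten days beyond thisUpdate"


@dataclass
class RevocationPointers:
    """URIs a relying party could use to check the certificate's status."""
    crl_urls: List[str] = field(default_factory=list)   # CRL Distribution Points extension
    ocsp_urls: List[str] = field(default_factory=list)  # AIA entries with id-ad-ocsp


def end_entity_findings(p: RevocationPointers) -> List[str]:
    """Findings for an end-entity certificate profile; an empty list means OK."""
    findings = []
    if not p.crl_urls and not p.ocsp_urls:
        findings.append("no online status mechanism: neither CDP URI nor OCSP AIA URI")
    return findings


def crl_window_findings(this_update: datetime, next_update: datetime,
                        previous_this_update: Optional[datetime] = None) -> List[str]:
    """Findings for one CRL; previous_this_update is the prior issuance, if known."""
    findings = []
    if next_update <= this_update:
        findings.append("nextUpdate is not after thisUpdate")
    elif next_update - this_update > MAX_NEXT_UPDATE_WINDOW:
        findings.append("nextUpdate is more than ten days beyond thisUpdate")
    if previous_this_update is not None and this_update - previous_this_update > MAX_REISSUE_INTERVAL:
        findings.append("CRL was not reissued within seven days of the previous one")
    return findings


# --- optional adapters for real objects from the `cryptography` package (assumed API) ---

def pointers_from_certificate(cert) -> RevocationPointers:
    """Extract CDP and OCSP URIs from a cryptography.x509.Certificate."""
    from cryptography import x509
    from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID

    pointers = RevocationPointers()
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        for dp in cdp:
            for name in dp.full_name or []:
                if isinstance(name, x509.UniformResourceIdentifier):
                    pointers.crl_urls.append(name.value)
    except x509.ExtensionNotFound:
        pass  # no CDP extension: only OCSP can satisfy the requirement
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        for desc in aia:
            if desc.access_method == AuthorityInformationAccessOID.OCSP and \
                    isinstance(desc.access_location, x509.UniformResourceIdentifier):
                pointers.ocsp_urls.append(desc.access_location.value)
    except x509.ExtensionNotFound:
        pass  # no AIA extension: only a CDP can satisfy the requirement
    return pointers


def crl_findings_from_crl(crl, previous_this_update: Optional[datetime] = None) -> List[str]:
    """Run the window check on a cryptography.x509.CertificateRevocationList."""
    # newer releases expose timezone-aware *_utc properties; fall back to the older naive ones
    this_update = getattr(crl, "last_update_utc", None) or crl.last_update.replace(tzinfo=timezone.utc)
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    return crl_window_findings(this_update, next_update, previous_this_update)


def run_demo() -> Dict[str, List[str]]:
    """Constructed samples: an OCSP-only profile, a profile with no pointers,
    a compliant CRL window, an over-long window and a stale reissue."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {
        "ocsp_only": end_entity_findings(RevocationPointers(ocsp_urls=["http://ocsp.example.test"])),
        "no_pointers": end_entity_findings(RevocationPointers()),
        "crl_ok": crl_window_findings(t0, t0 + timedelta(days=10), t0 - timedelta(days=7)),
        "crl_window_too_long": crl_window_findings(t0, t0 + timedelta(days=11)),
        "crl_stale_reissue": crl_window_findings(t0, t0 + timedelta(days=5), t0 - timedelta(days=8)),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'OK'}")
```

The pure-value functions are what a profile or lint check would call; the adapters exist so the same logic can be pointed at a real certificate loaded with `x509.load_pem_x509_certificate` or a CRL loaded with `x509.load_pem_x509_crl`. Note that the checker treats a 10-day window as compliant (the policy says "not more than ten days") and only flags the seven-day reissue rule when a previous thisUpdate is supplied, since a single CRL cannot show its own issuance cadence.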