On Fri, Feb 26, 2021 at 5:18 PM Ryan Sleevi <r...@sleevi.com> wrote:
> I do believe it's problematic for the OCSP and CRL versions of the
> repository to be out of sync, but also agree this is an area that is useful
> to clarify. To that end, I filed
> https://github.com/cabforum/servercert/issues/252 to make sure we don't
> lose track of this for the BRs.
>

Thanks! I like that bug, and commented on it to provide a little more clarity for how the question arose in my mind and what language we might want to update.

It sounds like maybe what we want is language to the effect that, if a CA is publishing both OCSP and CRLs, then a certificate is not considered Revoked until it shows up as Revoked in both revocation mechanisms. (And it must be Revoked within 24 hours.)

We'll make sure our parallel CRL infrastructure re-issues CRLs close-to-immediately after a certificate in that shard's scope is revoked, just as we do for OCSP today.

Thanks again,
Aaron

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy