
CRLs: include IssuingDistributionPoint extension#6412

Merged
aarongable merged 5 commits into main from crl-idp on Oct 24, 2022

Conversation

@aarongable
Contributor

@aarongable aarongable commented Sep 27, 2022

Add the Issuing Distribution Point extension to all of our end-entity
CRLs. The extension contains the Distribution Point, the URL from
which this CRL is meant to be downloaded. Because our CRLs are
sharded, this URL prevents an on-path attacker from substituting a
different shard than the client expected in order to hide a revocation.
The extension also contains the OnlyContainsUserCerts boolean,
because our CRLs only contain end-entity certificates.

The Distribution Point URL is constructed from a configurable base URI,
the issuer's NameID, the shard index, and the suffix ".crl". The base
URI must use the "http://" scheme and must not end with a slash.

openssl displays the IDP extension as:

    X509v3 Issuing Distribution Point: critical
      Full Name:
        URI:http://c.boulder.test/66283756913588288/0.crl
      Only User Certificates

Fixes #6410

DO NOT SUBMIT before #6442 has been deployed.
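The encoding the description relies on, plus the relying-party check that makes the URL binding useful, as an added Go example that is not Boulder's own code: the ASN.1 shapes follow RFC 5280, the base URI rules are the two stated above, and the NameID and shard values are constructed from the openssl output.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

// RFC 5280 IssuingDistributionPoint; the [0] around the CHOICE DistributionPointName is explicit.
type issuingDistributionPoint struct {
	DistributionPoint     distributionPointName `asn1:"optional,tag:0"`
	OnlyContainsUserCerts bool                  `asn1:"optional,tag:1"` // DEFAULT FALSE: omitted when false
}
type distributionPointName struct {
	FullName []asn1.RawValue `asn1:"optional,tag:0"` // GeneralNames
}

// ShardURL builds <base>/<issuerNameID>/<shardIdx>.crl, enforcing the base-URI rules from the PR text.
func ShardURL(base string, issuerNameID int64, shardIdx int) (string, error) {
	if !strings.HasPrefix(base, "http://") || strings.HasSuffix(base, "/") {
		return "", fmt.Errorf("base URI %q must use http:// and must not end in '/'", base)
	}
	return fmt.Sprintf("%s/%d/%d.crl", base, issuerNameID, shardIdx), nil
}

// MakeIDPExtension builds a critical id-ce-issuingDistributionPoint (2.5.29.28)
// with one uniformResourceIdentifier ([6] IA5String) name and onlyContainsUserCerts = TRUE.
func MakeIDPExtension(url string) (pkix.Extension, error) {
	uri := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(url)}
	der, err := asn1.Marshal(issuingDistributionPoint{
		DistributionPoint:     distributionPointName{FullName: []asn1.RawValue{uri}},
		OnlyContainsUserCerts: true,
	})
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 28}, Critical: true, Value: der}, err
}

// IDPAllowsURL is the relying-party side of the scheme: a shard is acceptable only
// if the URL it was actually fetched from is named in the IDP, so a swapped shard fails.
func IDPAllowsURL(ext pkix.Extension, fetchedFrom string) (bool, error) {
	var idp issuingDistributionPoint
	if rest, err := asn1.Unmarshal(ext.Value, &idp); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("malformed IDP: %v (%d trailing bytes)", err, len(rest))
	}
	for _, gn := range idp.DistributionPoint.FullName {
		if gn.Class == asn1.ClassContextSpecific && gn.Tag == 6 && string(gn.Bytes) == fetchedFrom {
			return true, nil
		}
	}
	return false, nil
}
```

For the constructed URL above the DER is 56 bytes: SEQUENCE { [0] { [0] { [6] IA5String } } , [1] TRUE }, which openssl renders exactly as the block shown in the description.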

@aarongable aarongable changed the base branch from main to crldpbase-config October 10, 2022 22:57
Base automatically changed from crldpbase-config to main October 11, 2022 15:55
@aarongable aarongable marked this pull request as ready for review October 13, 2022 17:28
@aarongable aarongable requested a review from a team as a code owner October 13, 2022 17:28
@aarongable aarongable merged commit 868214b into main Oct 24, 2022
@aarongable aarongable deleted the crl-idp branch October 24, 2022 18:21
Successfully merging this pull request may close these issues.

crl-updater: consider including Issuing Distribution Point extension