
Update policy.md#200

Closed
ChristopherRC wants to merge 2 commits into master from policy-update-to-2.0.1

Conversation

@ChristopherRC
Collaborator

  • update section 1 to make it clear that the responsibility to keep CCADB information up to date includes populating new data fields or values added to the CCADB.
  • clarify disclosure for changes in CRL URLs and transitions from full to partitioned (or vice versa).

Under normal operating conditions, the CRL URLs provided by CAs in accordance with this section MUST be available such that relying parties are able to successfully retrieve the current CRL every 4 hours.

#### 6.2.1 Transitions Between CRL URLs

I might be missing something, but I'm not sure why this allowance for a transition plan is needed. Switching from a full CRL to partitioned CRLs (and vice versa) can be done in one step in CCADB. Allowing both full and partitioned CRLs means that the CA is specifying redundant revocation information, as all revocation information can be found in the full CRL.

@dzacharo dzacharo Jul 2, 2025

Hi Corey,

The information I received from my team is that the transition is not an atomic operation in CCADB and the CA. Therefore, the transition will look like this:

  1. The CA publishes the partitioned CRL URLs to CCADB
  2. The CA starts issuing certificates with the new URLs
  3. (Perhaps wait for older certificates to expire)
  4. The CA removes the full CRL URL from CCADB

Similarly for the reverse path (from partitioned CRLs to full).

Does that make sense?
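
The four-step plan above, replayed as an added Python example that is not part of this PR or of the CCADB policy: it models CCADB disclosure as a set of CRL URLs and reports, after each step, any URL that an unexpired certificate references but CCADB does not list. The CA name, URLs, serials and certificate lifetimes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (placeholders, not any real CA's endpoints).
FULL_CRL = "http://crl.example-ca.test/full.crl"
PARTITIONED = ["http://crl.example-ca.test/p1.crl", "http://crl.example-ca.test/p2.crl"]


@dataclass
class Cert:
    serial: int
    crldp: str            # CRL Distribution Point URL embedded in the certificate
    not_after: datetime   # expiry; expired certificates no longer need a disclosed CRL


def undisclosed_urls(disclosed: set[str], certs: list[Cert], now: datetime) -> set[str]:
    """CRL URLs that unexpired certificates point at but CCADB does not list."""
    in_use = {c.crldp for c in certs if c.not_after > now}
    return in_use - disclosed


def run_transition(wait_for_expiry: bool) -> list[tuple[str, set[str]]]:
    """Replay the full-to-partitioned plan and record the disclosure gap after each step."""
    now = datetime(2025, 7, 2, tzinfo=timezone.utc)
    # Step 0: certificates already issued reference the full CRL, which is in CCADB.
    certs = [Cert(1, FULL_CRL, now + timedelta(days=30)),
             Cert(2, FULL_CRL, now + timedelta(days=60))]
    disclosed = {FULL_CRL}
    log = []
    # Step 1: publish the partitioned CRL URLs to CCADB while keeping the full one.
    disclosed |= set(PARTITIONED)
    log.append(("1 disclose partitioned URLs", undisclosed_urls(disclosed, certs, now)))
    # Step 2: new issuance uses the partitioned URLs.
    certs.append(Cert(3, PARTITIONED[0], now + timedelta(days=90)))
    log.append(("2 issue with new URLs", undisclosed_urls(disclosed, certs, now)))
    # Step 3: optionally wait until certificates referencing the full CRL have expired.
    if wait_for_expiry:
        now += timedelta(days=61)
    log.append(("3 wait for expiry", undisclosed_urls(disclosed, certs, now)))
    # Step 4: remove the full CRL URL from CCADB.
    disclosed.discard(FULL_CRL)
    log.append(("4 remove full CRL URL", undisclosed_urls(disclosed, certs, now)))
    return log
```

Skipping step 3 leaves unexpired certificates pointing at a CRL URL that CCADB no longer lists, which is the gap the overlapping disclosure in steps 1 and 2 is meant to avoid.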

@dzacharo,

Just to make sure we're discussing the same scenario:

Is there a "Step 0: Disclose the full CRL URL (which does not contain an IDP extension) in CCADB"?

Collaborator Author

@dzacharo, @CBonnell, we’re starting to wonder if this is a non-issue and if the current policy language adequately allows for this type of rare(?) transition to occur. We appreciate additional perspective or concurrence.

I still don’t think this proposed language is needed, but hopefully @dzacharo will come back with additional info in case I’m missing something.
