feat: unset OnlyContainsUserCerts and OnlyContainsCACerts options during Distribution Point marshaling

[savely-krasovsky]

Name of feature:

Unset OnlyContainsUserCerts and OnlyContainsCACerts options during Distribution Point marshaling.

Pain or issue this feature alleviates:

Why is this important to the project (if not answered above):

Is there documentation on how to use this feature? If so, where?

In what environments or workflows is this feature supported?

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:

💔Thank you!

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[maraino]

I haven't tried, but my I think that if you set idpOnlyContainsCACerts and you revoke a "user" certificate, that will also appear in the CRL.

[savely-krasovsky]

If there is no special reason to set OnlyUser I think it would make sense to just disable it. Specification says you must set either distribution point or one of those flags on, but in our case DP is already set, so both flags could be unset.

[savely-krasovsky]

@maraino what do you think about the change like that? I don't see any particular reason why those params are set. step-ca CRL list could contain both CA and user certs.

[maraino]

@maraino what do you think about the change like that? I don't see any particular reason why those params are set. step-ca CRL list could contain both CA and user certs.

That makes more sense to me, we'll include this in our next triage.