Publish an infrastructure only CRL in addition to the full CRL

*Puppet Version:6.x
*Puppet Server Version: 6.x?
*OS Name/Version: n/a

Background: In our current implementation the CRL validity is set to 5 years. This effectively nullifies revocation checking of any ‘server’ certificates by agent nodes. This issue does not quite affect MoM and any of the compile masters because everytime a new CRL is published it is available/updated locally on MoM and replicated to compile masters using a ‘file-sync’ mechanism.
While agent nodes not doing revocation checking of servers or compile masters is less of a risk than the other way round it still is an issue. Throughout we strive to ensure all SSL endpoints do the appropriate checking to protect themselves against rogue peers or from any active man in the middle attempts. Agent typically runs in privileged mode and trust all content (and commands) from servers - generalized to mean any services on MoM and compile masters. Hence it is important to plug this potential vulnerability.

One of the concerns with publishing shorter validity CRL or letting agents fetch a CRL any time it is updated is the increased demands on bandwidth, particularly in environments where CRL can grow significantly large. While a shorter validity CRL may not necessarily address requirements of using the most up to date revocation status in certain high security or compliance environments it is a step in right direction short of implementing OCSP.

Proposal:
Publish a CRL containing only MoM and compile master certificates. Agent CRL requests be satisfied with this CRL. This assumes compile masters, with puppet agents, do not use the same mechanism to request CRLs and continue to get/use the ‘full’ CRL.
With the CRL size in check, it should allow us to publish CRL with shorter validity and/or allowing agents to fetch a new one every time it is published.