On 10/12/13 06:20, Jan Schejbal wrote:
> The third sub-ca cert (Subject AC DGTPE Signature Authentification)
> includes a CRL DP for a CRL issued by sub-ca 2, validity 2011-09-09 to
> 2014-09-13. The CRL is empty.

Look again. It seems that it now contains 1106 certificates (!), with widely varying revocation dates. It would be interesting to know by what process this happened. Were these certs revoked in the past but the CRL not updated due to some technical issue? Or have they just decided to do a blanket revocation of every cert issued? Or something else?

> Am I correct in the assumption that this means that the only way this CA
> can deal with Sub-CA compromises effectively is asking for an emergency
> update of all software relying on the certificates?

AIUI, yes.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

