On 27/06/16 01:07, Nick Lamb wrote:
> On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote:
>> My concern is that it is trivial to demonstrate an intermediate is
>> revoked, yet still validate a chain that includes that "revoked"
>> certificate.
>
> Sure. If you decide not to check for revocation, then you won't know if it's
> revoked. I don't think there's any surprise there. If your revocation check
> depends on, say, Mozilla compiling a list of revoked intermediates, then you
> won't know about revocations unless they're on that list.
>
> I'm still hesitant as I wait for the other shoe to drop, surely you already
> knew all this?

Just to reiterate: https://crt.sh/mozilla-disclosures is only considering an intermediate to be "revoked" if it has been disclosed to Salesforce as "revoked".

Mozilla have said that they intend to generate OneCRL from the Salesforce data. OneCRL is an effective revocation mechanism in Firefox.

https://crt.sh/mozilla-disclosures is *not* considering CRLs and/or OCSP.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
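The distinction drawn in the thread, ordinary chain validation on one side and a separate check against a OneCRL-style block list on the other, as an added example in Go; this is not code from the thread, from crt.sh or from Mozilla. It assumes a block-list entry can be matched on issuer name plus serial number, and it mints its own throwaway root and intermediate rather than using any real CA material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BlockEntry identifies a blocked intermediate by issuer name plus serial (assumption: raw DER and big.Int, not base64 text).
type BlockEntry struct {
	IssuerDER []byte
	Serial    *big.Int
}
// CACert mints a constructed CA certificate for cn with a fresh Ed25519 key,
// signed by parent/signer, or self-signed when parent is nil.
func CACert(serial int64, cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c, priv
}
// PathValidates is ordinary chain building (signature, name chaining, validity); it consults no revocation source.
func PathValidates(root, inter *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := inter.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
// OnBlockList is the separate revocation check: match by (issuer, serial) against the list.
func OnBlockList(c *x509.Certificate, list []BlockEntry) bool {
	for _, e := range list {
		if string(c.RawIssuer) == string(e.IssuerDER) && c.SerialNumber.Cmp(e.Serial) == 0 {
			return true
		}
	}
	return false
}
```

PathValidates returns true for the intermediate whether or not it appears on the list; only OnBlockList notices the entry, which is the gap a validator has when it never consults OneCRL, a CRL or OCSP.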
