Rob Stradling <rob.stradl...@comodo.com> writes:

>>I guess it makes them easy to revoke, if a single revocation can kill 313
>>certs at once.
>
>That's true.

Hey, WoSign has solved the CRL scalability problem!

>It'd be impossible to revoke (via CRL and/or OCSP) a subset of those 313
>certs though.

I also get the feeling that a lot of PKI software won't handle the revocation properly, because they're expecting to revoke *the* certificate, not the certificate, and the other certificate, and that other one there too, and that one in the corner, and ... . In other words I'm assuming most code will treat serial numbers as unique and assume the revocation acted on when the first cert has been marked as invalid.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
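
The failure mode discussed in the message above, as an added example that is not part of the original post or of any real PKI product: a CA-side certificate database in which several records share one serial, a revocation routine that stops at the first match, and the resulting disagreement with a CRL that identifies certificates by serial only. The record layout, function names and sample data are hypothetical, and three duplicates stand in for the 313.

```python
from dataclasses import dataclass

@dataclass
class CertRecord:
    serial: int          # serial number assigned by the CA
    subject: str         # constructed sample subject
    revoked: bool = False

def make_db():
    # Constructed sample data: three certificates sharing one serial, plus one unique.
    return [
        CertRecord(0x1001, "a.example"),
        CertRecord(0x1001, "b.example"),
        CertRecord(0x1001, "c.example"),
        CertRecord(0x2002, "d.example"),
    ]

def revoke_first_match(db, serial):
    """Hypothetical CA code that assumes serials are unique: stops at first hit."""
    for rec in db:
        if rec.serial == serial:
            rec.revoked = True
            return 1
    return 0

def revoke_all_matches(db, serial):
    """Marks every record carrying the serial, so the database agrees with the CRL."""
    hits = [rec for rec in db if rec.serial == serial]
    for rec in hits:
        rec.revoked = True
    return len(hits)

def build_crl(db):
    """A CRL lists serial numbers only, so it cannot single out one of the duplicates."""
    return {rec.serial for rec in db if rec.revoked}

def disagreements(db):
    """Certs the CA database calls valid although their serial is on the CRL."""
    crl = build_crl(db)
    return [rec.subject for rec in db if rec.serial in crl and not rec.revoked]

if __name__ == "__main__":
    db = make_db()
    revoke_first_match(db, 0x1001)
    print("after first-match revoke, inconsistent:", disagreements(db))
    db = make_db()
    revoke_all_matches(db, 0x1001)
    print("after revoke-all, inconsistent:", disagreements(db))
```

Running `disagreements()` as a periodic audit over a real certificate store would flag any record whose status contradicts the published CRL for its serial.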