On 08/06/17 14:15, Rob Stradling via dev-security-policy wrote:
On 08/06/17 13:24, Kurt Roeckx via dev-security-policy wrote:
On 2017-06-08 14:16, Rob Stradling wrote:
crt.sh collates revocation information from all known CRL Distribution Point URLs for each CA. The CDP URLs listed at https://crt.sh/?id=12729173 were observed in other certs issued by the same CA:

Sorry, I meant to write "listed at https://crt.sh/?id=149444544".

That shows:
http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl

This CA tends to put multiple CRL URLs in a single DistributionPoint, rather than put each CRL URL in its own DistributionPoint. Most CAs do the latter, but IINM the former is also valid (see [1]).

Currently, crt.sh only processes the first URL in each DistributionPoint. (Bug at [2] - I'm treating it as GENERAL_NAME rather than GENERAL_NAMES - I'll get that fixed).

Fixed.

crt.sh now processes all CRL URLs that have been observed in all "fullName" DistributionPoints (rather than just the first URL in each "fullName").

http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl isn't the first CDP URL in any DistributionPoint of any cert known to crt.sh, and so crt.sh hasn't noticed that URL yet.

crt.sh has now noticed and processed this CRL successfully, and therefore the error messages have now disappeared from https://crt.sh/?id=149444544, etc.

But tries to use:
http://www.cert.fnmt.es.testa.eu/crls/ARLFNMTRCMEU.crl

This is the first CDP URL in these two certs:
https://crt.sh/?id=50915068
https://crt.sh/?id=50915069


[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.13
   "If the DistributionPointName contains multiple values, each name
    describes a different mechanism to obtain the same CRL.  For example,
    the same CRL could be available for retrieval through both LDAP and
    HTTP."

[2] https://github.com/crtsh/libx509pq/blob/master/x509pq.c#L2513

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
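The DistributionPoint layout discussed above, as an added example (not crt.sh or libx509pq code): a minimal DER walk over a CRLDistributionPoints extension value that collects every URI from every "fullName" GeneralNames, beside a version that models the effect of the reported bug (one name per fullName, so only the first URL is seen). The extension bytes are constructed inline from the two URLs cited in the thread plus a placeholder LDAP URL.

```python
def _tlv(tag, value):
    """DER-encode one tag/length/value triple, short or long length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _children(buf):
    """Yield (tag, value) for each TLV element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def _full_names(ext_value):
    """Yield the GeneralNames of every DistributionPoint that uses fullName."""
    _, dps = next(_children(ext_value))        # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    for tag, dp in _children(dps):             # DistributionPoint ::= SEQUENCE {...}
        if tag != 0x30: continue
        for ctag, dpn in _children(dp):        # [0] distributionPoint, EXPLICIT (wraps a CHOICE)
            if ctag != 0xA0: continue
            for ntag, names in _children(dpn): # CHOICE: [0] fullName GeneralNames / [1] RDN
                if ntag == 0xA0: yield names

def _uris(general_names):
    """Keep the uniformResourceIdentifier [6] IA5String members, in order."""
    return [v.decode("ascii") for t, v in _children(general_names) if t == 0x86]

def crl_urls_first_only(ext_value):
    """Models the bug from the thread: fullName read as one GENERAL_NAME, so only its first URL."""
    return [u[0] for u in map(_uris, _full_names(ext_value)) if u]

def crl_urls_all(ext_value):
    """The fix: every URL of every fullName GeneralNames."""
    return [u for names in _full_names(ext_value) for u in _uris(names)]

# Constructed sample, modelled on the certs in the thread: DP 1 lists two HTTP
# URLs (EU mirror first); DP 2 holds a placeholder LDAP URL as a second mechanism.
URL_EU = "http://www.cert.fnmt.es.testa.eu/crls/ARLFNMTRCMEU.crl"
URL_ES = "http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl"
URL_LDAP = "ldap://ldap.example/cn=placeholder"
def _dp(*uris):
    names = b"".join(_tlv(0x86, u.encode("ascii")) for u in uris)
    return _tlv(0x30, _tlv(0xA0, _tlv(0xA0, names)))  # SEQUENCE { [0] { [0] GeneralNames } }

SAMPLE_EXT = _tlv(0x30, _dp(URL_EU, URL_ES) + _dp(URL_LDAP))
```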
