On 08/02/18 13:47, Hanno Böck wrote:
> Is a revoked intermediate cert a license for operating a yolo CA that
> signs everything? Given the fragility of revocation checking I'd find
> that a problematic precedent.

In this case, the certificates are revoked in Firefox via OneCRL and Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be noticed.

> The OCSP seems operational and replies with "Good" and the issuance
> happened before it's being added to OneCRL.

If the cert itself has not been revoked by its issuer, "Good" is an entirely reasonable response...

> I don't find a reference why this intermediate had been added to
> OneCRL, but I think this deserves more clarification what's going on
> here.

OneCRL additions normally have an associated bug but I can't see one for this...

Gerv