On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
> On 08/02/18 13:47, Hanno Böck wrote:
>> Is a revoked intermediate cert a license for operating a yolo CA that
>> signs everything? Given the fragility of revocation checking I'd find
>> that a problematic precedent.
>
> In this case, the certificates are revoked in Firefox via OneCRL and
> Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be
> noticed.
>
>> The OCSP seems operational and replies with "Good" and the issuance
>> happened before it was added to OneCRL.
>
> If the cert itself has not been revoked by its issuer, "Good" is an
> entirely reasonable response...
>
>> I don't find a reference for why this intermediate had been added to
>> OneCRL, but I think this deserves more clarification of what's going on
>> here.
>
> OneCRL additions normally have an associated bug but I can't see one for
> this...

https://crt.sh/mozilla-onecrl (which parses the OneCRL JSON feed) suggests https://bugzilla.mozilla.org/show_bug.cgi?id=1432467.

--
Rob Stradling
Senior Research & Development Scientist
ComodoCA.com
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
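As an added illustration (not part of the thread, and not Mozilla's or crt.sh's code), the following Python models what the exchange above turns on: a OneCRL record is keyed by the intermediate's issuer name and serial number, and in Firefox a OneCRL hit takes precedence over an OCSP "Good" from the issuer. The record field names (issuerName, serialNumber, enabled, details.bug), the minimal DER encoder for a single-CN name, and every sample record and serial below are constructed for this example and are assumptions, not entries from the real feed.

```python
"""Check an intermediate against a OneCRL-style list, independent of its OCSP status.

Added example, not from the thread. The record layout (issuerName / serialNumber
as base64 DER, details.bug) follows the OneCRL JSON feed as I understand it; treat
the field names and the sample records as assumptions, and the issuer names and
serials below as constructed test data.
"""
import base64


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV. Short-form length only (< 128 bytes), enough here."""
    if len(body) >= 128:
        raise ValueError("long-form DER lengths not implemented in this example")
    return bytes([tag, len(body)]) + body


def der_name_cn(cn: str) -> bytes:
    """DER X.501 Name with a single commonName RDN, value as PrintableString."""
    oid_common_name = bytes.fromhex("0603550403")  # OID 2.5.4.3 (commonName)
    atv = der_tlv(0x30, oid_common_name + der_tlv(0x13, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))  # SEQUENCE { SET { AttributeTypeAndValue } }


def der_serial_bytes(serial: int) -> bytes:
    """Minimal big-endian two's-complement content bytes of a positive INTEGER."""
    if serial <= 0:
        raise ValueError("certificate serials must be positive")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw  # keep the sign bit clear


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed OneCRL-style records (assumed layout; not real feed entries).
ONECRL_RECORDS = [
    {
        "issuerName": b64(der_name_cn("Example Root CA")),
        "serialNumber": b64(der_serial_bytes(0x0A1B2C3D)),
        "enabled": True,
        "details": {"bug": "https://bugzilla.mozilla.org/show_bug.cgi?id=<constructed>",
                    "why": "constructed example"},
    },
    {
        "issuerName": b64(der_name_cn("Example Root CA")),
        "serialNumber": b64(der_serial_bytes(0x7777)),
        "enabled": False,  # assumption: disabled entries do not block
        "details": {"bug": "", "why": "constructed example"},
    },
]


def onecrl_lookup(records, issuer_der: bytes, serial: int):
    """Return the first enabled record matching (issuerName, serialNumber), else None."""
    key = (b64(issuer_der), b64(der_serial_bytes(serial)))
    for rec in records:
        if rec.get("enabled", True) and (rec.get("issuerName"), rec.get("serialNumber")) == key:
            return rec
    return None


def effective_status(records, issuer_der: bytes, serial: int, ocsp_status: str):
    """Firefox-style precedence: a OneCRL hit revokes regardless of the OCSP answer.

    Returns (status, source, bug_url). The OCSP answer is only consulted when the
    intermediate is absent from OneCRL, which is why an operational responder saying
    "Good" tells you nothing about whether the browser still trusts the issuer.
    """
    hit = onecrl_lookup(records, issuer_der, serial)
    if hit is not None:
        return ("revoked", "OneCRL", hit["details"].get("bug", ""))
    return (ocsp_status.lower(), "OCSP", "")


if __name__ == "__main__":
    issuer = der_name_cn("Example Root CA")
    for serial in (0x0A1B2C3D, 0x7777, 0x1234):
        print(hex(serial), effective_status(ONECRL_RECORDS, issuer, serial, "Good"))
```

Run against a real feed, the records would come from the OneCRL JSON that crt.sh parses, and issuer_der and serial would be taken from the intermediate's own certificate; the matching logic stays the same.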