On 02/26/2009 05:24 AM, David E. Ross:
In the case of secure browsing at authenticated Web sites, I want to be conservative in what I accept. If a CA is generating certificates that do not comply with accepted RFCs, what else is that CA doing wrong? In other words, if a CA sends CRLs that are not binary DER, that should be a red flag that the CA might not be trustworthy in other respects.
Or in other words - and let's put it a bit more mildly - they certainly never tested their CRLs, at least not with the software this group cares about.
But didn't Kyle say the CRLs are empty anyway (no revocations)? I couldn't find any records either. This doesn't sound quite right. More investigations needed here IMO. Review is due at the weekend...
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
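A check of the kind this thread is asking for, added here as an example (not code from the thread, from StartCom, or from the NSS code base): it tells a PEM-wrapped CRL from the binary DER that RFC 5280 expects at an HTTP distribution point, and counts the revokedCertificates entries so an "empty CRL" is visible at a glance. The DER walker is hand-rolled and does no signature verification; the sample CertificateList is constructed with dummy signature bytes.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def _tlv(tag, body):
    """Encode one DER TLV with a definite length (used to build the sample)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _children(body):
    """Yield (tag, value) for each DER TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
            n, pos = length & 0x7F, pos + (length & 0x7F)
            length = int.from_bytes(body[pos - n:pos], "big")
        yield tag, body[pos:pos + length]
        pos += length

def classify_crl(raw):
    """Return ('DER' | 'PEM', number of revokedCertificates entries)."""
    m = PEM_RE.search(raw)
    if m:
        encoding, der = "PEM", base64.b64decode(b"".join(m.group(1).split()))
    elif raw[:1] == b"\x30":  # a DER CertificateList starts with a SEQUENCE tag
        encoding, der = "DER", raw
    else:
        raise ValueError("not a CRL in DER or PEM form")
    tbs = next(_children(next(_children(der))[1]))[1]  # CertificateList -> TBSCertList
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:  # optional version INTEGER
        fields = fields[1:]
    rest = fields[3:]  # after signature, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate (UTCTime/GeneralizedTime)
        rest = rest[1:]
    if rest and rest[0][0] == 0x30:  # revokedCertificates SEQUENCE OF
        return encoding, sum(1 for _ in _children(rest[0][1]))
    return encoding, 0  # absent: nothing revoked (only crlExtensions may follow)

def sample_crl(serials):
    """Constructed, unsigned sample CertificateList; the signature bytes are dummy."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0c, b"Example CA"))))
    body = _tlv(0x02, b"\x01") + alg + issuer + _tlv(0x17, b"090226000000Z") + _tlv(0x17, b"090326000000Z")
    if serials:
        body += _tlv(0x30, b"".join(_tlv(0x30, _tlv(0x02, bytes([s])) + _tlv(0x17, b"090225000000Z")) for s in serials))
    return _tlv(0x30, _tlv(0x30, body) + alg + _tlv(0x03, b"\x00" * 9))

def to_pem(der):
    """Wrap a DER CRL the way a misconfigured server would serve it."""
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"
```

Feed it the bytes fetched from a CRL distribution point: a 'PEM' result is the encoding problem discussed above, and a count of 0 is the "empty CRL" observation worth cross-checking against the CA's own records.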