On Feb 26, 3:55 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 02/26/2009 06:18 AM, Eddy Nigg:
>
> > On 02/26/2009 05:24 AM, David E. Ross:
>
> >> In the case of secure browsing at authenticated Web sites, I want to be
> >> conservative in what I accept. If a CA is generating certificates that
> >> do not comply with accepted RFCs, what else is that CA doing wrong? In
> >> other words, if a CA sends CRLs that are not binary DER, that should be
> >> a red flag that the CA might not be trustworthy in other respects.
>
> > Or in other words - and let's put it a bit more mildly - they certainly
> > never tested their CRLs, at least not with the software this group cares
> > about.
>
> > But didn't Kyle say the CRLs are empty anyway (no revocations)? I
> > couldn't find any records either. This doesn't sound quite right. More
> > investigations needed here IMO. Review is due at the weekend...
>
> Right now I found a few CRLs apparently intended for EE certs at
> http://fedir.comsign.co.il/crl/ServerCA.crl and
> http://fedir.comsign.co.il/crl/corporate.crl
>
> Those are DER encoded, the other ones are apparently for their own CAs
> (e.g. suicide notes) which perhaps isn't relevant anyway. Not sure...
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog:  https://blog.startcom.org

The CRLs that you have problems with are generated manually through
our offline CA (RSA Certificate Manager). When generating manually, you
just copy the crl into notepad and save it as crl.

The above CRLs are from our online intermediates that are generated
automatically (also RSA CM).
Probably that is the difference.
We will generate new CRLs the "proper way" as soon as we can.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
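
A check for the failure discussed in this thread (a CRL published as text instead of binary DER), added here as an example and not code from any poster or from the CA. It assumes the text form is PEM armor with the `X509 CRL` label, which the thread does not state, and it validates only the outer DER SEQUENCE framing, not the CRL contents; the sample bytes are constructed stand-ins.

```python
import base64
import re

# Assumption: the text form is PEM armor carrying the "X509 CRL" label.
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL)

def der_outer_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE TLV with no trailing bytes."""
    if len(data) < 2 or data[0] != 0x30:        # CertificateList is a SEQUENCE
        return False
    first = data[1]
    if first < 0x80:                            # short-form length
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite length is not DER
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        if length < 0x80 or data[2] == 0:       # DER needs the minimal length form
            return False
        hdr = 2 + n
    return len(data) == hdr + length

def classify_crl(raw: bytes):
    """Return (encoding, der_bytes): encoding is 'der', 'pem' or 'invalid'."""
    if der_outer_ok(raw):
        return "der", raw
    text = raw.lstrip(b"\xef\xbb\xbf")          # UTF-8 BOM a text editor may add
    m = PEM_RE.search(text)
    if not m:
        return "invalid", None
    try:
        # Drop CR/LF inside the armor body before strict base64 decoding.
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return "invalid", None
    return ("pem", der) if der_outer_ok(der) else ("invalid", None)

# Constructed samples: a DER-shaped stand-in (SEQUENCE { INTEGER 1 }), not a
# real CRL, and the same bytes as an editor-saved text file (BOM, CRLF).
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"\xef\xbb\xbf-----BEGIN X509 CRL-----\r\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END X509 CRL-----\r\n")

if __name__ == "__main__":
    for name, blob in (("binary", SAMPLE_DER), ("text", SAMPLE_PEM)):
        print(name, classify_crl(blob)[0])
```

A publisher can run a check like this against each CRL file before it goes to the distribution point, and re-encode anything classified as `pem` to the returned DER bytes.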
