On 11/09/2011 11:24 AM, Matthias Hunstock wrote:
> On 09.11.2011 16:47, Daniel Kahn Gillmor wrote:
>
>> My concern is that the CAs in question appear to be signing certificates
>> for names that do not have any domain suffix at all, or have a suffix
>> (like .local) known to be used in a colliding fashion by many people.
>
> No, not "is signing". WAS signing.

Correction duly noted; I have no evidence that they signed any of these
after 2010-04. Wags may point out that I also have no evidence that they
have *not* signed any of these after 2010-04, but I certainly can't claim
that they have.

>> I'm baffled by the idea that any CA would think it reasonable to sign a
>> .local name for a certificate of any duration, let alone a 5 year duration.
>
> Uhm btw. ... did you check the CRL?

I did not, but as I noted, the certificate is in active use. You can see
it here:

  https://webmail-berlin.leibniz-gemeinschaft.de/

Its CRLs don't seem to contain the certificate's serial number:

> 0 dkg@pip:~$ wget -q -O- http://cdp1.pca.dfn.de/global-services-ca/pub/crl/cacrl.crl | openssl crl -inform DER -text -noout -CAfile /tmp/DFN-VereinCAServices | egrep -A1 'Last Update|0F2B8944'
> verify OK
> Last Update: Nov  7 21:07:27 2011 GMT
> Next Update: Nov 17 21:07:27 2011 GMT
> 0 dkg@pip:~$

Am I checking this wrong?

--dkg
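The CRL check in the message above (verify the CRL signature with -CAfile, then look for the serial in the -text dump) can be reproduced offline. The script below is an added example, not code from the thread, from DFN or from the list; it builds a throwaway CA with openssl, issues two leaf certificates, revokes one, publishes a DER CRL the way the DFN CDP does, and wraps the check in a function that distinguishes "listed", "not listed" and "CRL signature did not verify". The CA name, leaf names, serials (0x1000, 0x1001) and temporary paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + CRL, then a serial lookup
# done the same way as in the mail. All names, serials and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config: just enough for `openssl req -x509` and `openssl ca`.
cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 10
policy           = policy_any
unique_subject   = no
x509_extensions  = leaf_ext

[ policy_any ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder
EOF

mkdir "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"   # first leaf gets serial 0x1000, the next 0x1001

# Demo CA (EC key, for speed).
openssl req -config "$CNF" -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" \
    -days 30 -extensions v3_ca 2>/dev/null

issue_leaf() {  # $1 = CN, $2 = output basename
    openssl req -config "$CNF" -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
        -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}
issue_leaf "revoked.example"    revoked      # serial 1000
issue_leaf "webmail.example"    stillvalid   # serial 1001

# Revoke one leaf and publish the CRL in DER, as the CDP in the mail does.
openssl ca -config "$CNF" -revoke "$WORK/revoked.crt" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
openssl crl -in "$WORK/crl.pem" -outform DER -out "$WORK/crl.der"

# crl_serial_hex CERT: the certificate's serial in the hex form `openssl crl -text` prints
crl_serial_hex() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# serial_revoked CRL_DER CA_CERT HEXSERIAL
#   0: serial listed in a CRL whose signature verifies against CA_CERT
#   1: signature verifies, serial not listed
#   2: CRL signature does not verify (neither answer can be trusted)
serial_revoked() {
    # "verify OK" goes to stderr, hence 2>&1
    openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK' || return 2
    openssl crl -inform DER -in "$1" -text -noout \
        | grep -qi "^[[:space:]]*Serial Number:[[:space:]]*$3\$"
}

# Stand-alone run: report both leaves.
for leaf in revoked stillvalid; do
    s=$(crl_serial_hex "$WORK/$leaf.crt")
    if serial_revoked "$WORK/crl.der" "$WORK/ca.crt" "$s"; then
        echo "$leaf (serial $s): listed in CRL"
    else
        echo "$leaf (serial $s): not listed in CRL"
    fi
done
```

A "not listed" answer only means something when the signature check passed (return 2 is deliberately distinct) and the CRL is still fresh, so a real-world check should also compare the Next Update line against the current time, which the egrep in the mail already surfaces.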
