https://wiki.mozilla.org/CA:Problematic_Practices#CRL_with_critical_CIDP_Extension
There's a problem with the validation of the info on that page.
The following recommendation "Our recommendation is to remove the
critical flag from the CIDP extension of your CRL." is extremely dangerous.
The only reason to include a CIDP extension in the CRL is when the CRL
*does not* cover all certs issued by the CA. Removing the critical flag
means that it will be accepted as a valid CRL for certs it doesn't cover.
The correct recommendation is to ask the CA to generate two CRLs,
including one without the CIDP that covers every currently valid cert
issued by the CA.
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
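
The failure mode described in the message above, as an added example that is not part of the original post: a simplified Python model of the RFC 5280 rule that an unrecognized critical CRL extension makes the CRL unusable, while an unrecognized non-critical one is ignored. The `Crl` class, the `check` helper, the URLs and the serial numbers are constructed for illustration; real path validation does much more.

```python
from dataclasses import dataclass, field

IDP_OID = "2.5.29.28"  # id-ce-issuingDistributionPoint, the "CIDP" extension

@dataclass
class Crl:
    revoked: set                                    # serial numbers listed
    extensions: dict = field(default_factory=dict)  # OID -> (critical, value)

def check(crl, serial, cert_dp, understood):
    """Status of one cert: 'revoked', 'good' or 'crl-unusable' (simplified model)."""
    for oid, (critical, value) in crl.extensions.items():
        if oid not in understood:
            if critical:
                return "crl-unusable"  # RFC 5280: must not use this CRL
            continue                   # non-critical: ignored, scope limit is lost
        if oid == IDP_OID and value != cert_dp:
            return "crl-unusable"      # CRL scope does not cover this cert
    return "revoked" if serial in crl.revoked else "good"

LEGACY, AWARE = frozenset(), frozenset({IDP_OID})  # client without / with IDP support

def scenario():
    # Constructed data: the cert is revoked and belongs to partition B.
    serial, dp_a, dp_b = 2002, "http://ca.example/a.crl", "http://ca.example/b.crl"
    part_a_critical = Crl({1001}, {IDP_OID: (True, dp_a)})
    part_a_relaxed = Crl({1001}, {IDP_OID: (False, dp_a)})
    part_b = Crl({2002}, {IDP_OID: (True, dp_b)})
    full = Crl({1001, 2002})  # second CRL without IDP, covering everything
    return {
        "legacy + partition A, critical": check(part_a_critical, serial, dp_b, LEGACY),
        "legacy + partition A, non-critical": check(part_a_relaxed, serial, dp_b, LEGACY),
        "aware + partition A, non-critical": check(part_a_relaxed, serial, dp_b, AWARE),
        "aware + partition B": check(part_b, serial, dp_b, AWARE),
        "legacy + full CRL": check(full, serial, dp_b, LEGACY),
    }

if __name__ == "__main__":
    for case, status in scenario().items():
        print(f"{case}: {status}")
```

Only the non-critical case on a client without IDP support reports the revoked certificate as good; the full CRL without the extension gives that same client the correct answer.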