On 02/26/2009 06:18 AM, Eddy Nigg:
On 02/26/2009 05:24 AM, David E. Ross:

In the case of secure browsing at authenticated Web sites, I want to be
conservative in what I accept. If a CA is generating certificates that
do not comply with accepted RFCs, what else is that CA doing wrong? In
other words, if a CA sends CRLs that are not binary DER, that should be
a red flag that the CA might not be trustworthy in other respects.


Or in other words - and let's put it a bit more mildly - they certainly
never tested their CRLs, at least not with the software this group cares
about.

But didn't Kyle say the CRLs are empty anyway (no revocations)? I
couldn't find any records either. This doesn't sound quite right. More
investigations needed here IMO. Review is due at the weekend...



Right now I found a few CRLs apparently intended for EE certs at http://fedir.comsign.co.il/crl/ServerCA.crl and http://fedir.comsign.co.il/crl/corporate.crl

Those are DER encoded; the other ones are apparently for their own CAs (e.g. suicide notes), which perhaps isn't relevant anyway. Not sure...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
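The two checks the thread turns on - is a fetched CRL actually binary DER, and does it contain any revocation entries - can be scripted. The following is an added example, not code from the thread, from ComSign or from StartCom: a minimal DER walker that classifies a blob as DER (first byte is the SEQUENCE tag 0x30) or PEM (OpenSSL's "X509 CRL" armour), unwraps PEM, and counts the entries in revokedCertificates by walking CertificateList and TBSCertList by field position as laid out in RFC 5280 section 5.1. It uses only the standard library. The sample CRL it operates on is constructed inside the script with a zero-filled dummy signature; the issuer name "Example CA" and the serial numbers are assumptions, not taken from the ComSign CRLs. It goes beyond the specific case above in that it handles both DER and PEM input and both empty and non-empty CRLs.

```python
"""Added example (not from the thread): classify a CRL blob as DER or PEM and
count its revokedCertificates entries with a minimal DER parser.
The sample CRL built below is constructed here and carries a dummy signature."""
import base64
import re

# OpenSSL's PEM armour for a CRL; whitespace inside the armour is tolerated.
PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

# ASN.1 universal tags used by CertificateList (RFC 5280 section 5.1)
TAG_INTEGER, TAG_BITSTRING, TAG_NULL, TAG_OID = 0x02, 0x03, 0x05, 0x06
TAG_UTF8, TAG_UTCTIME, TAG_GENTIME, TAG_SEQUENCE, TAG_SET = 0x0C, 0x17, 0x18, 0x30, 0x31


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end).
    Single-byte tags and definite lengths only (DER forbids indefinite lengths)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[start:end], end


def _children(value):
    """Split the contents of a constructed type into its (tag, value) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        items.append((tag, v))
    return items


def classify_crl(data):
    """'DER' if the blob opens with a SEQUENCE tag, 'PEM' if armoured, else 'unknown'."""
    if data[:1] == bytes([TAG_SEQUENCE]):
        return "DER"
    if PEM_RE.search(data):
        return "PEM"
    return "unknown"


def to_der(data):
    """Normalise a CRL to DER: PEM is unwrapped, anything else is rejected."""
    kind = classify_crl(data)
    if kind == "DER":
        return data
    if kind == "PEM":
        return base64.b64decode(PEM_RE.search(data).group(1))
    raise ValueError("not a DER or PEM CRL")


def count_revoked(der):
    """Number of revokedCertificates entries, 0 when the field is absent (empty CRL)."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CertificateList must be a SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert_list, 0)
    if tbs_tag != TAG_SEQUENCE:
        raise ValueError("tbsCertList must be a SEQUENCE")
    fields = _children(tbs)
    i = 1 if fields and fields[0][0] == TAG_INTEGER else 0  # optional version
    i += 3  # signature AlgorithmIdentifier, issuer Name, thisUpdate
    if i < len(fields) and fields[i][0] in (TAG_UTCTIME, TAG_GENTIME):
        i += 1  # optional nextUpdate
    if i < len(fields) and fields[i][0] == TAG_SEQUENCE:  # [0] extensions would be 0xA0
        return len(_children(fields[i][1]))
    return 0


def _tlv(tag, payload):
    """Encode one DER TLV with a short- or long-form definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_crl(serials):
    """Constructed v2 CRL for the assumed issuer CN=Example CA with a dummy signature."""
    sha256_rsa = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, bytes.fromhex("2a864886f70d01010b")) + _tlv(TAG_NULL, b""))
    cn = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, bytes.fromhex("550403")) + _tlv(TAG_UTF8, b"Example CA"))
    issuer = _tlv(TAG_SEQUENCE, _tlv(TAG_SET, cn))
    utc = lambda s: _tlv(TAG_UTCTIME, s.encode())
    body = _tlv(TAG_INTEGER, b"\x01") + sha256_rsa + issuer + utc("090226000000Z") + utc("090305000000Z")
    if serials:  # revokedCertificates is omitted entirely when there are no entries
        body += _tlv(TAG_SEQUENCE, b"".join(
            _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, s) + utc("090225120000Z")) for s in serials))
    sig = _tlv(TAG_BITSTRING, b"\x00" * 33)  # unused-bits byte plus zero-filled dummy value
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, body) + sha256_rsa + sig)


def to_pem(der):
    """Wrap DER in the PEM armour OpenSSL uses for CRLs."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{lines}\n-----END X509 CRL-----\n".encode()


if __name__ == "__main__":
    for blob in (build_sample_crl([b"\x10", b"\x02\x03"]), to_pem(build_sample_crl([]))):
        print(classify_crl(blob), "revoked entries:", count_revoked(to_der(blob)))
```

Run against a real download (for instance the bytes returned by the two ComSign URLs above), `classify_crl` answers the "binary DER or not" question from the first byte alone, and `count_revoked` answers the "are they empty" question without needing the signature to verify. Note that it deliberately does not validate the signature or the issuer, so it tells you what a CRL claims, not whether to trust it.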