"and required by EV" ? Eddy, the EV Guidelines impose certain requirements on Intermediate CAs *when* they are used, but AFAIK they don't mandate that Intermediate CAs MUST be used.
Visit https://www.securetrust.com in FF3 for an example of an EV-enabled Root Certificate (CN = SecureTrust CA) that issues EV SSL Certificates without involving any Intermediate CA(s) in the certificate chain. On Monday 12 January 2009 10:28:42 Eddy Nigg wrote: > On 01/12/2009 11:56 AM, Jean-Marc Desperrier: > > Eddy Nigg wrote: > >> [...] No exception can be added for revoked certificates, but for > >> expired ones it's possible - hence it suggests that revocation is more > >> severe than expired (if one can think in those terms). Or how would you > >> explain that? > > > > As I have already found myself in the situation of really needing to > > override an expired certificate, I beg to differ and find an explanation. > > > > In the case of revoked certificates, you have positive proof that the CA > > wants that cert to be revoked. > > Indeed! That was the point I was trying to make (and why i believe that > expired but revoked certificates should never be removed from the CRL). > Considering that intermediate CAs are more and more common and the > encouraged practice anyway (and required by EV), those CRLs shouldn't > grow that badly until the issuing CA certificate expires. As Julien also > mentioned, some CAs keep the revoked certs for a period of N years in > the CRL - with intermediates assumed limited life-time, we aren't really > far from that. > > > In the case of expired certificates, you just don't know. So it leave > > the possibility that you have out of band information that the key is > > not compromised and that you should be able to access the site. > > Yes, I view an expired certificate differently than a revoked one. There > are indeed situations which require to access a site with an expired cert. -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto