On 2013-12-10 12:09, Jan Schejbal wrote:
> 5. Appears unable to operate a CA properly as per Erwann's mail (e.g. no valid CRLs).
I had a look at the CRLs of the certificates in the chain.

The first sub-CA cert in the chain (Subject MINEFI-AUTORITE DE CERTIFICATION RACINE) includes a CRL DP which provides a CRL issued by the root, valid from 2013-12-01 through 2014-01-08. This CRL contains one certificate with a revocation date in 2008.

The second sub-CA cert (Subject AC Racine DGTPE) includes a CRL DP for a CRL issued by sub-CA 1, validity 2013-06-04 to 2015-06-04. The CRL is empty.

The third sub-CA cert (Subject AC DGTPE Signature Authentification) includes a CRL DP for a CRL issued by sub-CA 2, validity 2011-09-09 to 2014-09-13. The CRL is empty.

The fourth and final sub-CA cert (Subject AC DG Trésor SSL) does not contain a CRL DP.

Thus, if I understand it correctly, the CA cannot effectively revoke the "Trésor" sub-CA without revoking other sub-CAs. Further, any revocation will have limited effectiveness for at least one month, since signed CRLs valid until then already exist for the entire chain. Even then, the CA would need to revoke the MINEFI sub-CA - otherwise, the revocation will have limited effectiveness for many more months.

No OCSP responders are specified in the certificates.

Am I correct in the assumption that this means that the only way this CA can deal with sub-CA compromises effectively is asking for an emergency update of all software relying on the certificates? (Even under the assumption that software does check CRLs, that is.)

By the way, CAs were informed in February 2012 that they will need to comply with v1 of the CAB BR by July 2012. These requirements already state that OCSP is mandatory effective January 2013. They also explicitly prohibit CRLs with nextUpdate values more than 12 months from the thisUpdate value. Such a CRL was issued in 2013, i.e. long after the effective date of the BR.
The 2011 audit statement <https://bug666771.bugzilla.mozilla.org/attachment.cgi?id=661038> appears to claim that they fulfill the 1.0 BR, however, they seem to have audited themselves?!?

Kind regards,
Jan

--
Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers...

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
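The chain analysis in the post can be turned into a small model. The following is an added example (not part of the post or of the CA's tooling): it encodes the four sub-CA certificates with the CRL DP presence and CRL validity dates quoted above, checks them against the twelve-month CRL window the BR impose, and works out, for each sub-CA that could be revoked, when a client that caches CRLs until nextUpdate would first see the revocation. The ChainCert structure, the 366-day limit and the assumption that clients cache CRLs until nextUpdate are this example's own, and the root is left out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class ChainCert:
    """One sub-CA certificate plus the CRL found at its CRL Distribution Point (if it has one)."""
    subject: str
    has_crl_dp: bool
    this_update: Optional[date] = None   # thisUpdate of the CRL that covers this certificate
    next_update: Optional[date] = None   # nextUpdate of that CRL
    has_ocsp: bool = False               # the post notes no OCSP responder in any certificate

# Constructed from the subjects and CRL validity dates quoted in the post (index 0 = first sub-CA).
CHAIN = [
    ChainCert("MINEFI-AUTORITE DE CERTIFICATION RACINE", True, date(2013, 12, 1), date(2014, 1, 8)),
    ChainCert("AC Racine DGTPE", True, date(2013, 6, 4), date(2015, 6, 4)),
    ChainCert("AC DGTPE Signature Authentification", True, date(2011, 9, 9), date(2014, 9, 13)),
    ChainCert("AC DG Trésor SSL", False),
]

# BR: nextUpdate of a CRL covering sub-CA certificates must not be more than 12 months after thisUpdate.
MAX_CRL_WINDOW = timedelta(days=366)

def br_findings(chain: List[ChainCert]) -> List[Tuple[str, str]]:
    """Flag certs with no revocation pointer at all, and CRLs whose window exceeds twelve months."""
    findings = []
    for c in chain:
        if not c.has_crl_dp and not c.has_ocsp:
            findings.append((c.subject, "no CRL DP and no OCSP responder"))
        elif c.has_crl_dp and c.next_update - c.this_update > MAX_CRL_WINDOW:
            findings.append((c.subject, "CRL nextUpdate more than 12 months after thisUpdate"))
    return findings

def revocation_options(chain: List[ChainCert], target: int) -> List[Tuple[str, date]]:
    """Ways to cut chain[target] off via CRLs: revoke it, or any ancestor that carries a CRL DP.
    Assumes clients cache a CRL until its nextUpdate, so that is when they first see the entry.
    Returns (subject to revoke, date from which cached-CRL clients notice), earliest first."""
    options = [(chain[i].subject, chain[i].next_update)
               for i in range(target, -1, -1) if chain[i].has_crl_dp]
    return sorted(options, key=lambda o: o[1])

def days_until_effective(chain: List[ChainCert], target: int, today: date) -> Optional[int]:
    """Smallest number of days from `today` until any CRL-based revocation of chain[target] bites."""
    options = revocation_options(chain, target)
    return (options[0][1] - today).days if options else None

if __name__ == "__main__":
    for subject, why in br_findings(CHAIN):
        print(f"{subject}: {why}")
    for subject, seen in revocation_options(CHAIN, 3):
        print(f"revoke {subject!r}: visible to cached-CRL clients from {seen}")
    print("fastest option, days from 2013-12-10:", days_until_effective(CHAIN, 3, date(2013, 12, 10)))
```

Run against the constructed chain, the fastest way to cut off the Trésor sub-CA is revoking MINEFI, which takes effect only once the root's CRL expires in January 2014; every other option waits until September 2014 or June 2015.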

