Am 2013-12-11 23:59, schrieb Gervase Markham: > Look again. It seems that it now contains 1106 certificates (!), with > widely varying revocation dates.
Can't confirm that for any of the following CRL DPs: http://www.icp.minefi.gouv.fr/igca.crl (1 entry) http://www.icp.minefi.gouv.fr/ac-racine.crl (empty) http://crl1.dgtpe.fr/AC_Racine_DGTPE.crl (empty) These are the CRL DPs in the first, second and third sub-ca cert, respectively (containing the revocations for the root, first SubCA and second SubCA). The CRL for the third Sub-CA has 1110 certificates, but there is no CRL DP pointing to it in the fourth cert - you need to manually get it from http://crl1.dgtpe.fr/AC_DGTPE_Signature_Authentification.crl According to that CRL, the fourth Sub-CA is indeed revoked. The first revoked serial is 0x0313DC, the last one is 0x031F90. That's a range of ~3000 certificates. That's a lot of revocations, but that doesn't need to mean much. 432 are "Key compromise" 323 are "Superseded" 268 are "Cessation Of Operation" 42 are "Affiliation Changed" and I think the rest is without a reason extension. Kind regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
