On Feb 17, 2014, at 4:49 AM, Erwann Abalea <[email protected]> wrote:
> There are some minor points:
> - the CRLs include a revoked certificate with a reason "unspecified", RFC5280
> states that it SHOULD be absent (instead of using this reason code); SHOULD
> isn't a MUST
> - the OCSP responders, when asked about the only revoked certificate so far
> (serial 01000000000000000000000000000001), reply as if it was non-existent
> (unauthorized); this is strange, as this certificate should exist, if it's
> revoked

The 01000000000000000000000000000001 serial number is just a "placeholder" non-existent serial number we put in our CRL files if there are no revoked certificates under the CA certificate. We added it around 2007 or 2008 to work around a problem that existed in some Novell server software (now I can't remember the name of it) which would throw an exception and fail to assign a certificate if the CRL had zero revoked entries.

Thanks for reviewing, Erwann!

Cheers,
Paul Tiemann (DigiCert)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
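The two things Erwann's review flags (a reasonCode of unspecified(0), and the placeholder serial that no OCSP responder will answer for) as a small CRL-entry lint; this is an added example, not code from the thread, DigiCert or Mozilla. It hand-encodes revokedCertificates entries with a minimal DER helper and then parses and flags them; the UTCTime value and the function names are constructed for the example, and a real checker would first strip the signed outer CertificateList structure.

```python
PLACEHOLDER_SERIAL = 0x01000000000000000000000000000001  # the marker serial from the thread
OID_CRL_REASON = bytes.fromhex("551d15")                 # id-ce-cRLReason (2.5.29.21)

def der_tlv(tag, body):
    """Encode one DER tag/length/value (handles lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(value):
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))  # spare byte keeps a leading 0x00

def der_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, body, position just after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def revoked_entry(serial, reason=None, date=b"140217044900Z"):
    """One revokedCertificates entry: serial, UTCTime (constructed date), optional cRLReason."""
    body = der_int(serial) + der_tlv(0x17, date)
    if reason is not None:                             # reasonCode is an ENUMERATED inside an OCTET STRING
        ext = der_tlv(0x06, OID_CRL_REASON) + der_tlv(0x04, der_tlv(0x0A, bytes([reason])))
        body += der_tlv(0x30, der_tlv(0x30, ext))      # crlEntryExtensions: SEQUENCE OF Extension
    return der_tlv(0x30, body)

def lint_entry(entry):
    """Return (serial, reason or None, findings) for one DER-encoded entry."""
    _, body, _ = der_read(entry)
    _, raw_serial, pos = der_read(body)
    serial = int.from_bytes(raw_serial, "big")
    _, _, pos = der_read(body, pos)                    # skip revocationDate
    reason = None
    if pos < len(body):                                # crlEntryExtensions present
        exts, p = der_read(body, pos)[1], 0
        while p < len(exts):
            _, ext, p = der_read(exts, p)
            _, oid, q = der_read(ext)
            tag, val, q = der_read(ext, q)
            if tag == 0x01:                            # skip an explicit critical BOOLEAN
                _, val, _ = der_read(ext, q)
            if oid == OID_CRL_REASON:
                reason = der_read(val)[1][0]
    findings = [msg for hit, msg in (
        (reason == 0, "reasonCode unspecified(0): RFC 5280 says to omit the extension instead"),
        (serial == PLACEHOLDER_SERIAL, "placeholder serial: this entry is not a real revoked certificate"),
    ) if hit]
    return serial, reason, findings
```

Running `lint_entry(revoked_entry(PLACEHOLDER_SERIAL, reason=0))` reports both findings, while an entry for a real serial with reason keyCompromise(1), or with no reasonCode at all, reports none.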

