Good evening,

On Monday 6 October 2014 15:55:24 UTC+2, Certificates wrote:
> Thank you for your clarifications. We analysed it, and we added the Authority
> Key Identifier extension to our CRLs. As it is mentioned in s. 5.2.1 RFC
> 5280 "this extension is especially useful where an issuer has more than
> one signing key, either due to multiple concurrent key pairs or due to
> changeover". We based the value of this extension on issuer name and
> serial number. We checked that GoDaddy distinguishes CRLs in the same way.
> The CRL for the newer CA certificate is available now here
> http://www.elektronicznypodpis.pl/crl/trusted_ca_2013.crl. CRL for the
> elder CA certificate will be available tomorrow.
Please read X.509 or RFC5280 again. AKI is not a way to limit the scope of the CRL. AKI is not to be set as a critical extension. AKI is only a helper so the RP can avoid guessing which key signed this object. The RP has absolutely no obligation to follow this helper.

The ONLY RFC5280-compatible extension to reduce the scope of a CRL is the IssuingDistributionPoint. GoDaddy distinguishes the CRLs not by their AKI, but by the IssuingDistributionPoint extension, and this extension MUST be critical for its goal to be achieved.

BTW, the AKI extension of such partitioned CRLs at GoDaddy is identical on all the CRLs (I checked http://crl.godaddy.com/gds2-{1,...,17}.crl).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
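An added example, not code from this post or from any CA named in it: a small DER-level checker that makes the distinction in the reply concrete. It reports whether a CRL carries an AuthorityKeyIdentifier, whether it carries an IssuingDistributionPoint, and whether that IDP is critical, and treats the CRL as scope-limited only in the last case. The three CRLs it inspects are constructed in the script itself (hypothetical issuer name and distribution-point URI, placeholder signature bytes), so it runs offline; the sample AKI uses the keyIdentifier form rather than the issuer-name-and-serial form the quoted message describes.

```python
# Added example, not code from the list post: a DER-level checker showing that
# only a critical IssuingDistributionPoint (RFC 5280 s. 5.2.5) limits a CRL's
# scope, while an AuthorityKeyIdentifier (s. 5.2.1) merely names the signing
# key. Sample CRLs are constructed inline with a placeholder signature.
OID_AKI, OID_IDP = '2.5.29.35', '2.5.29.28'

# --- minimal DER encoder, enough to build a CertificateList ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b
def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def seq(*items):
    return tlv(0x30, b''.join(items))
def oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(enc)
    return tlv(0x06, body)
def extension(oid_str, critical, value_der):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    parts = [oid(oid_str)] + ([tlv(0x01, b'\xff')] if critical else [])  # DER omits a default FALSE
    return seq(*parts, tlv(0x04, value_der))

SIG_ALG = seq(oid('1.2.840.113549.1.1.11'), tlv(0x05, b''))                    # sha256WithRSAEncryption
ISSUER = seq(tlv(0x31, seq(oid('2.5.4.3'), tlv(0x0C, b'Example Trusted CA'))))  # constructed CN
def build_crl(extensions):
    tbs = seq(tlv(0x02, b'\x01'),                # version v2, required when extensions are present
              SIG_ALG, ISSUER,
              tlv(0x17, b'141006000000Z'),       # thisUpdate (UTCTime)
              tlv(0x17, b'141106000000Z'),       # nextUpdate
              tlv(0xA0, seq(*extensions)))       # crlExtensions [0] EXPLICIT
    placeholder_sig = b'\x00' + bytes(32)        # unused-bits byte + dummy signature (not verifiable)
    return seq(tbs, SIG_ALG, tlv(0x03, placeholder_sig))

# --- minimal DER decoder ---
def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body
def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return '.'.join(map(str, arcs))
def crl_extensions(crl_der):
    """Return {oid: (critical, extnValue contents)} from the CRL's tbsCertList."""
    _, cert_list, _ = parse_tlv(crl_der)
    _, tbs, _ = parse_tlv(cert_list)
    exts = {}
    for tag, body in children(tbs):
        if tag == 0xA0:                                   # crlExtensions
            for _, ext in children(parse_tlv(body)[1]):
                fields = list(children(ext))
                critical = len(fields) == 3 and fields[1][1] == b'\xff'
                exts[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts
def idp_uri(idp_value):
    # IssuingDistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
    for tag, body in children(parse_tlv(idp_value)[1]):
        if tag == 0xA0:                                   # distributionPoint
            for t2, names in children(body):
                if t2 == 0xA0:                            # fullName: GeneralNames
                    for t3, gn in children(names):
                        if t3 == 0x86:                    # uniformResourceIdentifier [6]
                            return gn.decode('ascii')
    return None
def assess_crl_scope(crl_der):
    """A CRL is scope-limited only by a critical IDP; AKI is a lookup hint, not a scope."""
    exts = crl_extensions(crl_der)
    aki, idp = exts.get(OID_AKI), exts.get(OID_IDP)
    return {'has_aki': aki is not None,
            'has_idp': idp is not None,
            'idp_critical': bool(idp and idp[0]),
            'scoped': bool(idp and idp[0]),
            'idp_uri': idp_uri(idp[1]) if idp else None}

# --- constructed sample CRLs (issuer name and URI are placeholders) ---
AKI_VALUE = seq(tlv(0x80, bytes(range(20))))              # keyIdentifier [0] form, dummy key id
IDP_VALUE = seq(tlv(0xA0, tlv(0xA0, tlv(0x86, b'http://crl.example.test/ca-2013.crl'))))
CRL_AKI_ONLY = build_crl([extension(OID_AKI, False, AKI_VALUE)])
CRL_IDP_CRITICAL = build_crl([extension(OID_AKI, False, AKI_VALUE),
                              extension(OID_IDP, True, IDP_VALUE)])
CRL_IDP_NONCRITICAL = build_crl([extension(OID_AKI, False, AKI_VALUE),
                                 extension(OID_IDP, False, IDP_VALUE)])  # violates s. 5.2.5
```

Calling `assess_crl_scope(CRL_AKI_ONLY)` reports `has_aki` True but `scoped` False; only `CRL_IDP_CRITICAL` comes back `scoped` True together with its distribution-point URI. The third CRL carries an IDP that is not marked critical, and the checker deliberately reports it without treating it as a scope limit, since RFC 5280 requires a conforming issuer to mark the IDP critical and a relying party that does not process the extension would otherwise apply the CRL to every certificate from that issuer.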

