We studied RFC5280 and looked into it once again. As you noticed, GoDaddy issues 17 different CRLs, all signed with one certificate and the same key pair. It's a slightly different situation than the one we have. It looks like Mozilla and Internet Explorer deal properly with our CRLs without the IDP extension. When you try to connect to our test web page https://revoked.elektronicznypodpis.pl/, which has a revoked certificate, you get an error: sec_error_revoked_certificate. IE also finds our certificate revoked. For Mozilla, OCSP is the priority, as mentioned in the BR, so I'm not sure that IDP is absolutely needed in our CRLs.
Regards

From: Erwann Abalea <[email protected]>
To: [email protected]
Date: 2014-10-07 00:20
Subject: Re: Re: Re: KIR S.A. Root Inclusion Request
Sent by: "dev-security-policy" <dev-security-policy-bounces+certificates=kir.com...@lists.mozilla.org>

Good evening,

On Monday 6 October 2014 15:55:24 UTC+2, Certificates wrote:
> Thank you for your clarifications. We analysed it, and we added the Authority
> Key Identifier extension to our CRLs. As it is mentioned in s. 5.2.1 of RFC
> 5280, "this extension is especially useful where an issuer has more than
> one signing key, either due to multiple concurrent key pairs or due to
> changeover". We based the value of this extension on the issuer name and
> serial number. We checked that GoDaddy distinguishes CRLs in the same way.
> The CRL for the newer CA certificate is available now here:
> http://www.elektronicznypodpis.pl/crl/trusted_ca_2013.crl. The CRL for the
> older CA certificate will be available tomorrow.

Please read X.509 or RFC5280 again. AKI is not a way to limit the scope of the CRL. AKI is not to be set as a critical extension. AKI is only a helper so the RP can avoid guessing which key signed this object. The RP has absolutely no obligation to follow this helper. The ONLY RFC5280-compatible extension to reduce the scope of a CRL is the IssuingDistributionPoint. GoDaddy distinguishes the CRLs not by their AKI, but by the IssuingDistributionPoint extension, and this extension MUST be critical for its goal to be achieved.

BTW, the AKI extension of such partitioned CRLs at GoDaddy is identical on all the CRLs (I checked http://crl.godaddy.com/gds2-{1,...,17}.crl).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
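An added example, not code from this thread, from KIR or from GoDaddy: a small stdlib-only DER walker that lists a CRL's crlExtensions with their critical flags, so an operator or relying party can check the distinction made above, namely that only a critical IssuingDistributionPoint (2.5.29.28) limits a CRL's scope, while an AuthorityKeyIdentifier (2.5.29.35) is merely a hint. The two sample CRLs are constructed inline (hypothetical: empty issuer, no revoked entries, dummy signature) and stand in for a partitioned CRL and an AKI-only CRL; for a real file, pass its DER bytes to crl_extensions().

```python
IDP_OID, AKI_OID = b"\x55\x1d\x1c", b"\x55\x1d\x23"          # 2.5.29.28, 2.5.29.35
EXT_NAMES = {IDP_OID: "issuingDistributionPoint", AKI_OID: "authorityKeyIdentifier"}

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV nested inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def crl_extensions(crl_der):
    """Map the crlExtensions of a DER CertificateList to {name or OID hex: critical?}."""
    _, cert_list, _ = der_read(crl_der)               # CertificateList ::= SEQUENCE
    _, tbs, _ = der_read(cert_list)                   # tbsCertList is its first element
    found = {}
    for tag, field in der_children(tbs):
        if tag != 0xA0:                               # crlExtensions is [0] EXPLICIT
            continue
        _, exts, _ = der_read(field)                  # Extensions ::= SEQUENCE OF Extension
        for _, extension in der_children(exts):
            parts = list(der_children(extension))     # OID, [BOOLEAN critical], OCTET STRING
            oid = parts[0][1]
            critical = len(parts) == 3 and parts[1][1] == b"\xff"   # DER omits FALSE
            found[EXT_NAMES.get(oid, oid.hex())] = critical
    return found

def crl_scope_is_limited(crl_der):
    """Only a critical IDP limits a CRL's scope (RFC 5280 s. 5.2.5); an AKI never does."""
    return crl_extensions(crl_der).get("issuingDistributionPoint") is True

# --- constructed sample CRLs (hypothetical), built with a minimal short-form DER encoder ---
def tlv(tag, body):                                   # bodies here are all < 128 bytes
    return bytes([tag, len(body)]) + body

def ext(oid, critical, value):                        # Extension ::= SEQUENCE
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + flag + tlv(0x04, value))

def sample_crl(extensions):                           # v2 CRL: empty issuer, dummy signature
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
              + tlv(0x17, b"141007000000Z") + tlv(0xA0, tlv(0x30, extensions)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

PARTITIONED = sample_crl(ext(IDP_OID, True, tlv(0x30, b"")) + ext(AKI_OID, False, tlv(0x30, b"")))
AKI_ONLY = sample_crl(ext(AKI_OID, False, tlv(0x30, b"")))   # nothing signals a limited scope
```

PARTITIONED mirrors the GoDaddy layout (critical IDP plus a non-critical AKI); AKI_ONLY is what a relying party sees when only the AKI is present.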

