These are two different root CAs, which issued two different CRLs. The two CAs haven't revoked any certificate, so both CRLs should have the same value, zero.
Thanks.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Martin Rublik
Sent: Tuesday, June 30, 2015 2:29 PM
To: [email protected]
Subject: Re: WoSign Root Renewal Request

On 30. 6. 2015 3:00, Richard Wang wrote:
> Many thanks for your question.
> These two roots are new root CAs that have only issued one test SSL for a test site;
> no certificate has been revoked until now, so the CRL number is 0. If we revoke
> one certificate someday, it will increase to 1, and so on.
> Please check the working root CRL: http://crls1.wosign.com/ca1-server-4.crl,
> its number is 1E, so you can count that the revoked certificates are 30.
>
> Best Regards,
>
> Richard

I might be wrong here, but I think this violates RFC 5280. Citing https://www.ietf.org/rfc/rfc5280.txt section 5.2.3. CRL Number:

   If a CRL issuer generates two CRLs (two complete CRLs, two delta CRLs, or a complete CRL and a delta CRL) for the same scope at different times, the two CRLs MUST NOT have the same CRL number. That is, if the this update field (Section 5.1.2.4) in the two CRLs are not identical, the CRL numbers MUST be different.

Please note that the CRL I downloaded today, http://crls8.wosign.com/ca8-ssl4.crl, has this update set to June 30th (different from June 29th).

Martin

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
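The RFC 5280 section 5.2.3 rule cited in the thread can be checked mechanically. The Go program below is an added example, not part of the original messages and not WoSign's or Mozilla's code: it parses two CRLs and flags the case where thisUpdate differs but the CRL number is the same. It assumes "same scope" can be approximated by "same issuer name", does not verify signatures, and uses constructed sample CRLs from a throwaway issuer; the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ReusedCRLNumber reports whether two DER-encoded CRLs from one issuer have
// different thisUpdate values but the same CRL number (RFC 5280, 5.2.3).
func ReusedCRLNumber(derA, derB []byte) (bool, error) {
	a, errA := x509.ParseRevocationList(derA)
	b, errB := x509.ParseRevocationList(derB)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("parse CRLs: %v, %v", errA, errB)
	}
	if !bytes.Equal(a.RawIssuer, b.RawIssuer) || a.Number == nil || b.Number == nil {
		return false, fmt.Errorf("not comparable: different issuer or missing CRL number")
	}
	return !a.ThisUpdate.Equal(b.ThisUpdate) && a.Number.Cmp(b.Number) == 0, nil
}

// SampleCRL builds constructed test data: an empty CRL numbered n with
// thisUpdate on the given day of June 2015, signed by a throwaway key.
func SampleCRL(n int64, day int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test Root"},
		KeyUsage: x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	t := time.Date(2015, time.June, day, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.RevocationList{Number: big.NewInt(n), ThisUpdate: t, NextUpdate: t.AddDate(0, 0, 7)}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

func main() {
	day29, _ := SampleCRL(0, 29) // both numbered 0, as in the thread
	day30, _ := SampleCRL(0, 30)
	fmt.Println(ReusedCRLNumber(day29, day30))
}
```

To apply the check to real CRLs, pass the DER bytes of two downloads of the same CRL URL taken at different times to `ReusedCRLNumber`.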

