Hi Richard,

You seem to be saying that the CRL number always matches the number of times you've revoked a certificate. This is not the case. Each time the CRL is updated, even when the list of revoked certificates is the same, you should update the CRL number. That is, if you generate the CRL once a day, the CRL number should be incremented once a day.


Kurt

On 2015-06-30 09:49, Richard Wang wrote:
These are two different root CAs that issued two different CRLs; the two CAs don't
revoke any certificate, so both CRLs should have the same value of zero.

Thanks.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy
[mailto:[email protected]] On
Behalf Of Martin Rublik
Sent: Tuesday, June 30, 2015 2:29 PM
To: [email protected]
Subject: Re: WoSign Root Renewal Request

On 30. 6. 2015 3:00, Richard Wang wrote:
Many thanks for your question.
These two roots are new root CAs that only issued one test SSL certificate for a test site;
no certificate has been revoked till now, so the CRL number is 0. If we revoke
one certificate someday, it will increase to 1, and so on.
Please check the working root CRL: http://crls1.wosign.com/ca1-server-4.crl,
its number is 1E, and you can count that there are 30 revoked certificates.

Best Regards,

Richard

I might be wrong here, but I think this violates RFC 5280. Citing
https://www.ietf.org/rfc/rfc5280.txt section 5.2.3.  CRL Number:

If a CRL issuer generates two CRLs (two complete CRLs, two delta CRLs, or a
complete CRL and a delta CRL) for the same scope at different times, the two
CRLs MUST NOT have the same CRL number.
That is, if the this update field (Section 5.1.2.4) in the two CRLs are not
identical, the CRL numbers MUST be different.

Please note that the CRL I downloaded today, http://crls8.wosign.com/ca8-ssl4.crl,
has this update set to June 30th (different from June 29th).

Martin



_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
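The RFC 5280 section 5.2.3 rule Martin quotes, turned into a check that runs over a sequence of DER CRLs. This is an added example, not code from the thread, from WoSign or from Mozilla. It uses only the Python standard library: a minimal DER reader pulls thisUpdate, the cRLNumber extension and the revoked-entry count out of a CRL, and a minimal DER writer builds constructed sample CRLs (placeholder signature, made-up issuer "Example CA", made-up serial 0x1001) to exercise the check. The first sample sequence reproduces the pattern described in the thread (CRL number equal to the revocation count while thisUpdate moves forward daily); the second increments the number on every issuance.

```python
"""RFC 5280 section 5.2.3 CRL Number check over a sequence of DER CRLs.
Added example, not code from the thread, WoSign or Mozilla. Standard library
only: a minimal DER reader/writer, with constructed sample CRLs (placeholder
signature, made-up issuer "Example CA") to exercise the check."""
import datetime as dt

CRL_NUMBER_OID = bytes.fromhex("0603551d14")  # OID TLV 2.5.29.20 (cRLNumber)
SHA256_RSA_ALG = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):  # spare sign bit keeps the encoding non-negative
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_crl(this_update, revoked_serials, crl_number):
    """Constructed sample CRL: v2, CN-only issuer, cRLNumber ext, dummy signature."""
    sig_alg = der_seq(SHA256_RSA_ALG, tlv(0x05, b""))
    issuer = der_seq(tlv(0x31, der_seq(bytes.fromhex("0603550403"), tlv(0x0C, b"Example CA"))))
    tbs = [der_int(1), sig_alg, issuer, der_utctime(this_update),
           der_utctime(this_update + dt.timedelta(days=1))]
    if revoked_serials:  # revokedCertificates is absent when nothing is revoked
        tbs.append(der_seq(*[der_seq(der_int(s), der_utctime(this_update)) for s in revoked_serials]))
    ext = der_seq(CRL_NUMBER_OID, tlv(0x04, der_int(crl_number)))
    tbs.append(tlv(0xA0, der_seq(ext)))  # [0] EXPLICIT Extensions
    return der_seq(der_seq(*tbs), sig_alg, tlv(0x03, b"\x00" * 33))  # BIT STRING placeholder

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def elements(body):  # children of a constructed value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(der):
    """Return (thisUpdate, crlNumber or None, revoked entry count) from a DER CRL."""
    fields = elements(elements(read_tlv(der)[1])[0][1])  # CertificateList -> tbsCertList
    i = (1 if fields[0][0] == 0x02 else 0) + 2  # skip optional version, signature, issuer
    this_update, i = parse_time(*fields[i]), i + 1
    if i < len(fields) and fields[i][0] in (0x17, 0x18):  # optional nextUpdate
        i += 1
    revoked = 0
    if i < len(fields) and fields[i][0] == 0x30:  # optional revokedCertificates
        revoked, i = len(elements(fields[i][1])), i + 1
    crl_number = None
    if i < len(fields) and fields[i][0] == 0xA0:  # [0] crlExtensions
        for _, ext in elements(elements(fields[i][1])[0][1]):
            parts = elements(ext)  # extnID, optional critical, extnValue
            if parts[0] == (0x06, CRL_NUMBER_OID[2:]):
                crl_number = int.from_bytes(read_tlv(parts[-1][1])[1], "big", signed=True)
    return this_update, crl_number, revoked

def check_crl_numbers(crls):
    """Apply 5.2.3 to CRLs of one issuer and scope, oldest first; [] means compliant."""
    findings, parsed = [], [parse_crl(c) for c in crls]
    for k, (_, number, _) in enumerate(parsed):
        if number is None:
            findings.append(f"CRL #{k}: no cRLNumber extension (conforming issuers MUST include it)")
    for k in range(1, len(parsed)):
        (t_prev, n_prev, _), (t_cur, n_cur, _) = parsed[k - 1], parsed[k]
        if None in (n_prev, n_cur) or (t_cur == t_prev and n_cur == n_prev):
            continue  # already reported, or the same CRL served twice
        if n_cur == n_prev:
            findings.append(f"CRL #{k}: thisUpdate moved {t_prev:%Y-%m-%d} -> {t_cur:%Y-%m-%d} "
                            f"but CRL number stayed {n_cur} (MUST differ)")
        elif n_cur < n_prev:
            findings.append(f"CRL #{k}: CRL number went backwards ({n_prev} -> {n_cur})")
    return findings

DAY1 = dt.datetime(2015, 6, 29, tzinfo=dt.timezone.utc)
DAY2, DAY3 = DAY1 + dt.timedelta(days=1), DAY1 + dt.timedelta(days=2)
# Pattern described in the thread: number equals the revocation count, CRL reissued daily.
COUNT_PATTERN = [build_crl(DAY1, [], 0), build_crl(DAY2, [], 0), build_crl(DAY3, [0x1001], 1)]
# Compliant: the number advances on every issuance whether or not the list changed.
COMPLIANT = [build_crl(DAY1, [], 1), build_crl(DAY2, [], 2), build_crl(DAY3, [0x1001], 3)]
```

`check_crl_numbers(COUNT_PATTERN)` returns one finding for the second CRL (thisUpdate moved from June 29 to June 30 while the number stayed 0); `check_crl_numbers(COMPLIANT)` returns an empty list. To run it against real CRLs, read the DER files (PEM can be converted with `openssl crl -inform PEM -outform DER`) and pass them oldest first. The reader walks only the tbsCertList fields the check needs and does not verify the signature, so verify the CRLs separately before trusting their contents.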

