On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie <b...@google.com> wrote:
> On 25 June 2016 at 00:56, Rob Stradling <rob.stradl...@comodo.com> wrote:
>> On 24/06/16 14:38, Rob Stradling wrote:
>>>
>>> I've just updated https://crt.sh/mozilla-disclosures.
>>>
>>> There's now a separate grouping for undisclosed intermediates for which
>>> all observed paths to a trusted root have been "revoked".
>>>
>>> A path is considered to be "revoked" if at least one intermediate in the
>>> path has been 1) disclosed to Salesforce AND 2) marked as Revoked in
>>> Salesforce and/or OneCRL.
>
> I am curious how this is supposed to work. The issuer is identified by
> the Issuer DN. Revoked certificates are identified by serial number
> (in CRLs). So ... how is an intermediate ever revoked, in reality?

It is not the CA that is revoked, it is the path from the trust anchor
to the CA that is revoked.  The Mozilla requirement is not disclosure
of Issuers, it is the disclosure of CA certificates. Given this,
revocation is a reasonable check.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
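The distinction Peter draws, modelled as an added Python example (not code from the thread, from crt.sh, or from Mozilla): a CRL or OneCRL entry names a specific CA certificate by (issuer DN, serial number), never the issuer name on its own, so a cross-signed CA can have one path from a trusted root revoked while another stays live. The "all observed paths revoked" grouping therefore has to enumerate every path and apply the disclosed-AND-revoked test to each. The hierarchy, serials, disclosure and revocation sets below are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A CA certificate is named by (issuer DN, serial number): the pair a CRL
# entry carries.  An issuer DN alone names a CA, not any one certificate.
CertId = Tuple[str, str]


@dataclass(frozen=True)
class CaCert:
    subject: str
    issuer: str
    serial: str

    @property
    def cert_id(self) -> CertId:
        return (self.issuer, self.serial)


def build_paths(leaf: CaCert, certs: List[CaCert], roots: Set[str]) -> List[List[CaCert]]:
    """Return every observed path from `leaf` up to a trusted root subject.

    Each path lists the certificates from `leaf` to the one issued directly
    by a root.  A cross-signed CA (one subject, several issuer certificates)
    yields one path per issuer certificate."""
    by_subject: Dict[str, List[CaCert]] = {}
    for cert in certs:
        by_subject.setdefault(cert.subject, []).append(cert)

    paths: List[List[CaCert]] = []

    def walk(cert: CaCert, chain: List[CaCert], seen: Set[CertId]) -> None:
        if cert.issuer in roots:
            paths.append(chain)
            return
        for parent in by_subject.get(cert.issuer, []):
            if parent.cert_id in seen:  # guard against cross-sign loops
                continue
            walk(parent, chain + [parent], seen | {parent.cert_id})

    walk(leaf, [leaf], {leaf.cert_id})
    return paths


def path_revoked(path: List[CaCert], disclosed: Set[CertId], revoked: Set[CertId]) -> bool:
    """A path counts as revoked only if some certificate in it is BOTH disclosed
    and marked revoked; an undisclosed certificate has no record to check."""
    return any(c.cert_id in disclosed and c.cert_id in revoked for c in path)


def all_paths_revoked(leaf: CaCert, certs: List[CaCert], roots: Set[str],
                      disclosed: Set[CertId], revoked: Set[CertId]) -> bool:
    """True when the leaf has at least one observed path and every path is revoked."""
    paths = build_paths(leaf, certs, roots)
    return bool(paths) and all(path_revoked(p, disclosed, revoked) for p in paths)


# Constructed sample hierarchy: "Inter A" is cross-signed by two roots.
INTER_A_BY_R = CaCert("CN=Inter A", "CN=Root R", "01")
INTER_A_BY_S = CaCert("CN=Inter A", "CN=Root S", "77")
SUB_CA_X = CaCert("CN=Sub CA X", "CN=Inter A", "0a")  # the undisclosed intermediate
CERTS = [INTER_A_BY_R, INTER_A_BY_S, SUB_CA_X]

DISCLOSED = {INTER_A_BY_R.cert_id, INTER_A_BY_S.cert_id}
REVOKED = {INTER_A_BY_R.cert_id}  # Root R's CRL lists serial 01; Root S's does not


if __name__ == "__main__":
    both = {"CN=Root R", "CN=Root S"}
    # Revoking serial 01 under Root R does not touch the path via Root S.
    print(all_paths_revoked(SUB_CA_X, CERTS, both, DISCLOSED, REVOKED))            # False
    # With Root S untrusted, the only remaining path is the revoked one.
    print(all_paths_revoked(SUB_CA_X, CERTS, {"CN=Root R"}, DISCLOSED, REVOKED))  # True
```

The second call shows why the grouping depends on the trust store in use: the same revocation record covers every path only once the unrevoked cross-sign no longer leads to a trusted root.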