On 01/09/16 11:29, Peter Gutmann wrote:
> Rob Stradling <[email protected]> writes:
>
>> I guess it makes them easy to revoke, if a single revocation can kill 313
>> certs at once.
>
> That's true.
>
> Hey, WoSign has solved the CRL scalability problem!

If WoSign have discovered a way to know, at time of issuance, that a
cert will need to be revoked, then yes, yes they have. ;-)

It'd be impossible to revoke (via CRL and/or OCSP) a subset of those 313
certs though.

> I also get the feeling that a lot of PKI software won't handle the revocation
> properly, because they're expecting to revoke *the* certificate, not the
> certificate, and the other certificate, and that other one there too, and that
> one in the corner, and ... . In other words I'm assuming most code will treat
> serial numbers as unique and assume the revocation acted on when the first
> cert has been marked as invalid.

That could well be true.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
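The two failure modes discussed in the thread (a CRL entry necessarily hitting every cert that shares the serial, so no subset can be revoked, and relying-party code that assumes serials are unique and stops after the first match) can be made concrete with a small model. The following is an added example written for this page, not code from the thread, from WoSign, or from any real PKI library: the certificate and CRL structures, the issuer name, the serial value and the batch of 313 hostnames are all constructed, and the helper names are hypothetical. What it relies on is standard: RFC 5280 identifies a certificate within a CRL by serial number relative to the issuer (section 5.1.2.6), and requires the serial to be unique per issuer (section 4.1.2.2).

```python
"""Toy model of CRL revocation when a CA has reused one serial number.

Added example (not from the mailing-list thread or any real CA software).
Issuer name, serial value and the 313-cert batch are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuer DN, as a plain string for the model
    serial: int
    subject: str  # distinguishes otherwise identical (issuer, serial) pairs


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: FrozenSet[int]  # RFC 5280 CRL entries carry only the serial


def make_batch(issuer: str, serial: int, n: int) -> List[Cert]:
    """Constructed batch of n certs that all share one serial number."""
    return [Cert(issuer, serial, f"host{i}.example") for i in range(n)]


def is_revoked(cert: Cert, crl: CRL) -> bool:
    """RFC 5280 lookup: same issuer and the serial appears in the CRL."""
    return cert.issuer == crl.issuer and cert.serial in crl.revoked_serials


def revoked_by_crl(certs: Iterable[Cert], crl: CRL) -> List[Cert]:
    """Every cert the CRL actually revokes. With a shared serial this is
    the whole batch: there is no CRL entry that names a subset of them."""
    return [c for c in certs if is_revoked(c, crl)]


def naive_revoke_first(certs: Iterable[Cert], issuer: str, serial: int) -> Dict[Cert, str]:
    """Models software that assumes serials are unique: it marks the first
    matching cert as revoked and stops, leaving the rest marked good."""
    status = {c: "good" for c in certs}
    for c in status:
        if c.issuer == issuer and c.serial == serial:
            status[c] = "revoked"
            break  # the bug: a unique serial would make this break harmless
    return status


def count_by_status(status: Dict[Cert, str]) -> Tuple[int, int]:
    """(revoked, good) counts from a status map."""
    revoked = sum(1 for s in status.values() if s == "revoked")
    return revoked, len(status) - revoked


def serial_is_unique(existing: Iterable[Cert], candidate: Cert) -> bool:
    """Issuance-side check a CA should run before signing: RFC 5280 4.1.2.2
    requires (issuer, serial) to be unique, which is what prevents the
    situation above from arising in the first place."""
    seen = {(c.issuer, c.serial) for c in existing}
    return (candidate.issuer, candidate.serial) not in seen


if __name__ == "__main__":
    issuer = "CN=Constructed Example CA"   # constructed issuer name
    batch = make_batch(issuer, 0x1234, 313)
    crl = CRL(issuer, frozenset({0x1234}))
    print("CRL revokes", len(revoked_by_crl(batch, crl)), "of", len(batch))
    print("naive handler marks revoked/good:",
          count_by_status(naive_revoke_first(batch, issuer, 0x1234)))
    print("second cert with the same serial passes issuance check:",
          serial_is_unique(batch[:1], batch[1]))
```

Run as a script it reports that the single CRL entry revokes all 313 certs, that the first-match handler marks one revoked and 312 good, and that the issuance-side uniqueness check rejects the second cert of the batch. The useful operational takeaways are the last two: relying-party code that keys revocation state on serial alone should treat a CRL hit as applying to every matching cert rather than breaking out of the loop, and a CA's uniqueness check at issuance is the only place a shared serial can actually be prevented.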