On Thu, Sep 1, 2016 at 6:35 AM, Rob Stradling <[email protected]>
wrote:

> On 01/09/16 11:29, Peter Gutmann wrote:
>
>> Rob Stradling <[email protected]> writes:
>>
>>>> I guess it makes them easy to revoke, if a single revocation can kill 313
>>>> certs at once.
>>>>
>>>
>>> That's true.
>>>
>>
>> Hey, WoSign has solved the CRL scalability problem!
>>
>
> If WoSign have discovered a way to know, at time of issuance, that a cert
> will need to be revoked, then yes, yes they have.  ;-)
>
>>> It'd be impossible to revoke (via CRL and/or OCSP) a subset of those 313
>>> certs though.
>>>
>>
>> I also get the feeling that a lot of PKI software won't handle the revocation
>> properly, because they're expecting to revoke *the* certificate, not the
>> certificate, and the other certificate, and that other one there too, and that
>> one in the corner, and ... .  In other words I'm assuming most code will treat
>> serial numbers as unique and assume the revocation acted on when the first
>> cert has been marked as invalid.
>>
>
> That could well be true.


In practice, I would actually expect this not to be an issue.  Typically,
your PKI stack is looking at whether a single certificate has been revoked,
in which case it will never know about all the others.

--Richard
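An added illustration of the point the thread is making (example code written for this page, not code from the thread or from any CA's systems): a constructed CA built with Go's standard library issues three end-entity certificates that share one serial number, then signs a CRL with a single entry. A client checking the one certificate in front of it matches by serial, so all three come back revoked and there is no CRL entry that could name just one of them. Assumes Go 1.18 or later; the CA name, host names and serial values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the demo short; real code would return the error instead of panicking.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueAndRevoke builds a constructed self-signed CA, issues one end-entity cert per name, all
// with the SAME serial number (the library does not object), then signs a CRL carrying a single
// entry for that serial. A CRL entry is keyed by serial number only: no subject, no key.
func IssueAndRevoke(serial int64, names []string) ([]*x509.Certificate, *x509.RevocationList) {
	now, valid := time.Now(), 24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA (constructed)"},
		NotBefore: now, NotAfter: now.Add(valid), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca := must(x509.ParseCertificate(caDER)) // parsed copy carries the SubjectKeyId that CRL signing requires
	var certs []*x509.Certificate
	for _, cn := range names {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(valid)}
		der := must(x509.CreateCertificate(rand.Reader, leaf, ca, &k.PublicKey, caKey))
		certs = append(certs, must(x509.ParseCertificate(der)))
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}}}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return certs, must(x509.ParseRevocationList(crlDER))
}

// IsRevoked is the lookup a typical client does for the one cert it holds: match its serial against
// the CRL. With a shared serial, every one of the certs gets the same answer from the same entry.
func IsRevoked(c *x509.Certificate, crl *x509.RevocationList) bool {
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return true
		}
	}
	return false
}
```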
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy