On 09/01/2016 01:29 PM, Peter Gutmann wrote:
> I also get the feeling that a lot of PKI software won't handle the revocation
> properly, because they're expecting to revoke *the* certificate, not the
> certificate, and the other certificate, and that other one there too, and that
> one in the corner, and ... .  In other words I'm assuming most code will treat
> serial numbers as unique and assume the revocation acted on when the first
> cert has been marked as invalid.

From my experience, once one of the certificates has been revoked, it's basically for all of them with the same serial and issuer. At the PKI all certificates with the same serial must be revoked however to get a unique serial order.

--
Regards
Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
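
Added example, not part of the original message or of any CA's software: a CRL names a revoked certificate only by serial number under its issuer, so this sketch compares a CA-side status table that stops at the first matching record with one that marks every certificate sharing the serial. All records, fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed issuance records: two certificates share serial 0x1A2B under one issuer.
ISSUED = [
    {"fp": "aa01", "issuer": "CN=Example CA", "serial": 0x1A2B, "subject": "CN=a.example"},
    {"fp": "bb02", "issuer": "CN=Example CA", "serial": 0x1A2B, "subject": "CN=b.example"},
    {"fp": "cc03", "issuer": "CN=Example CA", "serial": 0x1A2C, "subject": "CN=c.example"},
]

def new_db():
    """CA-side status table keyed by certificate fingerprint (hypothetical layout)."""
    return {c["fp"]: dict(c, revoked=False) for c in ISSUED}

def duplicate_serials(db):
    """Return {(issuer, serial): [fingerprints]} for every serial used more than once."""
    groups = defaultdict(list)
    for fp, c in db.items():
        groups[(c["issuer"], c["serial"])].append(fp)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def revoke_first_match(db, issuer, serial):
    """Models software that treats the serial as unique: stops at the first hit."""
    for c in db.values():
        if (c["issuer"], c["serial"]) == (issuer, serial):
            c["revoked"] = True
            return 1
    return 0

def revoke_all_matching(db, issuer, serial):
    """Marks every certificate sharing the (issuer, serial) pair."""
    hits = [c for c in db.values() if (c["issuer"], c["serial"]) == (issuer, serial)]
    for c in hits:
        c["revoked"] = True
    return len(hits)

def crl_entries(db):
    """A CRL identifies revoked certificates by serial number under its issuer."""
    return {(c["issuer"], c["serial"]) for c in db.values() if c["revoked"]}

def status_mismatches(db):
    """Certificates a relying party rejects via the CRL while the CA table says valid."""
    crl = crl_entries(db)
    return sorted(fp for fp, c in db.items()
                  if (c["issuer"], c["serial"]) in crl and not c["revoked"])
```

Running `duplicate_serials` over the issuance table before any revocation shows which serials need the all-matching treatment; a non-empty `status_mismatches` result means the CA's own records disagree with what the published CRL tells relying parties.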
