On 09/01/2016 01:29 PM, Peter Gutmann wrote:
> I also get the feeling that a lot of PKI software won't handle the revocation properly, because they're expecting to revoke *the* certificate, not the certificate, and the other certificate, and that other one there too, and that one in the corner, and ... . In other words I'm assuming most code will treat serial numbers as unique and assume the revocation acted on when the first cert has been marked as invalid.
From my experience, once one of the certificates has been revoked, it's basically for all of them with the same serial and issuer. At the PKI, all certificates with the same serial must be revoked, however, to get a unique serial order.
--
Regards

Signer: Eddy Nigg, Founder StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org <xmpp:start...@startcom.org>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
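The two points made above (a CRL entry carries only the serial, so relying parties reject every duplicate once one is revoked, while CA-side bookkeeping that assumes unique serials stops after the first hit) can be shown with a small model. This is an added illustration, not code from the thread or from any CA; the `CaRegistry` class, its method names and the constructed certificates are assumptions for the example.

```python
"""Model of revocation bookkeeping when several certificates share one serial.

Added example, not code from the mailing-list thread. The registry, method
names and sample certificates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Cert:
    issuer: str
    serial: int
    subject: str
    revoked: bool = False  # the CA's own view of this certificate


@dataclass
class CaRegistry:
    """CA-side record of issued certificates (assumed structure)."""
    certs: List[Cert] = field(default_factory=list)

    def issue(self, issuer: str, serial: int, subject: str) -> Cert:
        cert = Cert(issuer, serial, subject)
        self.certs.append(cert)
        return cert

    def revoke_first_match(self, issuer: str, serial: int) -> int:
        """Naive revocation: assumes (issuer, serial) is unique and stops
        at the first hit. Returns the number of records marked revoked."""
        for cert in self.certs:
            if cert.issuer == issuer and cert.serial == serial:
                cert.revoked = True
                return 1
        return 0

    def revoke_all_matches(self, issuer: str, serial: int) -> int:
        """Correct revocation for duplicate serials: mark every certificate
        carrying this (issuer, serial) pair. Returns how many were newly marked."""
        count = 0
        for cert in self.certs:
            if cert.issuer == issuer and cert.serial == serial and not cert.revoked:
                cert.revoked = True
                count += 1
        return count

    def crl(self, issuer: str) -> Set[int]:
        """A CRL lists revoked serials only, so duplicates collapse to one entry."""
        return {c.serial for c in self.certs if c.issuer == issuer and c.revoked}


def relying_party_rejects(cert: Cert, crl: Set[int]) -> bool:
    """A relying party can only compare the serial against the issuer's CRL."""
    return cert.serial in crl


def inconsistent_records(reg: CaRegistry, issuer: str) -> List[str]:
    """Subjects the CA still records as valid although relying parties
    already reject them because a sibling with the same serial is on the CRL."""
    crl = reg.crl(issuer)
    return [c.subject for c in reg.certs
            if c.issuer == issuer and not c.revoked and relying_party_rejects(c, crl)]


def demo() -> dict:
    """Walk through the duplicate-serial scenario and return the observations."""
    reg = CaRegistry()
    # Constructed sample: two certificates accidentally share serial 1000.
    reg.issue("Example CA", 1000, "a.example.test")
    reg.issue("Example CA", 1000, "b.example.test")
    reg.issue("Example CA", 1001, "c.example.test")

    naive_marked = reg.revoke_first_match("Example CA", 1000)
    crl = reg.crl("Example CA")
    stranded = inconsistent_records(reg, "Example CA")
    # Fix-up: revoke every remaining duplicate so CA state matches the CRL.
    fixed_marked = reg.revoke_all_matches("Example CA", 1000)
    return {
        "naive_marked": naive_marked,
        "crl_entries": sorted(crl),
        "b_rejected_by_relying_party": relying_party_rejects(reg.certs[1], crl),
        "stranded_after_naive_revoke": stranded,
        "fixed_marked": fixed_marked,
        "stranded_after_fix": inconsistent_records(reg, "Example CA"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `inconsistent_records` check is the practical takeaway for a CA operator: after any revocation, list certificates the CA still treats as valid but whose serial already appears on the issuer's CRL, and revoke them so the two views agree.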