On 23/09/16 17:15, Jakob Bohm wrote:
> Mechanisms such as OneCRL tend to be horribly incomplete. Just in the
> past few months there has been repeated mention on this list of revoked
> certificates that were not on OneCRL, only on the CA CRLs.

OneCRL is not intended to be a comprehensive list of all revoked certificates in the world. The focus is on revoked intermediates, plus also perhaps some high-profile misissuances of end-entity certificates. So the ".sb" certificate, for example, probably won't be added to OneCRL because the person who has the private key came to tell us about it rather than attempting to misuse it, and it's not at all clear how it could be meaningfully misused anyway.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

