在 2016年10月16日星期日 UTC+8下午3:59:13,Adrian R.写道: > Hello > > i read in the news (but not here on m.d.s.p) that a few days ago Globalsign > revoked one of their intermediary roots and then un-revoked it (well, the > revocation is accidental, but it was still a properly announced revocation, > via signed CRL and OCSP). > > http://www.theregister.co.uk/2016/10/15/globalsign_incident_report/ > > They rolled back the revocation, but i thought that the BRs explicitly forbid > that a suspended/revoked certificate be un-suspended/un-revoked. > > https://www.globalsign.com/en/customer-revocation-error/ > > is this revival/un-revocation of an intermediary CA allowed by the BRs? > > ~~~~ > Adrian R. > > (p.s. can we call this revived certificate a zombie? :) ) > > > > > > (off-topic note: sigh, was intending not to post here again because news > relay servers that strip DKIM signatures will generate a lot of DMARC failure > reports for rejected messages. oh well.)
It's said that OCSP servers are responsible for this. Not a intented revocation. Don't sure, but I would see someone can explain this. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
