On Sun, Oct 16, 2016 at 05:13:54PM +0200, Kurt Roeckx wrote:
> On Sun, Oct 16, 2016 at 07:38:29AM -0700, Nick Lamb wrote:
> > On Sunday, 16 October 2016 08:59:13 UTC+1, Adrian R.  wrote:
> > > They rolled back the revocation, but i thought that the BRs explicitly 
> > > forbid that a suspended/revoked certificate be un-suspended/un-revoked.
> > 
> > I don't know whether the exact text permits this, but it seems from a 
> > common sense point of view that what happened here wasn't a revoked 
> > certificate being unrevoked, but instead a technical fault resulted in the 
> > creation of Bad OCSP responses for a period of time by mistake for 
> > certificates GlobalSign never actually revoked.
> As far as I understood things, it was also in the CRL.

Yes, it was in the CRL for the root that issued the cross-signed cert, which
is entirely proper.  The problem, I surmise, is that the CRLs for multiple
CAs were munged into a single database for the OCSP infrastructure, and it
didn't account for two certs with the same serial (and public key, and subject,
and etc etc) but from different issuers appearing at the same time, and
published erroneous OCSP responses.  I don't feel that fixing the OCSP
responder to publish correct OCSP responses is a BR violation.

- Matt

dev-security-policy mailing list

Reply via email to