On 16/10/2016 09:59, Adrian R. wrote:

I read in the news (but not here on m.d.s.p) that a few days ago GlobalSign
revoked one of their intermediary roots and then un-revoked it (well, the 
revocation is accidental, but it was still a properly announced revocation, via 
signed CRL and OCSP).


They rolled back the revocation, but I thought that the BRs explicitly forbid
that a suspended/revoked certificate be un-suspended/un-revoked.


Is this revival/un-revocation of an intermediary CA allowed by the BRs?

I have just read that page, and find it utterly confusing and badly
written.  Lots of formal tone of voice, but no precision or clarity.

What I would have expected was a much clearer statement (on the page, not in some linked document) as to:

1. Which Intermediary CA certificates were affected (because
  certificate holders cannot see the cache state affecting relying
  parties, we need to check our certificates against something
  specific to see if we are affected).

2. If this affects all AlphaSSL and CloudSSL certificates or only some
  of them.

3. If this was an "exercise" (training/experimental etc.) or an actual
  operational decision.

4. If the revoked cross certificate was one of the cross certificates
  previously provided to certificate holders to allow us to make our
  servers compatible with older clients, and if so, which one.

5. If this was e-mailed to all potentially affected certificate
  holders, or just dumped in some public forums which certificate
  holders might not see in time to take necessary action.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list
