On 09/11/16 14:06, Jakob Bohm wrote:
> On 09/11/2016 14:26, Rob Stradling wrote:
>> ...
>> On 09/11/16 13:02, Gervase Markham wrote:
>>> ...
>>> I can't seem to
>>> use censys.io to work out why it thinks we trust it, because I thought
>>> that we didn't trust all of that stuff.
>>
>> Paths from this cert up to an NSS built-in root do exist, but they all
>> contain at least one expired or revoked intermediate.
>>
>> I'm guessing that Censys isn't considering the revocation status of
>> intermediates in the manner that crt.sh does.
>>
>> See here: https://crt.sh/?caid=373&opt=mozilladisclosure
>
> Did I hear rumors that some browsers don't check this either?

It's true that not all browsers support all revocation methods.

However, the context of Gerv's comment and my response was Mozilla browsers and the revocation methods that are supported by Mozilla browsers. Specifically, Gerv was wondering why Censys was declaring the FPKI to be trusted by Mozilla when we know that the FPKI has in fact been distrusted by Mozilla via OneCRL.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
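The discrepancy discussed in this thread, as an added example that is not part of the original message and is not Censys, crt.sh or Mozilla code: a toy path builder over constructed certificates in which every chain to a built-in root contains an expired or revoked intermediate. All names, serials and dates are hypothetical, and keying the revocation set by issuer and serial is a simplification.

```python
from datetime import date

# Constructed sample data; every name, serial and date is hypothetical.
ROOTS = {"Builtin Root"}
TODAY = date(2016, 11, 9)
CERTS = [
    {"subject": "Target CA", "issuer": "Bridge CA", "serial": 1, "not_after": date(2020, 1, 1)},
    {"subject": "Bridge CA", "issuer": "Intermediate X", "serial": 2, "not_after": date(2020, 1, 1)},
    {"subject": "Bridge CA", "issuer": "Intermediate Y", "serial": 3, "not_after": date(2020, 1, 1)},
    # Cross-certificate that expired before TODAY.
    {"subject": "Intermediate X", "issuer": "Builtin Root", "serial": 4, "not_after": date(2015, 1, 1)},
    # Still inside its validity period, but listed as revoked below.
    {"subject": "Intermediate Y", "issuer": "Builtin Root", "serial": 5, "not_after": date(2020, 1, 1)},
]
# Simplified stand-in for a revocation list of intermediates: (issuer, serial).
REVOKED = {("Builtin Root", 5)}


def paths_to_root(subject, seen=frozenset()):
    """Yield every chain (list of certs, target first) from subject up to a root."""
    seen = seen | {subject}
    for cert in CERTS:
        if cert["subject"] != subject or cert["issuer"] in seen:
            continue  # wrong subject, or following it would loop
        if cert["issuer"] in ROOTS:
            yield [cert]
        else:
            for rest in paths_to_root(cert["issuer"], seen):
                yield [cert] + rest


def chain_problem(chain, check_revocation):
    """Return the first reason a chain is unusable, or None if it is usable."""
    for cert in chain:
        if cert["not_after"] < TODAY:
            return "expired: " + cert["subject"]
        if check_revocation and (cert["issuer"], cert["serial"]) in REVOKED:
            return "revoked: " + cert["subject"]
    return None


def is_trusted(subject, check_revocation):
    """Trusted if at least one chain to a root has no problem."""
    return any(chain_problem(c, check_revocation) is None
               for c in paths_to_root(subject))


if __name__ == "__main__":
    for mode in (False, True):
        print("check_revocation=%s -> trusted=%s" % (mode, is_trusted("Target CA", mode)))
        for chain in paths_to_root("Target CA"):
            print("  via", chain[-1]["subject"], "->", chain_problem(chain, mode) or "ok")
```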

