On 08/06/17 13:24, Kurt Roeckx via dev-security-policy wrote:
> On 2017-06-08 14:16, Rob Stradling wrote:
>> crt.sh collates revocation information from all known CRL Distribution
>> Point URLs for each CA. The CDP URLs listed at
>> https://crt.sh/?id=12729173 were observed in other certs issued by
>> the same CA:
Sorry, I meant to write "listed at https://crt.sh/?id=149444544".
This CA tends to put multiple CRL URLs in a single DistributionPoint,
rather than put each CRL URL in its own DistributionPoint. Most CAs do
the latter, but IINM the former is also valid (see ).
Currently, crt.sh only processes the first URL in each
DistributionPoint. (Bug at  - I'm treating it as GENERAL_NAME rather
than GENERAL_NAMES - I'll get that fixed).
http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl isn't the first CDP URL in
any DistributionPoint of any cert known to crt.sh, and so crt.sh hasn't
noticed that URL yet.
> But tries to use:
This is the first CDP URL in these two certs:
"If the DistributionPointName contains multiple values, each name
describes a different mechanism to obtain the same CRL. For example,
the same CRL could be available for retrieval through both LDAP and
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
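The structural point of the thread is that a DistributionPointName's fullName is a GeneralNames, i.e. a SEQUENCE OF GeneralName, so a single DistributionPoint may legitimately carry several CRL URLs, and a consumer that reads only one GeneralName per DistributionPoint silently drops the rest. The following is an added example, not crt.sh code and not part of the original messages: a dependency-free Python walk of a DER-encoded CRLDistributionPoints extension (RFC 5280, section 4.2.1.13) that returns every URI in every DistributionPoint, with a `first_only` switch that reproduces the one-name-per-DistributionPoint reading. All URLs in the sample data are constructed placeholders on example.com; the tag values are the standard DER encodings for this extension.

```python
"""Enumerate every CRL URL in a CRLDistributionPoints extension (RFC 5280 s4.2.1.13).

CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL,
                                     reasons [1] ..., cRLIssuer [2] ... }
DistributionPointName ::= CHOICE { fullName [0] GeneralNames,
                                   nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
GeneralNames          ::= SEQUENCE OF GeneralName    -- several names per DP are legal
GeneralName           ::= ... uniformResourceIdentifier [6] IA5String ...
"""

TAG_SEQUENCE = 0x30
TAG_CTX0_CONS = 0xA0   # [0] constructed: distributionPoint, and the fullName CHOICE arm inside it
TAG_GN_URI = 0x86      # GeneralName uniformResourceIdentifier [6], primitive IA5String


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def build_crldp(dps):
    """Encode a CRLDistributionPoints value from a list of DistributionPoints,
    each given as the list of URI strings that go into its fullName GeneralNames."""
    encoded = []
    for uris in dps:
        general_names = b"".join(_tlv(TAG_GN_URI, u.encode("ascii")) for u in uris)
        full_name = _tlv(TAG_CTX0_CONS, general_names)   # fullName [0] GeneralNames
        dp_name = _tlv(TAG_CTX0_CONS, full_name)         # distributionPoint [0] DistributionPointName
        encoded.append(_tlv(TAG_SEQUENCE, dp_name))      # DistributionPoint
    return _tlv(TAG_SEQUENCE, b"".join(encoded))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; raise on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def crl_urls(der: bytes, first_only: bool = False):
    """Return one list of URIs per DistributionPoint.

    first_only=True mimics reading fullName as a single GeneralName instead of
    GeneralNames: only the first name of each DistributionPoint is considered.
    """
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    result = []
    for dp_tag, dp in _children(seq):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        uris = []
        for field_tag, field in _children(dp):
            if field_tag != TAG_CTX0_CONS:        # reasons [1] / cRLIssuer [2]: no DP name
                continue
            for arm_tag, names in _children(field):
                if arm_tag != TAG_CTX0_CONS:      # nameRelativeToCRLIssuer [1]: no URI
                    continue
                for gn_tag, gn in _children(names):
                    if gn_tag == TAG_GN_URI:      # other GeneralName forms are skipped
                        uris.append(gn.decode("ascii"))
                    if first_only:
                        break
        result.append(uris)
    return result


# Constructed sample data (placeholder URLs, not real CA data): one issuer lists
# three URLs inside a single DistributionPoint, the other uses one URL per DP.
SINGLE_DP_MANY_URLS = build_crldp([[
    "ldap://ldap.example.com/CN=ARL,O=Example?authorityRevocationList",
    "http://www.example.com/crls/ARL1.crl",
    "http://www.example.com/crls/ARL2.crl",
]])
ONE_URL_PER_DP = build_crldp([
    ["http://crl1.example.com/ca.crl"],
    ["http://crl2.example.com/ca.crl"],
])

if __name__ == "__main__":
    print("all names:  ", crl_urls(SINGLE_DP_MANY_URLS))
    print("first only: ", crl_urls(SINGLE_DP_MANY_URLS, first_only=True))
    print("one per DP: ", crl_urls(ONE_URL_PER_DP, first_only=True))
```

Run stand-alone, the first call returns all three URLs, the `first_only` call returns only the LDAP URL (the HTTP CRLs in the same DistributionPoint are lost, which is the failure mode discussed above), while the one-URL-per-DistributionPoint layout is unaffected either way. The same walk applies to the ARL in a CA certificate, since both use the identical extension syntax.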