On 08/06/17 13:24, Kurt Roeckx via dev-security-policy wrote:
On 2017-06-08 14:16, Rob Stradling wrote:
crt.sh collates revocation information from all known CRL Distribution Point URLs for each CA. The CDP URLs listed at https://crt.sh/?id=12729173 were observed in other certs issued by the same CA:

Sorry, I meant to write "listed at https://crt.sh/?id=149444544".

That shows:
http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl

This CA tends to put multiple CRL URLs in a single DistributionPoint, rather than put each CRL URL in its own DistributionPoint. Most CAs do the latter, but IINM the former is also valid (see [1]).

Currently, crt.sh only processes the first URL in each DistributionPoint. (Bug at [2] - I'm treating it as GENERAL_NAME rather than GENERAL_NAMES - I'll get that fixed).

http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl isn't the first CDP URL in any DistributionPoint of any cert known to crt.sh, and so crt.sh hasn't noticed that URL yet.

But tries to use:
http://www.cert.fnmt.es.testa.eu/crls/ARLFNMTRCMEU.crl

This is the first CDP URL in these two certs:
https://crt.sh/?id=50915068
https://crt.sh/?id=50915069


[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.13
  "If the DistributionPointName contains multiple values, each name
   describes a different mechanism to obtain the same CRL.  For example,
   the same CRL could be available for retrieval through both LDAP and
   HTTP."

[2] https://github.com/crtsh/libx509pq/blob/master/x509pq.c#L2513

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
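The following is an added worked example, not part of the thread and not crt.sh or libx509pq code. It shows, at the DER level, the difference Rob describes: a DistributionPoint whose fullName is a GeneralNames SEQUENCE carrying several URLs, versus one URL per DistributionPoint, and what a parser that only looks at the first name of each fullName misses. The extension value is constructed inline (helper names like tlv, distribution_point and crl_urls are this example's own, and the sample reuses the two FNMT URLs from the thread purely as illustrative strings, not as the real certificate's bytes).

```python
# Added example: minimal DER encoder/walker for the CRLDistributionPoints
# extension value (RFC 5280 s4.2.1.13). Not crt.sh / libx509pq code.
#
#   CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
#   DistributionPoint     ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
#   DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] RDN }
#   GeneralNames          ::= SEQUENCE OF GeneralName   -- this is the "GENERAL_NAMES" part
#   GeneralName           ::= CHOICE { ..., uniformResourceIdentifier [6] IA5String, ... }

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def uri(u: str) -> bytes:
    # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String -> 0x86
    return tlv(0x86, u.encode("ascii"))

def distribution_point(urls) -> bytes:
    # [0] around a CHOICE (DistributionPointName) is EXPLICIT -> constructed 0xA0,
    # wrapping fullName [0] IMPLICIT GeneralNames -> constructed 0xA0 (SEQUENCE OF).
    general_names = b"".join(uri(u) for u in urls)
    return tlv(0x30, tlv(0xA0, tlv(0xA0, general_names)))

def crl_distribution_points(dps) -> bytes:
    """dps: list of DistributionPoints, each a list of URLs."""
    return tlv(0x30, b"".join(distribution_point(dp) for dp in dps))

def parse_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, data[pos:pos + length], pos + length

def children(body: bytes):
    """Iterate the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value

def crl_urls(ext_value: bytes, first_only: bool = False):
    """Collect every CRL URL from a DER CRLDistributionPoints value.

    first_only=True reproduces the behaviour described in the thread: each
    fullName is treated as a single GENERAL_NAME, so only its first entry is seen.
    """
    outer_tag, outer, _ = parse_tlv(ext_value)
    assert outer_tag == 0x30, "CRLDistributionPoints must be a SEQUENCE"
    urls = []
    for dp_tag, dp in children(outer):
        assert dp_tag == 0x30, "DistributionPoint must be a SEQUENCE"
        for tag, value in children(dp):
            if tag != 0xA0:          # reasons [1] / cRLIssuer [2]: nothing to fetch
                continue
            dpn_tag, dpn, _ = parse_tlv(value)
            if dpn_tag != 0xA0:      # nameRelativeToCRLIssuer [1]: no URL
                continue
            names = list(children(dpn))
            if first_only:
                names = names[:1]    # the bug: ignores the rest of the GeneralNames
            for name_tag, name in names:
                if name_tag == 0x86:
                    urls.append(name.decode("ascii"))
    return urls

# Constructed samples (illustrative strings only, not the real FNMT cert bytes):
URL_EU = "http://www.cert.fnmt.es.testa.eu/crls/ARLFNMTRCMEU.crl"
URL_ES = "http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl"
SAMPLE_ONE_DP = crl_distribution_points([[URL_EU, URL_ES]])   # both URLs in one DP
SAMPLE_TWO_DPS = crl_distribution_points([[URL_EU], [URL_ES]])  # one URL per DP

if __name__ == "__main__":
    print(crl_urls(SAMPLE_ONE_DP, first_only=True))  # only the first URL is seen
    print(crl_urls(SAMPLE_ONE_DP))                   # both URLs
    print(crl_urls(SAMPLE_TWO_DPS, first_only=True)) # both URLs even with the bug
```

With one DistributionPoint holding both names, the first-only walk returns just the testa.eu URL, which is the situation the thread describes; with the same two URLs split across two DistributionPoints, both walks return both URLs, which is why the bug goes unnoticed for most CAs. The equivalent fix in C against OpenSSL is to treat `dp->distpoint->name.fullname` as a `STACK_OF(GENERAL_NAME)` and loop over `sk_GENERAL_NAME_num()` entries rather than reading a single `GENERAL_NAME`.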
