On 08/06/17 14:15, Rob Stradling via dev-security-policy wrote:
On 08/06/17 13:24, Kurt Roeckx via dev-security-policy wrote:
On 2017-06-08 14:16, Rob Stradling wrote:
crt.sh collates revocation information from all known CRL Distribution Point URLs for each CA. The CDP URLs listed at https://crt.sh/?id=12729173 were observed in other certs issued by the same CA:

Sorry, I meant to write "listed at https://crt.sh/?id=149444544";.

That shows:

This CA tends to put multiple CRL URLs in a single DistributionPoint, rather than put each CRL URL in its own DistributionPoint. Most CAs do the latter, but IINM the former is also valid (see [1]).

Currently, crt.sh only processes the first URL in each DistributionPoint. (Bug at [2] - I'm treating it as GENERAL_NAME rather than GENERAL_NAMES - I'll get that fixed).


crt.sh now processes all CRL URLs that have been observed in all "fullName" DistributionPoints (rather than just the first URL in each "fullName").

http://www.cert.fnmt.es/crls/ARLFNMTRCM.crl isn't the first CDP URL in any DistributionPoint of any cert known to crt.sh, and so crt.sh hasn't noticed that URL yet.

crt.sh has now noticed and processed this CRL successfully, and therefore the error messages have now disappeared from https://crt.sh/?id=149444544, etc.

But tries to use:

This is the first CDP URL in these two certs:

[1] https://tools.ietf.org/html/rfc5280#section-
   "If the DistributionPointName contains multiple values, each name
    describes a different mechanism to obtain the same CRL.  For example,
    the same CRL could be available for retrieval through both LDAP and

[2] https://github.com/crtsh/libx509pq/blob/master/x509pq.c#L2513

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

dev-security-policy mailing list

Reply via email to