On 08/02/18 13:47, Hanno Böck wrote:
> Is a revoked intermediate cert a license for operating a yolo CA that
> signs everything? Given the fragility of revocation checking I'd find
> that a problematic precedent.
In this case, the certificates are revoked in Firefox via OneCRL and
Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be
> The OCSP seems operational and replies with "Good" and the issuance
> happened before it's being added to OneCRL.
If the cert itself has not been revoked by its issuer, "Good" is an
entirely reasonable response...
> I don't find a reference why this intermediate had been added to
> OneCRL, but I think this deserves more clarification what's going on
OneCRL additions normally have an associated bug but I can't see one for
dev-security-policy mailing list