On 08/02/18 13:47, Hanno Böck wrote:
> Is a revoked intermediate cert a license for operating a yolo CA that
> signs everything? Given the fragility of revocation checking I'd find
> that a problematic precedent.

In this case, the certificates are revoked in Firefox via OneCRL and
Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be

> The OCSP seems operational and replies with "Good" and the issuance
> happened before it's being added to OneCRL.

If the cert itself has not been revoked by its issuer, "Good" is an
entirely reasonably response...

> I don't find a reference why this intermediate had been added to
> OneCRL, but I think this deserves more clarification what's going on
> here.

OneCRL additions normally have an associated bug but I can't see one for

dev-security-policy mailing list

Reply via email to