On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
> On 08/02/18 13:47, Hanno Böck wrote:
>> Is a revoked intermediate cert a license for operating a yolo CA that
>> signs everything? Given the fragility of revocation checking I'd find
>> that a problematic precedent.
>
> In this case, the certificates are revoked in Firefox via OneCRL and
> Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be
>
>> The OCSP seems operational and replies with "Good" and the issuance
>> happened before its being added to OneCRL.
>
> If the cert itself has not been revoked by its issuer, "Good" is an
> entirely reasonable response...
>
>> I don't find a reference why this intermediate had been added to
>> OneCRL, but I think this deserves more clarification what's going on
>
> OneCRL additions normally have an associated bug but I can't see one for

https://crt.sh/mozilla-onecrl (which parses the OneCRL JSON feed)
Senior Research & Development Scientist