On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
On 08/02/18 13:47, Hanno Böck wrote:
Is a revoked intermediate cert a license for operating a yolo CA that
signs everything? Given the fragility of revocation checking I'd find
that a problematic precedent.

In this case, the certificates are revoked in Firefox via OneCRL and
Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be

The OCSP seems operational and replies with "Good", and the issuance
happened before it was added to OneCRL.

If the cert itself has not been revoked by its issuer, "Good" is an
entirely reasonable response...

I don't find a reference for why this intermediate had been added to
OneCRL, but I think this deserves more clarification of what's going on.

OneCRL additions normally have an associated bug but I can't see one for

https://crt.sh/mozilla-onecrl (which parses the OneCRL JSON feed) suggests https://bugzilla.mozilla.org/show_bug.cgi?id=1432467.
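The check that crt.sh performs against the OneCRL feed, reduced to a stand-alone script, as an added example; this is not code from the thread, from Mozilla or from crt.sh. It assumes the OneCRL JSON layout as published by Mozilla's Remote Settings (a `data` array whose entries carry either base64 DER `issuerName` plus base64 `serialNumber` contents octets, or base64 DER `subject` plus base64 SHA-256 `pubKeyHash` of the SubjectPublicKeyInfo, with an `enabled` flag and a `details.bug` link). Every issuer name, serial, SPKI byte string and bug URL in the sample feed is constructed for the example. The `effective_status` function is the point of the thread: an OCSP "good" answer only reflects the issuer's own revocation records, so a OneCRL hit has to override it.

```python
"""Match a certificate against OneCRL-style entries and combine the result with OCSP.

Added example, not Mozilla or crt.sh code. The feed layout described in the
lead-in is an assumption about OneCRL; all sample data is constructed.
"""
import base64
import hashlib
import json


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_name_cn(cn):
    """Minimal X.501 Name holding a single CN (OID 2.5.4.3) as a UTF8String."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def serial_contents(serial):
    """Contents octets of the DER INTEGER for a non-negative serial
    (a leading 0x00 is kept when the high bit is set, as OneCRL stores it)."""
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")


def b64(raw):
    return base64.b64encode(raw).decode()


# Constructed feed in the assumed OneCRL JSON shape; none of these are real entries.
SAMPLE_FEED = json.dumps({"data": [
    {"issuerName": b64(der_name_cn("Example Root CA")),
     "serialNumber": b64(serial_contents(0x0A1B2C)),
     "details": {"bug": "https://bugzilla.example/constructed-1"}, "enabled": True},
    {"subject": b64(der_name_cn("Example Intermediate CA")),
     "pubKeyHash": b64(hashlib.sha256(b"constructed-spki-bytes").digest()),
     "details": {}, "enabled": True},
    {"issuerName": b64(der_name_cn("Example Root CA")),
     "serialNumber": b64(serial_contents(0x99)),
     "details": {"bug": "https://bugzilla.example/constructed-2"}, "enabled": False},
]})


def load_feed(text):
    return json.loads(text)["data"]


def onecrl_hits(entries, issuer_der, serial, subject_der, spki_der):
    """Return the enabled entries that cover the certificate, matching either
    issuer name + serial or subject + SPKI hash. Bytes are compared after
    base64 decoding so padding or whitespace differences do not matter."""
    spki_hash = hashlib.sha256(spki_der).digest()
    hits = []
    for e in entries:
        if not e.get("enabled", True):
            continue  # disabled entries are kept in the feed but not enforced
        if "issuerName" in e and "serialNumber" in e:
            if (base64.b64decode(e["issuerName"]) == issuer_der
                    and base64.b64decode(e["serialNumber"]) == serial_contents(serial)):
                hits.append(e)
        elif "pubKeyHash" in e:
            subject_ok = "subject" not in e or base64.b64decode(e["subject"]) == subject_der
            if subject_ok and base64.b64decode(e["pubKeyHash"]) == spki_hash:
                hits.append(e)
    return hits


def effective_status(ocsp_status, hits):
    """An OCSP "good" only says the issuer has not revoked the cert;
    a OneCRL listing revokes it in Firefox regardless."""
    if hits:
        return "revoked (OneCRL)"
    return "revoked (OCSP)" if ocsp_status == "revoked" else ocsp_status


def bug_reference(entry):
    """The Bugzilla link an entry normally carries, if any."""
    return entry.get("details", {}).get("bug") or "no bug reference in entry"


if __name__ == "__main__":
    entries = load_feed(SAMPLE_FEED)
    hits = onecrl_hits(entries, der_name_cn("Example Root CA"), 0x0A1B2C,
                       der_name_cn("Example Intermediate CA"), b"constructed-spki-bytes")
    print(effective_status("good", hits))
    for h in hits:
        print(" ", bug_reference(h))
```

Run against a real feed, the issuer DN, serial and SPKI would come from the certificate under investigation rather than being constructed here, and the `bug_reference` output is the link to look for before concluding, as above, that an entry has no associated bug.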