Ah, that's a good point! In Let's Encrypt's particular case, we guarantee that all of our CRL shards in a given "generation" share the same CRL Number, so detecting one shard substituted from a previous generation would be very easy. But I recognize that doing so is not required and could not be relied upon in the general case.
Aaron

On Thu, Oct 6, 2022 at 12:43 PM Andrew Ayer <[email protected]> wrote:

> On Thu, 6 Oct 2022 12:33:17 -0700
> "'Aaron Gable' via [email protected]"
> <[email protected]> wrote:
>
> > An older but still sufficiently-recent version of a different shard
> > would contain serials which also appear on the current version of
> > that same different shard. These duplicate serials would immediately
> > indicate that a substitution has occurred.
>
> What if the shard is empty?
>
> Regards,
> Andrew
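The two checks discussed in this exchange, as an added example that is not part of the original thread or of Let's Encrypt's code: shards are modelled as constructed (index, CRL Number, serial set) records rather than parsed X.509 CRLs, and the current generation's CRL Number is assumed to be the highest value seen across the served shards. The empty-shard case shows why the duplicate-serial check alone is not enough.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Shard:
    """One served CRL shard, reduced to the fields the thread relies on.
    Constructed model for illustration, not a parsed X.509 CRL."""
    index: int                 # which shard slot this was served as
    crl_number: int            # CRL Number extension value
    serials: frozenset = field(default_factory=frozenset)


def duplicate_serials(shards):
    """Serials that appear on two different shard slots. A stale copy of
    shard J served in slot K still lists serials that current shard J lists,
    so the overlap reveals the substitution (unless the stale copy is empty)."""
    first_seen = {}
    dupes = set()
    for shard in shards:
        for serial in shard.serials:
            if serial in first_seen and first_seen[serial] != shard.index:
                dupes.add(serial)
            first_seen.setdefault(serial, shard.index)
    return dupes


def stale_shards(shards):
    """Slots whose CRL Number is below the generation's CRL Number.
    Assumes all shards of one generation share a CRL Number, which
    Let's Encrypt guarantees but which is not required of CAs in general."""
    if not shards:
        return set()
    current = max(shard.crl_number for shard in shards)  # assumption: newest wins
    return {s.index for s in shards if s.crl_number < current}


def check_generation(shards):
    """Run both checks over the set of served shards and report findings."""
    return {
        "duplicate_serials": duplicate_serials(shards),
        "stale_shards": stale_shards(shards),
    }
```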
