Jean-Marc,
Jean-Marc Desperrier wrote:
> https://wiki.mozilla.org/CA:Problematic_Practices#CRL_with_critical_CIDP_Extension
> There's a problem with the validation of the info on that page.
> The following recommendation "Our recommendation is to remove the
> critical flag from the CIDP extension of your CRL." is extremely dangerous.
> The only reason to include a CIDP extension in the CRL is when the CRL
> *does not* cover all certs issued by the CA. Removing the critical flag
> means that it will be accepted as a valid CRL for certs it doesn't cover.
> The correct recommendation is to ask the CA to generate two CRLs,
> including one without the CIDP that covers every currently valid cert
> issued by the CA.
I agree. The person who wrote that page must have misunderstood the
meaning of the CRL Issuing Distribution Points extension. This extension
is required to be critical in RFC 3280 and 5280 for good reason - it
defines the scope of the CRL. Unless the client software understands the
scope, the CRL is meaningless to it. It should not be confused with a
full CRL.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
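The failure mode the thread describes, worked through in code. This is an added example, not part of the thread and not anyone's production validator: a stdlib-only Python script with a tiny DER encoder/decoder that constructs three unsigned CRLs (a partitioned CRL with a critical IDP, the same CRL with the critical flag removed, and a full CRL with no IDP) and then applies the RFC 5280 rule for unrecognised extensions. The CA name, distribution point URIs and dates are made up, and signature verification is deliberately left out because it is not what the argument is about.

```python
"""Constructed example: why a non-critical CRL Issuing Distribution Point
(IDP, RFC 5280 5.2.5) lets a partitioned CRL pass as a full CRL.
Stdlib only; CRLs are built here and are unsigned (signature check omitted)."""

OID_IDP = "2.5.29.28"                      # id-ce-issuingDistributionPoint
OID_SHA256_ECDSA = "1.2.840.10045.4.3.2"   # fills the AlgorithmIdentifier only

# ---- minimal DER encoding -------------------------------------------------
def der(tag, body):
    """Encode one TLV; handles short and long definite lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def build_crl(idp_uri=None, idp_critical=True):
    """CertificateList (v2) for a hypothetical 'Example CA', with no revoked
    entries and, if idp_uri is given, an IDP naming that one distribution point."""
    issuer = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"Example CA"))))
    alg = der(0x30, der_oid(OID_SHA256_ECDSA))
    tbs = der(0x02, b"\x01") + alg + issuer            # version v2, signature, issuer
    tbs += der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z")  # this/nextUpdate
    if idp_uri is not None:
        # IssuingDistributionPoint { distributionPoint [0] { fullName [0] { uri [6] } } }
        idp = der(0x30, der(0xA0, der(0xA0, der(0x86, idp_uri.encode()))))
        ext = der_oid(OID_IDP)
        if idp_critical:
            ext += der(0x01, b"\xff")                  # DER omits critical when FALSE
        ext += der(0x04, idp)
        tbs += der(0xA0, der(0x30, der(0x30, ext)))    # crlExtensions [0] EXPLICIT
    tbs = der(0x30, tbs)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # dummy signature BIT STRING

# ---- minimal DER decoding -------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der):
    """Map extnID -> (critical, extnValue bytes) for the crlExtensions of a CRL."""
    tbs_body = der_children(der_read(crl_der)[1])[0][1]
    exts = {}
    for tag, val in der_children(tbs_body):
        if tag == 0xA0:                                # crlExtensions [0]
            for _, ext in der_children(der_read(val)[1]):
                parts = der_children(ext)
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                exts[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return exts

def idp_uris(idp_der):
    """URIs named in IssuingDistributionPoint.distributionPoint.fullName."""
    uris = []
    for tag, val in der_children(der_read(idp_der)[1]):
        if tag == 0xA0:                                # distributionPoint [0]
            dpn_tag, gns, _ = der_read(val)
            if dpn_tag == 0xA0:                        # fullName [0] GeneralNames
                uris += [v.decode() for t, v in der_children(gns) if t == 0x86]
    return uris

def crl_covers(crl_der, cert_crl_dp_uri, client_understands_idp=True):
    """May this CRL be used as the revocation source for a cert whose CRL
    Distribution Point is cert_crl_dp_uri?  Returns 'usable', 'out-of-scope'
    or 'reject-unknown-critical'."""
    exts = crl_extensions(crl_der)
    if OID_IDP not in exts:
        return "usable"                                # full CRL: covers every cert
    critical, value = exts[OID_IDP]
    if not client_understands_idp:
        # RFC 5280 4.2: an unrecognised critical extension must be rejected;
        # a non-critical one is silently ignored, so the scoped CRL passes as full.
        return "reject-unknown-critical" if critical else "usable"
    return "usable" if cert_crl_dp_uri in idp_uris(value) else "out-of-scope"

if __name__ == "__main__":
    part1, part2 = "http://ca.example/crl/part1.crl", "http://ca.example/crl/part2.crl"
    for label, crl in [("critical IDP", build_crl(part1, True)),
                       ("non-critical IDP", build_crl(part1, False)),
                       ("full CRL", build_crl())]:
        print(f"{label:17s} legacy client, cert in part2 -> {crl_covers(crl, part2, False)}")
```

The second row of the printout is the dangerous case Jean-Marc points at: the partitioned CRL with its critical flag removed is accepted by a client that never implemented IDP as if it covered the part2 certificate, so a revocation published only in part2 is never seen. A client that does implement IDP gets "out-of-scope" either way, and the CRL without an IDP is usable for everything the issuer signed.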