2009/2/25 Eddy Nigg <eddy_n...@startcom.org>:
>
> Or in other words - and let's put it a bit more mildly - they certainly never
> tested their CRLs, at least not with the software this group cares about.
>
> But didn't Kyle say the CRLs are empty anyway (no revocations)? I couldn't
> find any records either. This doesn't sound quite right. More investigations
> needed here IMO. Review is due at the weekend...
There's a potentially problematic practice here, which is "long time period
between CRL issuance". I'm seeing issuance dates of October 6, 2008, with the
next updates to be expected at April 4, 2009. I expect this is 180 days,
though I don't feel like counting through my calendar to verify that.

Neither of the CRLs shows any currently-revoked certificates. This is NOT
necessarily a failure of the CA's CRL mechanism, though, since they very
easily could have no unexpired certificates which were revoked at the time
the CRL was generated.

Since I'm much more a guru with openssl than with NSS, I'll just post its
output regarding the CRLs:

ComSignCA.crl:

KyleMac:comsign kyanha$ openssl crl -inform PEM -noout -text -in ComSignCA.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign CA/O=ComSign/C=IL
        Last Update: Oct 6 13:18:54 2008 GMT
        Next Update: Apr 4 13:18:54 2009 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:4B:01:9B:3E:56:1A:65:36:76:CB:7B:97:AA:92:05:EE:32:E7:28:31
            X509v3 CRL Number:
                9
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        82:3f:d6:08:0c:38:ed:6f:9d:0e:86:b6:c4:b6:ef:09:7a:3b:
        0a:08:00:e2:db:77:95:58:bb:8e:ad:8d:7e:78:76:0b:27:d7:
        1a:9f:52:52:12:c7:c7:d8:a6:57:e7:8a:23:44:2b:3f:2d:a9:
        2b:44:15:ec:c1:ba:ff:3f:93:9d:93:f2:47:bf:a2:9f:9d:8f:
        5e:c6:2f:ec:1a:49:ff:94:e5:f9:80:61:2b:43:b7:66:95:f6:
        a5:16:35:ff:7e:21:ee:52:2e:ce:e2:20:81:5b:b0:7a:df:ad:
        31:d4:00:35:75:8a:92:3f:3f:fd:0e:8d:b0:48:3a:d2:be:82:
        e7:30:22:45:92:ef:98:b0:c4:6f:17:57:d3:94:6e:83:9b:be:
        f0:82:1f:b8:0a:9f:dc:ef:08:18:ef:36:50:d8:2e:1b:b5:8a:
        e0:6d:4c:09:5f:29:7d:5b:b6:dc:6f:2c:8a:cd:11:f4:7d:ec:
        5a:7a:12:20:f5:af:da:d8:6e:11:9d:8d:02:7e:4d:9e:9a:dd:
        54:99:53:01:ac:b2:08:c8:ff:2a:66:ae:ed:53:5a:18:e6:56:
        58:2d:89:5b:c5:ec:82:c8:b5:76:67:fe:64:af:5b:a6:53:87:
        46:66:74:18:6b:bd:21:b2:f2:57:8a:88:9f:f9:78:17:e5:7a:
        bb:a9:d1:94

ComSignSecuredCA.crl:

KyleMac:comsign kyanha$ openssl crl -inform PEM -noout -text -in ComSignSecuredCA.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign Secured CA/O=ComSign/C=IL
        Last Update: Oct 6 13:20:11 2008 GMT
        Next Update: Apr 4 13:20:11 2009 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:C1:4B:ED:70:B6:F7:3E:7C:00:3B:00:8F:C7:3E:0E:45:9F:1E:5D:EC
            X509v3 CRL Number:
                8
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        54:c3:34:37:1f:f2:2c:74:90:bb:96:ed:f0:d1:5b:ef:95:59:
        c8:9d:2e:e0:b6:a4:c4:7b:93:ca:df:9a:33:4a:f8:83:77:79:
        60:67:1b:8a:6c:b8:d1:7f:6d:2f:1f:c1:22:db:c3:a9:e3:17:
        0f:34:9c:76:58:14:7c:b7:90:e7:fe:af:7e:98:53:5e:06:5a:
        15:df:a9:92:e4:ef:e2:f4:e5:7d:75:f0:75:07:69:b9:fe:c5:
        ab:f4:ca:e4:5e:7a:ab:69:8f:f2:df:53:b6:07:5c:b1:d0:99:
        6f:59:51:7f:46:14:31:86:e8:4c:da:8b:07:f1:c4:0d:8b:e0:
        f0:b7:c5:50:e5:35:de:62:b8:14:4d:b1:b2:3a:06:91:2d:5c:
        e3:9c:83:60:e7:0f:a3:8e:7b:ea:23:35:6d:d3:5c:47:5f:75:
        b7:b2:40:8e:29:48:7a:34:2d:18:5e:38:77:6c:de:56:67:21:
        05:fd:97:72:3c:af:1e:09:32:f1:8e:2b:6f:32:3a:af:6d:18:
        71:a2:50:19:95:9b:28:93:27:0a:d4:61:b2:4b:e8:5d:10:05:
        f2:40:ab:31:39:b9:dd:5e:b3:f3:4a:38:5c:5e:61:1f:f2:2c:
        22:ea:41:83:be:52:fe:00:55:1f:37:95:10:66:b4:42:ad:82:
        0e:f3:32:29

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
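The interval Kyle estimates rather than counts can be checked mechanically. The Python script below is an added example, not part of the thread or of any ComSign or NSS code: it parses the text that `openssl crl -noout -text` prints (the format quoted above), computes the thisUpdate-to-nextUpdate interval, counts revoked entries, and flags a CRL whose interval exceeds a caller-supplied limit or whose nextUpdate has already passed. The first sample reproduces the ComSign CA fields from the message (signature bytes omitted); the second sample, its issuer and serials, and the 90-day limit are all constructed for illustration and not values the thread states.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ComSign CA CRL fields as `openssl crl -noout -text`
# printed them in the message above (signature omitted; openssl space-pads the
# day of month, which the parser normalises).
COMSIGN_CA_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign CA/O=ComSign/C=IL
        Last Update: Oct  6 13:18:54 2008 GMT
        Next Update: Apr  4 13:18:54 2009 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:4B:01:9B:3E:56:1A:65:36:76:CB:7B:97:AA:92:05:EE:32:E7:28:31
            X509v3 CRL Number:
                9
No Revoked Certificates.
"""

# Constructed sample of a CRL that does carry revocations (hypothetical issuer,
# made-up serials) so the revocation-entry branch of the parser is exercised.
REVOKING_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Example Issuing CA/O=Example/C=XX
        Last Update: Feb 20 00:00:00 2009 GMT
        Next Update: Feb 27 00:00:00 2009 GMT
        CRL extensions:
            X509v3 CRL Number:
                42
Revoked Certificates:
    Serial Number: 1001
        Revocation Date: Feb 19 12:00:00 2009 GMT
    Serial Number: 1002
        Revocation Date: Feb 19 13:30:00 2009 GMT
"""


def parse_openssl_time(value):
    """Parse openssl's time rendering, e.g. 'Oct  6 13:18:54 2008 GMT'."""
    parts = value.split()  # collapses the space-padded day of month
    if parts[-1] != "GMT":
        raise ValueError("unexpected time zone in %r" % value)
    return datetime.strptime(" ".join(parts[:-1]), "%b %d %H:%M:%S %Y")


def parse_crl_text(text):
    """Extract the fields a CRL policy check needs from `openssl crl -text` output."""
    info = {}
    for key, name in (("Issuer", "issuer"),
                      ("Last Update", "last_update"),
                      ("Next Update", "next_update")):
        m = re.search(r"^[ \t]*%s:[ \t]*(.+?)[ \t]*$" % re.escape(key), text, re.M)
        if m is None:
            raise ValueError("CRL text lacks %s" % key)
        info[name] = m.group(1)
    info["last_update"] = parse_openssl_time(info["last_update"])
    info["next_update"] = parse_openssl_time(info["next_update"])
    m = re.search(r"X509v3 CRL Number:\s*(\d+)", text)
    info["crl_number"] = int(m.group(1)) if m else None
    # Each revoked entry begins with a 'Serial Number:' line; an empty CRL
    # prints 'No Revoked Certificates.' and yields an empty list here.
    info["revoked_serials"] = re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)", text, re.M)
    return info


def check_crl(text, now, max_interval_days):
    """Return (parsed info, interval in days, findings) for one CRL.

    `now` may be a datetime or an ISO date string such as '2009-02-25'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    info = parse_crl_text(text)
    interval = info["next_update"] - info["last_update"]
    findings = []
    if interval <= timedelta(0):
        findings.append("nextUpdate is not after thisUpdate")
    elif interval > timedelta(days=max_interval_days):
        findings.append("issuance interval of %d days exceeds the %d-day limit"
                        % (interval.days, max_interval_days))
    if now > info["next_update"]:
        findings.append("CRL is stale: nextUpdate %s has passed" % info["next_update"].isoformat())
    if now < info["last_update"]:
        findings.append("thisUpdate %s lies in the future" % info["last_update"].isoformat())
    return info, interval.days, findings


if __name__ == "__main__":
    # Evaluate both samples as of the message date (25 Feb 2009); the 90-day
    # limit is an arbitrary illustrative threshold, not one the thread states.
    for text in (COMSIGN_CA_CRL_TEXT, REVOKING_CRL_TEXT):
        info, days, findings = check_crl(text, "2009-02-25", max_interval_days=90)
        print("%s: CRL #%s, interval %d days, %d revoked, findings: %s"
              % (info["issuer"], info["crl_number"], days,
                 len(info["revoked_serials"]), findings or "none"))
```

Run against the ComSign CA sample as of 25 February 2009 the check confirms the interval is exactly 180 days and the CRL is not yet stale; re-run with a date after 4 April 2009 and the staleness finding appears, which is the condition a relying party would actually hit if the next CRL were late. Because the script reads the `-text` rendering rather than DER, its input can be piped straight from the same `openssl crl` invocation shown above (`openssl crl -noout -lastupdate -nextupdate` prints just the two dates if that is all you need).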