2009/2/25 Eddy Nigg <eddy_n...@startcom.org>:
>
> Or in other words - and let's put it a bit more mildly - they certainly never 
> tested their CRLs, at least not with the software this group cares about.
>
> But didn't Kyle say the CRLs are empty anyway (no revocations)? I couldn't 
> find any records either. This doesn't sound quite right. More investigations 
> needed here IMO. Review is due at the weekend...

There's a potentially problematic practice here, which is "long time
period between CRL issuance".  I'm seeing issuance dates of October 6,
2008, with the next updates to be expected at April 4, 2009.  I expect
this is 180 days, though I don't feel like counting through my
calendar to verify that.

Neither of the CRLs shows any currently-revoked certificates.  This is
NOT necessarily a failure of the CA's CRL mechanism, though, since
they very easily could have no unexpired certificates which were
revoked at the time the CRL was generated.

Since I'm much more a guru with openssl than with NSS, I'll just post
its output regarding the CRLs:

ComSignCA.crl:
KyleMac:comsign kyanha$ openssl crl -inform PEM -noout -text -in ComSignCA.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign CA/O=ComSign/C=IL
        Last Update: Oct  6 13:18:54 2008 GMT
        Next Update: Apr  4 13:18:54 2009 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:4B:01:9B:3E:56:1A:65:36:76:CB:7B:97:AA:92:05:EE:32:E7:28:31
            X509v3 CRL Number:
                9
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption

ComSignSecuredCA.crl:
KyleMac:comsign kyanha$ openssl crl -inform PEM -noout -text -in ComSignSecuredCA.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign Secured CA/O=ComSign/C=IL
        Last Update: Oct  6 13:20:11 2008 GMT
        Next Update: Apr  4 13:20:11 2009 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:C1:4B:ED:70:B6:F7:3E:7C:00:3B:00:8F:C7:3E:0E:45:9F:1E:5D:EC
            X509v3 CRL Number:
                8
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption

-Kyle H
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
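The two things Kyle reads off the openssl dump, the Last Update / Next Update gap and whether any serials are listed as revoked, can be checked mechanically. The script below is an added example, not code from the thread or from openssl: it parses the text format of `openssl crl -text`, computes the issuance interval, compares it against an assumed policy maximum (`max_interval_days`, a hypothetical parameter), reports an empty revocation list without treating it as a failure, and flags a CRL whose nextUpdate has already passed. The sample input is a constructed excerpt using the ComSignCA.crl dates quoted above, with the signature bytes omitted.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the format printed by `openssl crl -text`, using the
# dates from the ComSignCA.crl output in the post; no signature bytes included.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ComSign CA/O=ComSign/C=IL
        Last Update: Oct  6 13:18:54 2008 GMT
        Next Update: Apr  4 13:18:54 2009 GMT
No Revoked Certificates.
"""

# openssl prints times like "Oct  6 13:18:54 2008 GMT"; strptime tolerates the double space.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

def parse_crl_text(text):
    """Pull issuer, validity window and revoked serials out of an openssl text dump."""
    def field(name):
        m = re.search(r"^\s*%s: (.+)$" % re.escape(name), text, re.MULTILINE)
        if not m:
            raise ValueError("missing %s" % name)
        return m.group(1).strip()
    # Revoked entries are listed as "Serial Number: <hex>" blocks under "Revoked Certificates:".
    serials = re.findall(r"^\s*Serial Number: ([0-9A-Fa-f]+)$", text, re.MULTILINE)
    return {
        "issuer": field("Issuer"),
        "last_update": datetime.strptime(field("Last Update"), OPENSSL_TIME),
        "next_update": datetime.strptime(field("Next Update"), OPENSSL_TIME),
        "revoked_serials": serials,
    }

def assess_crl(text, max_interval_days=7, now=None):
    """Report the issuance interval, whether it exceeds the assumed policy, and staleness.

    max_interval_days is a hypothetical policy limit, not a value from the thread."""
    crl = parse_crl_text(text)
    interval = crl["next_update"] - crl["last_update"]
    findings = {
        "issuer": crl["issuer"],
        "interval_days": interval.days,
        "interval_too_long": interval > timedelta(days=max_interval_days),
        "revoked_count": len(crl["revoked_serials"]),
        # An empty CRL is reported, not flagged: it may simply have nothing to revoke.
        "empty": not crl["revoked_serials"],
    }
    if now is not None:
        # Past nextUpdate a relying party must treat the CRL as stale, whatever it lists.
        findings["expired"] = now > crl["next_update"]
    return findings
```

A long interval matters because a certificate revoked the day after issuance can stay trusted by CRL-only clients until the next scheduled update.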
