On 02/09/2012 01:20 AM, Brian Smith wrote: > I am also concerned about the filtering based on reason codes. Is it > realistic to expect that every site that has a key compromise to publicly > state that fact? Isn't it pretty likely that after a server's EE certificate > has been revoked, that people will tend to be less diligent about protecting > the private key and/or asking for the cert to be revoked with a new reason > code?
You're right, relying on revocation reasons is not a good idea. There are CAs that reportedly "don't know" how to use them: A quote from Lucky Green (http://lists.randombit.net/pipermail/cryptography/2011-December/001918.html): > Most (but not all) of the CAs that I worked with over the years did not > have anybody on the operations side full time that would know how to > place a revocation reason into the CRL. Which is why the majority of CRL > entries include an unspecified reason code or the ever popular reason > code "NULL". Even the CAs that do use revocation reasons in CRLs do not always put them in. For instance, GlobalSign did not state any reason for the certificates revoked due to compromise of their server by the alleged ComodoHacker. Ondrej -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
