On Friday, 10 February 2012 at 01:32:47 UTC+1, Ondrej Mikle wrote:
[...]
> A quote from Lucky Green
> (http://lists.randombit.net/pipermail/cryptography/2011-December/001918.html):
> 
> > Most (but not all) of the CAs that I worked with over the years did not
> > have anybody on the operations side full time that would know how to
> > place a revocation reason into the CRL.

What kind of CAs are these?

> > Which is why the majority of CRL
> > entries include an unspecified reason code or the ever popular reason
> > code "NULL".

Before Google's announcement, what was the revocation reason used for? Nothing.
One can use it to distinguish the certificateHold and removeFromCRL reasons, but 
its use is seldom. One could eventually perform CRL partitioning, but I've 
never seen it in practice (and it's not really useful).

So even if the revocation reason is taken into account during the revocation 
action, and stored in the CA database, outputting this reason in a CRL parsed by 
a machine that doesn't care why a certificate has been revoked is useless.

Now, after some thought (thanks, Jean-Marc), if Google could come up with an 
efficient mechanism so that revocation is really checked, that's cool. The 
"less than 100k" is a challenge; I'd like to see how it will be solved, given 
the large CA base and the unequal technical expertise of those CAs.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto