On 10/02/12 21:40 PM, Erwann Abalea wrote:
Le vendredi 10 février 2012 01:32:47 UTC+1, Ondrej Mikle a écrit :
[...]
A quote from Lucky Green
(http://lists.randombit.net/pipermail/cryptography/2011-December/001918.html):

Most (but not all) of the CAs that I worked with over the years did not
have anybody on the operations side full time that would know how to
place a revocation reason into the CRL.

What kind of CAs are these?

:-)

Which is why the majority of CRL
entries include an unspecified reason code or the ever popular reason
code "NULL".

Before Google's announcement, what was the revocation reason used for? Nothing.
One can use it to distinguish the certificateHold and removeFromCrl reasons, but
it is seldom used. One could eventually perform CRL partitioning, but I've
never seen it in practice (and it's not really useful).

So even if the revocation reason is taken into account during the revocation
action, and stored in the CA database, outputting this reason in a CRL parsed by
a machine that doesn't care about why a certificate has been revoked is useless.

Now, after some thought (thanks, Jean-Marc), if Google could come up with an efficient 
mechanism so that revocation is really checked, that's cool. The "less than 
100k" is a challenge, I'd like to see how it will be solved, given the large CA base 
and unequal technical expertise of them.


What I surmised was happening was that Google were asking CAs to provide a new CRL for their specifications alone with "really must stop these" revocations in them.

So, any routine "compromise" or "replaced" or "not-sure" or NULL issues aren't to be in there. Which gets it down to numbers less than 1000 for the entire industry -- ones where the CA knows there is trouble.

Or, as Alexandre says, 231:
http://www.foo.be/cgi-bin/wiki.pl/2011-12-17_Certificate_Revocation_Reasons_2011

That's what I think they are doing. Partitioning at the legal/admin level.

I would do something different ;-)  So would we all I guess...



iang
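An added example, not from the thread or its authors: it builds a small constructed CRL with Python's `cryptography` package, tallies the reason codes the way the quoted statistics were gathered (an absent CRLReason extension stands in for the "NULL" case Lucky Green mentions), and pulls out the entries whose reason indicates a compromise, i.e. the kind of "really must stop these" partition discussed above. Which reasons count as "hard" is an assumed policy, and the CA name and serial numbers are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed policy: only compromise reasons go into the "must stop" partition.
HARD_REASONS = {x509.ReasonFlags.key_compromise,
                x509.ReasonFlags.ca_compromise,
                x509.ReasonFlags.aa_compromise}

# Constructed entries: (serial, reason); None means no CRLReason extension.
SAMPLE_ENTRIES = [(1, x509.ReasonFlags.key_compromise),
                  (2, x509.ReasonFlags.unspecified),
                  (3, None),
                  (4, x509.ReasonFlags.superseded),
                  (5, x509.ReasonFlags.certificate_hold)]

def build_sample_crl() -> bytes:
    """Sign a throwaway CRL (constructed test CA) and return it as DER."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(now).next_update(now + timedelta(days=1)))
    for serial, reason in SAMPLE_ENTRIES:
        rb = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            rb = rb.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(rb.build())
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def reason_of(entry: x509.RevokedCertificate):
    """Return the entry's ReasonFlags, or None when the extension is absent."""
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return None

def tally_reasons(der: bytes):
    """Count reason codes ('absent' for no extension) and list hard-reason serials."""
    counts, hard = Counter(), []
    for entry in x509.load_der_x509_crl(der):
        reason = reason_of(entry)
        counts[reason.name if reason is not None else "absent"] += 1
        if reason in HARD_REASONS:
            hard.append(entry.serial_number)
    return dict(counts), sorted(hard)

if __name__ == "__main__":
    print(tally_reasons(build_sample_crl()))
```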
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto