[cabfpub] Revocation Information

Rob Stradling rob.stradling at comodo.com
Tue Sep 23 13:28:05 UTC 2014

On 23/09/14 14:07, Gervase Markham wrote:
> On 23/09/14 13:53, Tim Shirley wrote:
>> To clarify on question #1: are you looking for a set of URLs that
>> provide revocation information *only* for non-EE certificates?  Put
>> another way, would a CRL not be useful to you if it contained
>> revocation information for both EE and non-EE certificates in the
>> same file?
> Good question. I wasn't aware such CRLs existed.

Until the BRs put a stop to it, some CAs were issuing SSL certs directly 
from Roots with validity periods of up to 10yrs or so.  The expiry dates 
for some number of these SSL certs are still in the future.

> If it were possible to
> tell from the CRL which revocations were of which type, then this would
> be fine, but I suspect it is not.

Well, there's the "Issuing Distribution Point" CRL extension (see 
RFC5280 Section 5.2.5), which IIRC NSS chokes on.  This has an 
"onlyContainsCACerts" option.  Hardly any CAs use the IDP extension 
though, AFAIK, perhaps because RFC5280 Section 5 also says...
   "Conforming applications are not
    required to support processing of delta CRLs, indirect CRLs, or CRLs
    with a scope other than all certificates issued by one CA."

> Therefore, yes, the CRLs involved
> would need to contain _only_ information about non-EE certificates. (I
> mean, if there were one or two, that wouldn't be a disaster, but
> hundreds would be difficult.)


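The Issuing Distribution Point extension mentioned above is what lets a relying party tell, from the CRL alone, whether it is scoped to CA certificates, end-entity certificates, or everything the CA issued. The following is an added example, not code from this thread or from any CA's tooling: a stdlib-only Python DER walker (not a full ASN.1 library) that locates the IDP extension (OID 2.5.29.28) in a DER-encoded CRL, decodes its flags per RFC 5280 section 5.2.5, and classifies the CRL's scope. The sample CRLs it builds are constructed for the example, with a placeholder signature and a made-up `crl.example.test` URI; a real consumer would verify the CRL signature before trusting any of this.

```python
"""Classify the scope of an X.509 CRL from its Issuing Distribution Point (IDP)
extension, RFC 5280 section 5.2.5. Stdlib only; the sample CRLs are constructed."""

OID_IDP = bytes.fromhex("551d1c")  # 2.5.29.28 id-ce-issuingDistributionPoint


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos].
    Handles single-byte tags and short/long definite lengths, which is all a CRL uses."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long form: low 7 bits give the count of length octets
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def der_children(value):
    """Iterate over the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def parse_idp(value):
    """Decode an IssuingDistributionPoint value; absent BOOLEANs take DEFAULT FALSE."""
    tag, body, _ = der_read(value)
    if tag != 0x30:
        raise ValueError("IDP must be a SEQUENCE")
    idp = {"distributionPoint": False, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": False,
           "indirectCRL": False, "onlyContainsAttributeCerts": False}
    names = {0xA0: "distributionPoint", 0x81: "onlyContainsUserCerts",
             0x82: "onlyContainsCACerts", 0x83: "onlySomeReasons",
             0x84: "indirectCRL", 0x85: "onlyContainsAttributeCerts"}
    for tag, inner in der_children(body):
        field = names.get(tag)
        if field is None:
            continue  # unknown tag: ignore rather than guess
        # [1], [2], [4], [5] carry a BOOLEAN; [0] and [3] are recorded as "present"
        idp[field] = (inner[0] != 0) if tag in (0x81, 0x82, 0x84, 0x85) else True
    return idp


def find_idp(crl_der):
    """Return the decoded IDP extension of a DER CRL, or None if it has none."""
    _, cert_list, _ = der_read(crl_der)          # CertificateList ::= SEQUENCE
    _, tbs, _ = der_read(cert_list)              # tbsCertList is its first child
    for tag, inner in der_children(tbs):
        if tag != 0xA0:                          # crlExtensions is [0] EXPLICIT
            continue
        _, exts, _ = der_read(inner)             # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(exts):
            fields = list(der_children(ext))     # extnID, [critical], extnValue
            if fields[0][1] == OID_IDP:
                return parse_idp(fields[-1][1])
    return None


def crl_scope(crl_der):
    """Map the IDP flags onto what the CRL can be relied on to cover."""
    idp = find_idp(crl_der)
    if idp is None:
        return "all certificates issued by this CA (no IDP)"
    if idp["indirectCRL"] or idp["onlySomeReasons"] or idp["onlyContainsAttributeCerts"]:
        return "partial scope (RFC 5280 section 5: support not required)"
    if idp["onlyContainsCACerts"]:
        return "CA certificates only"
    if idp["onlyContainsUserCerts"]:
        return "end-entity certificates only"
    return "all certificates (IDP present but no CA/EE restriction)"


def der(tag, payload):
    """Encode one TLV; lengths below 65536 are enough for these samples."""
    n = len(payload)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + payload


def sample_crl(idp_value=None):
    """Constructed v2 CRL with a placeholder (not valid) signature and an optional IDP."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
    tbs = der(0x02, b"\x01") + sha256_rsa + issuer + der(0x17, b"140923000000Z") + der(0x17, b"141023000000Z")
    if idp_value is not None:
        ext = der(0x30, der(0x06, OID_IDP) + der(0x01, b"\xff") + der(0x04, idp_value))
        tbs += der(0xA0, der(0x30, ext))
    signature = der(0x03, b"\x00" + b"\x00" * 16)  # placeholder signature bits
    return der(0x30, der(0x30, tbs) + sha256_rsa + signature)


# Constructed IDP values: CA-only, EE-only, indirect, and a distribution point with no restriction
IDP_CA_ONLY = der(0x30, der(0x82, b"\xff"))
IDP_EE_ONLY = der(0x30, der(0x81, b"\xff"))
IDP_INDIRECT = der(0x30, der(0x84, b"\xff"))
IDP_DP_ONLY = der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca.crl"))))

if __name__ == "__main__":
    for label, idp in (("none", None), ("CA-only", IDP_CA_ONLY), ("EE-only", IDP_EE_ONLY),
                       ("indirect", IDP_INDIRECT), ("DP-only", IDP_DP_ONLY)):
        print(f"{label:9} -> {crl_scope(sample_crl(idp))}")
```

The classifier deliberately lumps indirect CRLs, reason-restricted CRLs and attribute-certificate CRLs into one "partial scope" bucket, since those are exactly the scopes RFC 5280 section 5 says a conforming application need not process; a relying party that wants a clean "non-EE revocations only" feed would look for `onlyContainsCACerts` and treat anything else as unusable for that purpose.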