[cabfpub] Revocation Information

Erwann Abalea erwann.abalea at opentrust.com
Tue Sep 23 14:39:52 UTC 2014


On 23/09/2014 15:28, Rob Stradling wrote:
> On 23/09/14 14:07, Gervase Markham wrote:
>> On 23/09/14 13:53, Tim Shirley wrote:
>>> To clarify on question #1: are you looking for a set of URLs that
>>> provide revocation information *only* for non-EE certificates?  Put
>>> another way, would a CRL not be useful to you if it contained
>>> revocation information for both EE and non-EE certificates in the
>>> same file?
>> Good question. I wasn't aware such CRLs existed.
> Until the BRs put a stop to it, some CAs were issuing SSL certs directly
> from Roots with validity periods of up to 10yrs or so.  The expiry dates
> for some number of these SSL certs are still in the future.

Even without issuing from the Root, a CA can issue EE and CA certs from
an intermediate CA. IIRC, nothing in the BR forbids that.

>> If it were possible to
>> tell from the CRL which revocations were of which type, then this would
>> be fine, but I suspect it is not.
> Well, there's the "Issuing Distribution Point" CRL extension (see
> RFC5280 Section 5.2.5), which IIRC NSS chokes on.  This has an
> "onlyContainsCACerts" option.  Hardly any CAs use the IDP extension
> though, AFAIK, perhaps because RFC5280 Section 5 also says...
>     "Conforming applications are not
>      required to support processing of delta CRLs, indirect CRLs, or CRLs
>      with a scope other than all certificates issued by one CA."

ANF does.
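The Issuing Distribution Point extension discussed in this thread (RFC 5280 Section 5.2.5) is the only signal inside a CRL that tells a relying party whether the list is scoped to CA certificates, to end-entity certificates, or to everything the issuer signed. The block below is an added example, not code from the list archive or from any CA or browser vendor: it walks a DER-encoded CertificateList with a minimal hand-written DER reader, locates the IDP extension by OID (2.5.29.28), decodes its `onlyContainsCACerts` / `onlyContainsUserCerts` flags, and reports the CRL's scope. The two sample CRLs are constructed in the block with placeholder signatures (no signature is verified); the issuer name and dates are invented for the sample.

```python
"""Added example: read the Issuing Distribution Point (IDP) extension from a DER CRL.

Pure Python, no third-party dependencies. A minimal DER reader/writer is enough to
walk a CertificateList (RFC 5280 Section 5.1) and decode IssuingDistributionPoint
(Section 5.2.5). The sample CRLs built at the bottom are constructed here, carry a
dummy signature and only exercise the parser.
"""
from typing import Optional

IDP_OID = bytes.fromhex("551d1c")  # 2.5.29.28 id-ce-issuingDistributionPoint

# IMPLICIT context tags inside IssuingDistributionPoint (RFC 5280 5.2.5)
IDP_TAGS = {
    0xA0: "distributionPoint",           # [0] constructed, DistributionPointName
    0x81: "onlyContainsUserCerts",       # [1] BOOLEAN
    0x82: "onlyContainsCACerts",         # [2] BOOLEAN
    0x83: "onlySomeReasons",             # [3] ReasonFlags (BIT STRING)
    0x84: "indirectCRL",                 # [4] BOOLEAN
    0x85: "onlyContainsAttributeCerts",  # [5] BOOLEAN
}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, off: int = 0):
    """Decode the TLV starting at `off`; return (tag, value, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def der_children(body: bytes):
    """Split the contents of a constructed value into its (tag, value) elements."""
    out, off = [], 0
    while off < len(body):
        tag, val, off = der_read(body, off)
        out.append((tag, val))
    return out


def crl_extensions(crl_der: bytes):
    """Yield (oid_der, critical, extnValue contents) for each crlExtensions entry."""
    tbs = der_children(der_read(crl_der)[1])[0][1]      # tbsCertList contents
    for tag, val in der_children(tbs):
        if tag == 0xA0:                                 # crlExtensions [0] EXPLICIT
            for _, ext in der_children(der_read(val)[1]):
                parts = der_children(ext)
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                yield parts[0][1], critical, parts[-1][1]


def crl_scope(crl_der: bytes) -> dict:
    """Return the IDP flags; an absent IDP means 'all certs issued by this CA'."""
    scope = {name: False for name in IDP_TAGS.values()}
    scope["present"] = False
    for oid, critical, value in crl_extensions(crl_der):
        if oid != IDP_OID:
            continue
        if not critical:
            raise ValueError("IDP extension MUST be critical (RFC 5280 5.2.5)")
        scope["present"] = True
        for tag, val in der_children(der_read(value)[1]):
            if tag in IDP_TAGS:
                # BOOLEAN TRUE is 0xFF; DEFAULT FALSE values are never encoded in DER
                scope[IDP_TAGS[tag]] = True if tag in (0xA0, 0x83) else val == b"\xff"
    return scope


def describe_scope(scope: dict) -> str:
    """Human-readable scope, in the terms RFC 5280 Section 5 uses."""
    if not scope["present"]:
        return "all certificates issued by this CA"
    if scope["onlyContainsCACerts"]:
        return "CA certificates only"
    if scope["onlyContainsUserCerts"]:
        return "end-entity certificates only"
    return "partial scope (partitioned, reason-limited, indirect or attribute-cert CRL)"


def build_sample_crl(idp_body: Optional[bytes], critical: bool = True) -> bytes:
    """Constructed v2 CRL with a placeholder signature, for exercising the parser only."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    issuer = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403"))
                                                  + der_tlv(0x0C, b"Example CA"))))
    tbs_body = (der_tlv(0x02, b"\x01") + sha256_rsa + issuer
                + der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"240201000000Z"))
    if idp_body is not None:
        ext = der_tlv(0x30, der_tlv(0x06, IDP_OID)
                      + (der_tlv(0x01, b"\xff") if critical else b"")
                      + der_tlv(0x04, der_tlv(0x30, idp_body)))
        tbs_body += der_tlv(0xA0, der_tlv(0x30, ext))
    signature = der_tlv(0x03, b"\x00" * 33)  # unused-bits byte + 32 zero bytes (placeholder)
    return der_tlv(0x30, der_tlv(0x30, tbs_body) + sha256_rsa + signature)


# Constructed samples: a combined CRL (no IDP) and a CA-only CRL (onlyContainsCACerts TRUE)
COMBINED_CRL = build_sample_crl(None)
CA_ONLY_CRL = build_sample_crl(der_tlv(0x82, b"\xff"))

if __name__ == "__main__":
    for name, crl in (("combined", COMBINED_CRL), ("ca-only", CA_ONLY_CRL)):
        print(name, "->", describe_scope(crl_scope(crl)))
```

Run against a real CRL, `crl_scope(open("issuer.crl", "rb").read())` answers the question raised above: without an IDP the CRL covers every certificate the CA issued, so EE and CA revocations cannot be told apart from the CRL alone; with `onlyContainsCACerts` set it is a CA-only list. The check that the extension is critical matters because a relying party that does not understand IDP must reject the CRL rather than silently treat a partial list as complete.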
