[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Rob Stradling rob.stradling at comodo.com
Mon Sep 5 03:02:53 PDT 2011


On Monday 05 Sep 2011 10:53:50 Erwann ABALEA wrote:
> 2011/9/5 Gervase Markham <gerv at mozilla.org>:
<snip>
> > Then again:
> >   "The "unknown" state indicates that the responder doesn't know about
> >   the certificate being requested."
> > 
> > You would hope the responder would at least return that!
> 
> "Unknown" is understood as "bad" by relying parties, because it's not
> signed.

The "Unknown" certificate status is signed.

Perhaps you're confusing it with the "Unauthorized" OCSP Response error
message, which is not signed.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
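
The distinction drawn in this message, as an added example that is not part of the original post: a structural parse of two OCSP responses showing that an "unknown" certificate status sits inside the signed BasicOCSPResponse, while an "unauthorized" error reply carries no responseBytes and therefore no signature. The helper names (`tlv`, `children`, `classify`, `der`) and all sample bytes are constructed for illustration; the code locates the signature but does not verify it.

```python
# Added example: structural OCSP (RFC 2560/6960) parse; locates the signature, does not verify it.
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}

def tlv(buf):  # split one DER TLV off the front of buf: (tag, value, rest)
    tag, n, off = buf[0], buf[1], 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[off:off + n], buf[off + n:]

def children(buf):  # list of (tag, value) for every TLV in buf
    out = []
    while buf:
        tag, val, buf = tlv(buf)
        out.append((tag, val))
    return out

def classify(der_bytes):
    """Return (responseStatus, has_signature, certStatus or None)."""
    outer = children(tlv(der_bytes)[1])
    status = STATUS.get(outer[0][1][0], "reserved")
    if len(outer) == 1:                           # error reply: no responseBytes, nothing signed
        return status, False, None
    resp_bytes = children(tlv(outer[1][1])[1])    # [0] EXPLICIT ResponseBytes
    basic = children(tlv(resp_bytes[1][1])[1])    # OCTET STRING -> BasicOCSPResponse
    responses = next(v for t, v in children(basic[0][1]) if t == 0x30)
    single = children(children(responses)[0][1])  # first SingleResponse
    sig_tag, sig = basic[2]                       # BIT STRING over tbsResponseData
    return status, sig_tag == 0x03 and len(sig) > 1, CERT_STATUS[single[1][0]]

def der(tag, *parts):  # encode one TLV; used only to build the samples below
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

# Constructed samples: placeholder hashes, serial number and signature bytes.
TIME = der(0x18, b"20110905100000Z")
SHA1 = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")), der(0x05))
CERT_ID = der(0x30, SHA1, der(0x04, bytes(20)), der(0x04, bytes(20)), der(0x02, b"\x01"))
SINGLE = der(0x30, CERT_ID, der(0x82), TIME)      # certStatus = unknown [2]
TBS = der(0x30, der(0xA2, der(0x04, bytes(20))), TIME, der(0x30, SINGLE))
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010105")), der(0x05))
BASIC = der(0x30, TBS, SIG_ALG, der(0x03, b"\x00" + bytes(8)))
BASIC_OID = der(0x06, bytes.fromhex("2b0601050507300101"))  # id-pkix-ocsp-basic
UNKNOWN = der(0x30, der(0x0A, b"\x00"), der(0xA0, der(0x30, BASIC_OID, der(0x04, BASIC))))
UNAUTHORIZED = der(0x30, der(0x0A, b"\x06"))      # whole reply: 30 03 0a 01 06
print(classify(UNKNOWN), classify(UNAUTHORIZED))
```

A relying party can authenticate the first reply by checking the signature over tbsResponseData; the second is five unauthenticated bytes.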
