[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Erwann ABALEA erwann at abalea.com
Mon Sep 5 03:49:00 PDT 2011


2011/9/5 Rob Stradling <rob.stradling at comodo.com>:
> On Monday 05 Sep 2011 10:53:50 Erwann ABALEA wrote:
>> 2011/9/5 Gervase Markham <gerv at mozilla.org>:
> <snip>
>> > Then again:
>> >   "The "unknown" state indicates that the responder doesn't know about
>> >   the certificate being requested."
>> >
>> > You would hope the responder would at least return that!
>>
>> "Unknown" is understood as "bad" by relying parties, because it's not
>> signed.
>
> The "Unknown" certificate status is signed.
>
> Perhaps you're confusing it with the "Unauthorized" OCSP Response error
> message, which is not-signed.

You're right. I had the expired "www.ietf.org" certificate example in
mind (for which VeriSign replies as "unauthorized").

-- 
Erwann.
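As an added example (not part of this thread), the structural reason behind Rob's distinction: a pure-Python walk over an OCSPResponse that separates the outer responseStatus, which carries no signature at all, from the certStatus that lives inside the signed BasicOCSPResponse. Both DER samples are constructed here, and "signed" only means a signature field is present over tbsResponseData; checking it against the responder certificate is a separate step.

```python
# responseStatus values (RFC 6960 4.2.1) and CertStatus CHOICE tags ([0] good,
# [1] revoked, [2] unknown) found inside the signed SingleResponse.
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}
def der(tag, body):
    """Tiny DER TLV encoder (bodies shorter than 65536 bytes), for the samples."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify(resp):
    """Return the unsigned outer responseStatus and, if present, the signed certStatus."""
    _, outer, _ = tlv(resp)                     # OCSPResponse ::= SEQUENCE
    _, st, pos = tlv(outer)                     # responseStatus ENUMERATED
    status = STATUS.get(st[0], "reserved")
    if pos >= len(outer):                       # no responseBytes: nothing is signed
        return {"responseStatus": status, "signed": False, "certStatus": None}
    _, rb, _ = tlv(tlv(outer, pos)[1])          # [0] EXPLICIT ResponseBytes ::= SEQUENCE
    _, basic, _ = tlv(tlv(rb, tlv(rb)[2])[1])   # skip the OID, open the OCTET STRING
    _, tbs, p = tlv(basic)                      # tbsResponseData: what the signature covers
    _, _, p = tlv(basic, p)                     # signatureAlgorithm
    sig_tag, sig, _ = tlv(basic, p)             # signature BIT STRING
    p = tlv(tbs)[2] if tbs[0] == 0xA0 else 0    # optional explicit version
    p = tlv(tbs, tlv(tbs, p)[2])[2]             # skip responderID and producedAt
    single = tlv(tlv(tbs, p)[1])[1]             # first SingleResponse
    cs_tag = tlv(single, tlv(single)[2])[0]     # certStatus follows certID
    return {"responseStatus": status, "signed": sig_tag == 0x03 and len(sig) > 1,
            "certStatus": CERT_STATUS.get(cs_tag, "?")}
# Constructed samples, not captured from any responder: the 5-byte "unauthorized"
# error, and a successful response whose certStatus is "unknown" (placeholder signature).
UNAUTHORIZED = der(0x30, der(0x0A, b"\x06"))
_t = der(0x18, b"20110905000000Z")
_cert_id = der(0x30, der(0x30, der(0x06, b"\x2b\x0e\x03\x02\x1a") + der(0x05, b""))
               + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20) + der(0x02, b"\x01"))
_tbs = der(0x30, der(0xA2, der(0x04, b"\x33" * 20)) + _t
           + der(0x30, der(0x30, _cert_id + der(0x82, b"") + _t)))
_basic = der(0x30, _tbs + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
             + der(0x03, b"\x00" + b"\x44" * 32))
UNKNOWN_STATUS = der(0x30, der(0x0A, b"\x00") + der(0xA0, der(0x30,
    der(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x01\x01") + der(0x04, _basic))))
```

classify(UNAUTHORIZED) reports no signed data at all, while classify(UNKNOWN_STATUS) reports a signed "unknown"; a relying party cannot tell a responder's genuine unsigned error from one substituted on the wire, which is why the two cases deserve different handling.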
