[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Gervase Markham gerv at mozilla.org
Fri Sep 9 09:45:07 PDT 2011


On 09/09/11 03:15, Rob Stradling wrote:
> On Friday 09 Sep 2011 10:44:05 Erwann ABALEA wrote:
>> What can be answered to a request for an expired but not revoked
>> certificate? "Good" or "Revoked" are unacceptable, "Unknown" is also
>> false (the CA *knows* the state), and every other answer is not
>> signed.
> 
> I think "Good" would be the best match.  There would need to be a note to 
> explain that the profile reinterprets "Good" as "Not Revoked; Has Known Serial 
> Number".

I'd strongly disagree. :-) If someone has tampered with my clock such
that I don't notice a certificate has expired, and so I contact an OCSP
responder to ask about it, the last thing I want is a "Good" response.

If, in your scheme, we have to redefine "Good" as "Not Revoked; Has
Known Serial Number", then why can't we instead redefine "Revoked" as
"Not good; revoked or expired"?

Gerv
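The disagreement above is about what a responder should say for an expired certificate; the other half of the problem is what a relying party does with whatever it gets back. As an added example (not part of the thread, and not code from any of the posters), here is a small Python model of that client-side decision: the validity window is taken from the certificate itself, the responder's thisUpdate/nextUpdate are sanity-checked against the local clock so that a clock set back is noticed, and only then does the status field count. All dates, serial numbers and the five-minute skew tolerance are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class CertInfo:
    """The fields of the certificate the client already holds."""
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspSingleResponse:
    """The parts of an OCSP SingleResponse that matter for this decision."""
    serial: int
    status: OcspStatus
    this_update: datetime
    next_update: datetime


# Tolerance for clock drift between client and responder (assumed value).
MAX_SKEW = timedelta(minutes=5)


def evaluate(cert: CertInfo, resp: OcspSingleResponse, now: datetime) -> Tuple[bool, str]:
    """Return (trusted, reason). Every check that can fail closed does so
    before the OCSP status field is even looked at."""
    # 1. The validity period comes from the certificate, never from the responder.
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, "certificate expired"
    # 2. The response must actually be about this certificate.
    if resp.serial != cert.serial:
        return False, "response is for a different serial number"
    # 3. Freshness relative to *our* clock. A thisUpdate well in the future
    #    means either the responder is wrong or our clock has been rolled back;
    #    either way the answer cannot be relied on.
    if resp.this_update > now + MAX_SKEW:
        return False, "response thisUpdate is in the future: local clock suspect"
    if resp.next_update < now - MAX_SKEW:
        return False, "response is stale"
    # 4. Only now does the status field decide.
    if resp.status is OcspStatus.GOOD:
        return True, "good"
    if resp.status is OcspStatus.REVOKED:
        return False, "revoked"
    return False, "unknown to responder"


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: a certificate that expired on 2011-09-01 and a
# responder that, as proposed in the thread, still answers "good" for it,
# with timestamps reflecting the true date.
CERT = CertInfo(serial=0x1234, not_before=utc(2010, 9, 1), not_after=utc(2011, 9, 1))
RESP_GOOD = OcspSingleResponse(serial=0x1234, status=OcspStatus.GOOD,
                               this_update=utc(2011, 9, 9, 9), next_update=utc(2011, 9, 10, 9))


def scenarios():
    """Three runs: honest clock, clock rolled back past expiry, and a fresh cert."""
    honest = evaluate(CERT, RESP_GOOD, now=utc(2011, 9, 9, 10))
    # The client's clock has been moved back to before the certificate expired.
    rolled_back = evaluate(CERT, RESP_GOOD, now=utc(2011, 8, 1))
    valid_cert = CertInfo(serial=0x5678, not_before=utc(2011, 1, 1), not_after=utc(2012, 1, 1))
    valid_resp = OcspSingleResponse(serial=0x5678, status=OcspStatus.GOOD,
                                    this_update=utc(2011, 9, 9, 9), next_update=utc(2011, 9, 10, 9))
    fresh = evaluate(valid_cert, valid_resp, now=utc(2011, 9, 9, 10))
    return honest, rolled_back, fresh


if __name__ == "__main__":
    for name, result in zip(("honest clock", "clock rolled back", "valid cert"), scenarios()):
        print(f"{name:18s} -> {result}")
```

With an honest clock the "Good" answer never matters because the expiry check runs first; with the clock rolled back, the responder's own thisUpdate sits a month in the client's future, which is the signal that something is wrong with local time. The "Good" status is only reached for a certificate that is inside its window and whose response is fresh by the client's reckoning.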
