[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Gervase Markham
gerv at mozilla.org
Fri Sep 9 09:45:07 PDT 2011
On 09/09/11 03:15, Rob Stradling wrote:
> On Friday 09 Sep 2011 10:44:05 Erwann ABALEA wrote:
>> What can be answered to a request for an expired but not revoked
>> certificate? "Good" or "Revoked" are unacceptable, "Unknown" is also
>> false (the CA *knows* the state), and every other answer is not
>> signed.
>
> I think "Good" would be the best match. There would need to be a note to
> explain that the profile reinterprets "Good" as "Not Revoked; Has Known Serial
> Number".
I'd strongly disagree. :-) If someone has tampered with my clock such
that I don't notice a certificate has expired, and so I contact an OCSP
responder to ask about it, the last thing I want is a "Good" response.
If, in your scheme, we have to redefine "Good" as "Not Revoked; Has
Known Serial Number", then why can't we instead redefine "Revoked" as
"Not good; revoked or expired"?
Gerv
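The disagreement above is about what a responder should say for an expired, unrevoked serial and what a client with a tampered clock can do about it. The following is an added illustration, not code from this thread or from any real responder: a small model of both sides. The responder side implements the "Good = not revoked, known serial" reading (RFC 6960 itself says a "good" response does not promise the cert is within its validity interval), and the client side shows why that reading is survivable only if the client checks the validity period itself and cross-checks its local clock against the responder's signed producedAt time. The certificate, serials, dates and the ten-minute skew limit are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OCSPResponse:
    """The subset of a signed BasicOCSPResponse the client decision needs.
    produced_at / this_update / next_update are covered by the responder's
    signature, so a client can trust them as much as it trusts the status."""
    serial: int
    status: CertStatus
    produced_at: datetime
    this_update: datetime
    next_update: datetime


# Constructed sample data: a cert valid for the first half of 2011.
UTC = timezone.utc
CERT = Certificate(serial=0x1A2B,
                   not_before=datetime(2011, 1, 1, tzinfo=UTC),
                   not_after=datetime(2011, 7, 1, tzinfo=UTC))
TRUE_NOW = datetime(2011, 9, 9, 16, 45, tzinfo=UTC)      # after expiry
IN_VALIDITY = datetime(2011, 3, 15, 12, 0, tzinfo=UTC)   # inside the window


def responder_answer(cert: Certificate, revoked_serials: set[int],
                     responder_now: datetime) -> OCSPResponse:
    """Hypothetical responder policy (the 'Good = not revoked, known serial'
    interpretation from the thread): expiry is NOT consulted at all."""
    status = CertStatus.REVOKED if cert.serial in revoked_serials else CertStatus.GOOD
    return OCSPResponse(serial=cert.serial, status=status,
                        produced_at=responder_now, this_update=responder_now,
                        next_update=responder_now + timedelta(days=1))


def client_decision(cert: Certificate, resp: OCSPResponse, local_now: datetime,
                    max_skew: timedelta = timedelta(minutes=10)) -> tuple[bool, str]:
    """Returns (accept, reason). Order matters: the validity window is checked
    first and independently of OCSP, and the responder's signed time is used
    to detect a client clock that has been moved."""
    if not (cert.not_before <= local_now <= cert.not_after):
        return False, "expired or not yet valid"
    if resp.serial != cert.serial:
        return False, "response is for a different serial"
    # The responder's clock is signed; if it disagrees wildly with ours,
    # either the response is being replayed or our clock was tampered with.
    if abs(resp.produced_at - local_now) > max_skew:
        return False, "responder clock disagrees with local clock"
    if not (resp.this_update <= local_now <= resp.next_update):
        return False, "stale response"
    if resp.status is CertStatus.GOOD:
        return True, "good"
    return False, resp.status.value


def honest_clock_expired_cert() -> tuple[bool, str]:
    # Responder says "good" (not revoked); client still rejects on expiry.
    resp = responder_answer(CERT, set(), TRUE_NOW)
    return client_decision(CERT, resp, TRUE_NOW)


def tampered_clock_expired_cert() -> tuple[bool, str]:
    # Attacker rolled the client clock back inside the validity window.
    # Expiry check passes, but the signed producedAt is six months ahead.
    resp = responder_answer(CERT, set(), TRUE_NOW)
    return client_decision(CERT, resp, IN_VALIDITY)


def honest_clock_valid_cert() -> tuple[bool, str]:
    resp = responder_answer(CERT, set(), IN_VALIDITY)
    return client_decision(CERT, resp, IN_VALIDITY)


def honest_clock_revoked_cert() -> tuple[bool, str]:
    resp = responder_answer(CERT, {CERT.serial}, IN_VALIDITY)
    return client_decision(CERT, resp, IN_VALIDITY)


if __name__ == "__main__":
    for case in (honest_clock_expired_cert, tampered_clock_expired_cert,
                 honest_clock_valid_cert, honest_clock_revoked_cert):
        print(f"{case.__name__}: {case()}")
```

The skew check is the part that addresses the clock-tampering worry: a responder that answers "good" for an expired serial is harmless to a client that never skips its own notAfter check and that refuses responses whose signed producedAt is far from its idea of now. It assumes the responder's clock is correct and that the attacker controls only the client's clock; a responder whose own time is wrong would have to be caught by other means.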