[gtld-tech] ICANN CRL expired and not updated yet
gustavo.lozano at icann.org
Tue Jul 28 19:16:31 UTC 2015
On 7/27/15, 18:00, "gtld-tech-bounces at icann.org on behalf of Rubens Kuhl"
<gtld-tech-bounces at icann.org on behalf of rubensk at nic.br> wrote:
>BTW, shouldn't this be made https ?
RFC 5280 says:
* When certificates include a cRLDistributionPoints extension with an https URI or similar scheme, circular dependencies can be
* CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions...
* Relying parties that choose to validate the server's certificate when obtaining information pointed to by an https URI in the cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions MUST be prepared for the possibility that this will result in unbounded
While drafting draft-lozano-tmch-func-spec, I verified that
the leading CAs use http in the cRLDistributionPoint, therefore security
libraries may not be as well tested for https as for http in the
addition, I did not know if the TMCH CA would be used for something else
creating a circular dependency, therefore the decision was to follow the
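As an added example (not code from the thread, ICANN or the TMCH project), the following Python check, using the `cryptography` library, covers the two points the thread touches: a cRLDistributionPoints URI whose scheme RFC 5280 section 4.2.1.13 discourages, and a CRL whose nextUpdate has already passed. The CA name, the URIs and the dates are constructed fixtures.

```python
import datetime as dt
from urllib.parse import urlparse
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
DISCOURAGED = {"https", "ldaps"}  # RFC 5280 s4.2.1.13: CAs SHOULD NOT use these schemes

def crldp_findings(cert):
    """Return (uri, problem) for every cRLDistributionPoints URI with a discouraged scheme."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    out = []
    for dp in ext.value:
        for gn in dp.full_name or []:
            if isinstance(gn, x509.UniformResourceIdentifier):
                scheme = urlparse(gn.value).scheme.lower()
                if scheme in DISCOURAGED:
                    out.append((gn.value, f"{scheme} CRLDP can create a circular dependency"))
    return out

def crl_time_utc(crl, field):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only naive UTC ones.
    v = getattr(crl, field + "_utc", None)
    return v if v is not None else getattr(crl, field).replace(tzinfo=dt.timezone.utc)

def crl_is_current(crl, now):
    """A CRL is usable only while thisUpdate <= now <= nextUpdate."""
    return crl_time_utc(crl, "last_update") <= now <= crl_time_utc(crl, "next_update")

def build_fixture():
    """Constructed material, not ICANN's: a throwaway CA, a cert with one http and one
    https CRLDP URI, and a CRL whose nextUpdate has already passed."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    t0 = dt.datetime(2015, 7, 1)  # naive datetimes are interpreted as UTC by cryptography
    crldp = x509.CRLDistributionPoints([
        x509.DistributionPoint([x509.UniformResourceIdentifier(u)], None, None, None)
        for u in ("http://crl.example.test/ca.crl", "https://crl.example.test/ca.crl")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(t0).not_valid_after(t0 + dt.timedelta(days=365))
            .add_extension(crldp, critical=False).sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(t0).next_update(t0 + dt.timedelta(days=7)).sign(key, hashes.SHA256()))
    return cert, crl

if __name__ == "__main__":
    cert, crl = build_fixture()
    print(crldp_findings(cert))  # flags only the https URI
    print(crl_is_current(crl, dt.datetime(2015, 7, 28, tzinfo=dt.timezone.utc)))  # False
```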