[gtld-tech] ICANN CRL expired and not updated yet

Gustavo Lozano gustavo.lozano at icann.org
Tue Jul 28 19:16:31 UTC 2015


Rubens,

Comments inline.

On 7/27/15, 18:00, "gtld-tech-bounces at icann.org on behalf of Rubens Kuhl"
<gtld-tech-bounces at icann.org on behalf of rubensk at nic.br> wrote:

>
>
>BTW, shouldn't this be made https ?
>

RFC 5280 says: 

* When certificates include a cRLDistributionPoints extension
with an https URI or similar scheme, circular dependencies can be
introduced...

* CAs SHOULD NOT include URIs that specify https, ldaps, or
similar schemes in extensions...

* Relying parties that choose to validate the server's
certificate when obtaining information pointed to by an https URI in the
cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions
MUST be prepared for the possibility that this will result in unbounded
recursion....
 

While drafting draft-lozano-tmch-func-spec, I verified that the leading CAs use http in the cRLDistributionPoint, therefore security libraries may not be as well tested for https as for http in the extension. In addition, I did not know if the TMCH CA would be used for something else creating a circular dependency, therefore the decision was to follow the advice in RFC 5280.


Regards,
Gustavo
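A check for the RFC 5280 advice discussed above, as an added Go example that is not code from this thread, ICANN or the TMCH: it builds a constructed self-signed certificate carrying cRLDistributionPoints URIs and flags those whose scheme (https, ldaps) would make fetching the CRL depend on certificate validation. The function names and the example.test URIs are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// Schemes RFC 5280 says CAs SHOULD NOT use in cRLDistributionPoints: fetching the
// CRL would itself need certificate validation (circular dependency / recursion).
var circularSchemes = map[string]bool{"https": true, "ldaps": true}

// circularCDPs returns the CRL distribution point URIs in cert that use such a scheme.
func circularCDPs(cert *x509.Certificate) []string {
	var bad []string
	for _, raw := range cert.CRLDistributionPoints {
		u, err := url.Parse(raw) // url.Parse normalises the scheme to lower case
		if err == nil && circularSchemes[u.Scheme] {
			bad = append(bad, raw)
		}
	}
	return bad
}

// newTestCert builds a constructed self-signed fixture (not a real CA) carrying
// the given CDP URIs, so the check can run offline against a parsed certificate.
func newTestCert(cdps []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: cdps, // encoded as full_name URIs in the extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The same function works on any parsed certificate, so it can be pointed at a CA's issued certificates to confirm its CDP URIs follow the http convention the message describes.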
