[gtld-tech] ICANN CRL expired and not updated yet

Gustavo Lozano gustavo.lozano at icann.org
Tue Jul 28 19:16:31 UTC 2015


Comments inline.

On 7/27/15, 18:00, "gtld-tech-bounces at icann.org on behalf of Rubens Kuhl"
<gtld-tech-bounces at icann.org on behalf of rubensk at nic.br> wrote:

>BTW, shouldn't this be made https ?

RFC 5280 says: 

* When certificates include a cRLDistributionPoints extension
with an https URI or similar scheme, circular dependencies can be

* CAs SHOULD NOT include URIs that specify https, ldaps, or
similar schemes in extensions...

* Relying parties that choose to validate the server's
certificate when obtaining information pointed to by an https URI in the
cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions
MUST be prepared for the possibility that this will result in unbounded

While drafting draft-lozano-tmch-func-spec, I verified that
the leading CAs use http in the cRLDistrubitionPoint, therefore security
libraries may not be as well tested for https as for http in the
extension. In
addition, I did not know if the TMCH CA would be used for something else
creating a circular dependency, therefore the decision was to follow the
in RFC5280.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5045 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gtld-tech/attachments/20150728/c6715ef9/smime.p7s>

More information about the gtld-tech mailing list