DigiNotar revocation date?


Ralph Holz (TUM)
May 9, 2012, 8:05:47 AM
to mozilla-dev-s...@lists.mozilla.org
Hi,

We're trying to find out the reason again why DigiNotar, when they revoked their certs, inserted an invalidity date that was 1 month later than the revocation date. I seem to recall this was discussed in this group; I'd much appreciate if someone could help me out here.

Thanks,
Ralph

Erwann Abalea
May 9, 2012, 10:06:57 AM
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, May 9, 2012 14:05:47 UTC+2, Ralph Holz (TUM) wrote:
> Hi,
>
> We're trying to find out the reason again why DigiNotar, when they revoked their certs, inserted an invalidity date that was 1 month later than the revocation date. I seem to recall this was discussed in this group; I'd much appreciate if someone could help me out here.

1 month *later*? Are you sure?

1 month *earlier* would be OK, and the only way to correctly do it.
When producing a CRL, you cannot have a certificate with a revocation date earlier than the lastUpdate field of a previous CRL.

Imagine a CA producing a CRL at date D1, and the certificate X is not present in this CRL.
At date D2 (D2 > D1), you learn that certificate X was compromised at date D0 (D0 < D1).
If you produce a CRL at date D3 (D3 > D2), you cannot declare certificate X as revoked at date D0 (since D0 < D1). You can only declare X as revoked at D2, and add an extension (invalidityDate) specifying D0.

This is imposed by X.509. Paragraph 8.5.2.4 (Invalidity date extension), note 2.

Carsten.D...@t-systems.com
May 9, 2012, 10:13:26 AM
to eab...@gmail.com, ralph...@gmail.com, mozilla-dev-s...@lists.mozilla.org
Just off the top of my head:
Someone correct me if I am wrong, but as far as I can remember the Dutch government urgently requested some grace period as they needed to migrate their infrastructure to another vendor. Maybe this is the reason you are looking for?

Carsten



Ralph Holz (TUM)
May 11, 2012, 8:30:33 AM
to mozilla.dev.s...@googlegroups.com, mozilla-dev-s...@lists.mozilla.org
On Wednesday, May 9, 2012 4:06:57 PM UTC+2, Erwann Abalea wrote:

> > We're trying to find out the reason again why DigiNotar, when they revoked their certs, inserted an invalidity date that was 1 month later than the revocation date. I seem to recall this was discussed in this group; I'd much appreciate if someone could help me out here.
>
> 1 month *later*? Are you sure?

Yes, this is an excerpt from that original CRL:

    Serial Number: 022E35B1ACD40F040C444DF32A7B8DE6
        Revocation Date: Aug 29 16:31:26 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
            Invalidity Date:
                Sep 26 12:00:00 2011 GMT

The new CRL is corrected:

    Serial Number: 022E35B1ACD40F040C444DF32A7B8DE6
        Revocation Date: Aug 29 16:31:26 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
            Invalidity Date:
                Aug 29 16:31:26 2011 GMT
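
As an added example (not from the thread), a small Python checker that parses `openssl crl -text` output such as the excerpts above and flags the two problems discussed: an invalidity date later than the revocation date, and a revocation date earlier than the previous CRL's lastUpdate. The sample entry is constructed from the excerpt quoted in this post; the previous-CRL lastUpdate used in the check is a constructed value, not taken from the DigiNotar CRLs.

```python
"""Sanity checks on CRL entries as printed by `openssl crl -text -noout`:
invalidityDate must not be later than revocationDate (the original DigiNotar
CRL got this wrong), and revocationDate must not predate the previous CRL's
lastUpdate (the X.509 rule Erwann describes). Sample text is constructed."""
from datetime import datetime, timezone

# Constructed sample modelled on the original CRL excerpt, then the corrected one.
ORIGINAL_ENTRY = """\
    Serial Number: 022E35B1ACD40F040C444DF32A7B8DE6
        Revocation Date: Aug 29 16:31:26 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                CA Compromise
            Invalidity Date:
                Sep 26 12:00:00 2011 GMT
"""
CORRECTED_ENTRY = ORIGINAL_ENTRY.replace("Sep 26 12:00:00 2011", "Aug 29 16:31:26 2011")

def parse_openssl_time(text):
    """'Aug 29 16:31:26 2011 GMT' -> aware datetime (openssl pads the day with a space)."""
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_entries(text):
    """Return [{serial, revoked, invalid}] per 'Serial Number:' block; invalid may be None."""
    entries = []
    for block in text.split("Serial Number:")[1:]:
        lines = [ln.strip() for ln in block.splitlines()]
        entry = {"serial": lines[0], "revoked": None, "invalid": None}
        for i, line in enumerate(lines):
            if line.startswith("Revocation Date:"):
                entry["revoked"] = parse_openssl_time(line.split(":", 1)[1])
            elif line.startswith("Invalidity Date:"):
                # openssl prints the value either on the same line or on the next one
                value = line.split(":", 1)[1].strip() or lines[i + 1]
                entry["invalid"] = parse_openssl_time(value)
        entries.append(entry)
    return entries

def check_entries(text, previous_last_update=None):
    """Return (serial, message) for every rule violation found in the CRL text."""
    problems = []
    for e in parse_entries(text):
        if e["invalid"] is not None and e["invalid"] > e["revoked"]:
            problems.append((e["serial"], "invalidityDate is later than revocationDate"))
        if previous_last_update is not None and e["revoked"] < previous_last_update:
            problems.append((e["serial"], "revocationDate predates previous CRL lastUpdate"))
    return problems

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ENTRY), ("corrected", CORRECTED_ENTRY)):
        print(label, check_entries(text) or "OK")
```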

Ralph Holz (TUM)
May 11, 2012, 8:30:57 AM
to mozilla.dev.s...@googlegroups.com, eab...@gmail.com, mozilla-dev-s...@lists.mozilla.org, ralph...@gmail.com
Hi,
Could be! Thanks!
