On 09/16/2011 12:55 AM, Fabian Hugelshofer wrote:
> manually issuing CRLs
> for a certain CA is not possible because the CRL has to be singed by the
> CA that issued the certificates.
Wow, that is a major SSL limitation indeed! If this is true, we either
must implement a custom black list functionality in Squid or customize
OpenSSL to allow any trusted CA to revoke any certificate. Since there
are too many OpenSSL versions, the former is probably more practical.
>>> What would you use to identify the certificates?
>>> - Serial number?
>>> - Serial number and common name?
>>> - Serial number and issuer?
>>> - Fingerprint (might not be available in each case)?
>>
>>
>> I hope somebody already answered these important questions in general
>> CRL context!
>
> CRLs use the serial number in combination with the issuer.
If we implement a custom black list, we can be flexible and support all
of the above. To start with, I guess we should block all certificates
with DigiNotar in the chain.
Thank you,
Alex.
P.S. I hope there is some IETF group that has started working on
adjusting SSL to be more prepared for the world where CAs can be
compromised!
Received on Fri Sep 16 2011 - 14:36:31 MDT
This archive was generated by hypermail 2.2.0 : Tue Sep 20 2011 - 12:00:04 MDT