Rather odd: http://crl.identrust.com


#1

Sorry: Why is the http://crl.identrust.com/DSTROOTCAX3CRL.crl the way to view info?


#2

Because we don’t like infinite loops?


#3

CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.identrust.com/DSTROOTCAX3CRL.crl

LOGIC says that a CRL, like a certificate, is always signed, so it can be served over plain HTTP, but HTTPS is not replayable (at least the protocol makes it sufficiently improbable in real-world scenarios to make replay attacks possible to perform).

Related:
https://tools.ietf.org/html/rfc6486


https://www.schneier.com/academic/paperfiles/paper-pki-ft.txt

And (@TCM above comment) the loop is a Windows issue generally.


#5

I’m not aware of any public CA that uses HTTPS for CRLs. This and the Microsoft article you linked to indicate that compatibility with HTTPS CRL URLs is not good enough in the TLS ecosystem for it to be a viable option. (Not to mention the infinite loop you’d run into - in order to load a CRL, you need to have loaded the CRL for the certificate that the HTTPS server uses, etc.)

Also worth mentioning: Let’s Encrypt doesn’t use CRLs for end-entity certificates at all. The IdenTrust CRL would only be relevant in a scenario where Let’s Encrypt’s cross-signed intermediate certificate is revoked, which is unlikely to happen (… I hope).
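The two points made in #3 and #5 (a CRL carries its own signature, so plain HTTP is enough for integrity, and an https:// distribution point would need a revocation check before the CRL itself can be fetched) can be shown with Go's standard library. This is an added example and not code from the thread or from Let's Encrypt or IdenTrust: it builds a throwaway CA and a CRL signed by it (constructed fixtures, with a made-up distribution point URL), verifies the CRL the way a relying party should, rejects a tampered copy and a stale copy, and flags a distribution point whose scheme would trigger the bootstrap loop.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// buildIssuerAndCRL creates a throwaway CA and a CRL signed by it that
// revokes one serial. Constructed fixture; not any real CA or CRL.
func buildIssuerAndCRL(revokedSerial int64) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Made-up distribution point, plain HTTP like the IdenTrust one.
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	issuer, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, key)
	return issuer, crlDER, err
}

// verifyCRL is what a relying party does with bytes fetched over plain HTTP:
// the transport is untrusted, so trust comes from the issuer's signature and
// from the CRL's own validity window (which is what limits replay of old copies).
func verifyCRL(crlDER []byte, issuer *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, err
	}
	if now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate)) {
		return nil, errors.New("CRL outside its validity window (stale or replayed copy)")
	}
	return crl, nil
}

// isRevoked reports whether the serial appears in the verified CRL.
func isRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// crlFetchNeedsTLS reports whether fetching the distribution point would
// itself require a TLS handshake, i.e. a revocation check of the CRL server's
// chain before the CRL can be obtained: the loop described in the thread.
func crlFetchNeedsTLS(dp string) (bool, error) {
	u, err := url.Parse(dp)
	if err != nil {
		return false, err
	}
	switch u.Scheme {
	case "http", "ldap":
		return false, nil
	case "https", "ldaps":
		return true, nil
	default:
		return false, fmt.Errorf("unsupported CRL distribution point scheme %q", u.Scheme)
	}
}

func main() {
	issuer, crlDER, err := buildIssuerAndCRL(42)
	if err != nil {
		panic(err)
	}
	crl, err := verifyCRL(crlDER, issuer, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("serial 42 revoked:", isRevoked(crl, big.NewInt(42)))
	// Flip one byte of the signature: a relying party must reject this copy.
	tampered := append([]byte(nil), crlDER...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = verifyCRL(tampered, issuer, time.Now())
	fmt.Println("tampered CRL rejected:", err != nil)
	for _, dp := range issuer.CRLDistributionPoints {
		loop, _ := crlFetchNeedsTLS(dp)
		fmt.Println(dp, "would need TLS first:", loop)
	}
}
```

The replay point from #3 is handled by the validity window check rather than by the transport: an attacker who serves an old CRL over HTTP can only do so until NextUpdate passes, and cannot remove a revoked serial without breaking the signature.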


#6

@pfg https://www.imperialviolet.org/2011/03/18/revocation.htm

Not meant to answer your different points. Just related.


#7

I’m aware of that article, how does it relate to this topic? Revocation via CRLs is just as broken (this is mentioned in the article). HTTPS would have no impact on this.


#8

Having an offline root, then using the intermediate CAs to generate actual certificates works fine and is, I believe, what you are doing.

My point is that SINCE your project is giving short life certs to users this matter may be of interest to debate further.


#9

That’s correct, but I’m not sure how it relates to this topic.

Short-lived certificates have the advantage of dying a natural death sooner than a typical 1-year certificate, so a key compromise typically doesn’t put users at risk quite as long even if revocation is broken, but I’m not entirely sure where you’re going with this, and how it relates to CRLs or OCSP.


#10

I may or may not be “going” some place. But at least we are thinking over things with others; which is what the community is about.


#11

Actually, I’m not thinking anything with this topic. The only thing that springs to mind is a topic starter who claims A and, when things are questioned, begins about topic B, ignoring topic A, where topics A and B are seemingly unrelated, but no explanation is given about the relationship…

So, let me be on topic then: how’s the weather in New York this time of year?


#12

@Osiris - Your comment is nasty. But that is your right.
As I stressed above, this is a forum, not a PhD thesis. And I will stop posting on this totally unpleasant forum.


#13

My way of working on an issue is to ASK questions leading to questions. And I stop, here.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.