A certificate revocation list (CRL) is a list of certificates that have been revoked and hence should not be trusted.
Questions tagged [crl]
54 questions
28
votes
3 answers
Does any technology prevent a CA unilaterally revoking a certificate?
As far as I can tell, a CA is in a position to unilaterally revoke a certificate via the standard mechanisms (CRL, OCSP).
In an increasingly TLS world, what current technology stops a CA shutting down a service they don't like?
Phil Lello
- 1,122
- 10
- 15
25
votes
3 answers
Is publishing CRLs over HTTP a potential vulnerability?
I noticed that at least one major CA (Comodo) publishes their CRL over HTTP rather than HTTPS.
This seems to me to be somewhat of a vulnerability, as an attacker could hijack the HTTP connection that seeks to download the CRL and when HSTS is in use…
user
- 7,670
- 2
- 30
- 54
17
votes
4 answers
CRL over HTTPS: is it really a bad practice?
On the Internet, I can find several statements done over the years claiming that serving a X.509 CRL over HTTPS is a bad practice because either
it causes a chicken-and-egg problem when checking for the TLS certificate and
it is simply a waste of…
SquareRootOfTwentyThree
- 670
- 5
- 12
14
votes
2 answers
Definitions for CRL Reasons
Is there any authoritative definition of the various reasons possible in a CRL file? Section 6.3.2(b) of RFC5280 lists a…
Bratchley
- 243
- 2
- 6
11
votes
1 answer
Should I use a Certificate Revocation List?
I've been trying to provide security to my API.
I will issue certificates to my clients to access my API through a TLS channel. So it'll be a SSL-Client Authentication.
I'm wondering, should I use CRL on my server? Why?
Note: I'll use my own CA and…
efkan
- 342
- 3
- 13
11
votes
1 answer
Are revoked certificates removed from CRLs after expiration? Why is this secure?
If a certificate is revoked before its expiry time and added to a CRL, is it removed from the CRL after the certificate validity period expires? RFC 5280 seems to imply this:
A complete CRL lists all unexpired certificates, within its scope,
that…
malexmave
- 213
- 1
- 9
9
votes
1 answer
How well do current browsers handle certificate revocation?
I am a Firefox user and recently stumbled upon the Liu, Yabing, et al. "An end-to-end measurement of certificate revocation in the web's PKI." Proceedings of the 2015 Internet Measurement Conference. ACM, 2015 study and after a moment of worry, I…
Cobalt Scales
- 123
- 9
7
votes
3 answers
X509 CRL suspended certificates and openssl ca comand
In CRL X509 format we have "Hold Instruction code" for a list of suspended certificates. I know that "its use is strongly deprecated for the Internet PKI", but in my own private CA, I want to use it.
Openssl has a ca command where I can do all the…
5
votes
1 answer
Does Firefox use OCSP?
And if it does use Online Certificate Status Protocol, is there a way to disable it, so that it uses CRL instead?
leeand00
- 1,297
- 1
- 13
- 21
5
votes
1 answer
Which CRL should an intermediate CA crlDistributionPoint contain?
Given a root certificate authority (CA) and an intermediate CA signed by the root:
Which CRL should the crlDistributionPoints contain to for the intermediate CA? The root CA's CRL or the intermediate CA's CRL?
It makes sense that each certificate…
Brad303
- 153
- 3
4
votes
1 answer
Mail Signing Certificate – What are the impacts when revocated?
Suppose I open a signed mail on 1st January 2000, signature is OK.
What about this two cases :
1) If next CRL is to be published one week later, I found it strange that it is “probably” valid until next CRL, this mean that I should wait one week to…
crypto-learner
- 697
- 1
- 7
- 17
4
votes
3 answers
How are CRLsets more secure?
Google Chrome doesn't do typical CRL/OSCP checks, instead it depends on CRLsets. In simple terms, Google scoops up the CRLs from most CAs, trims them down and delivers the CRLset to the browser via the update mechanism. They claim this is more…
Scott Helme
- 3,178
- 3
- 21
- 32
4
votes
0 answers
Openssl cms verify signature with timestamp and crl
I've used OpenSSL cms to sign the data and generate a detached signature. As per my requirements, I need to timestamp the signature as well, so that if the certificate expired, verification of signature can be done. The generated timestamp is also…
saurabh
- 723
- 1
- 4
- 12
4
votes
1 answer
Under what conditions is the Client trying "the next" CRL Distribution Point?
We've got a scenario where the CRL is distributed to 2 different Locations.
One ist accessable from a private network and not from the internet.
The other one is asseccable from the internet but not from the private network.
So to make sure that…
mnnhrt
- 41
- 1
4
votes
0 answers
Will WinVerifyTrust return true for a file signed by a revoked certificate, before it was revoked?
I've seen mentions online that drivers that were signed by certificates that were later revoked are still trusted by Windows' driver integrity. Apparently if the file was signed before the revocation date it's still trusted.
Does this apply at the…
homer321
- 41
- 1