Questions tagged [crl]

A certificate revocation list (CRL) is a list of certificates that have been revoked and hence should not be trusted.

54 questions
28 votes, 3 answers

Does any technology prevent a CA unilaterally revoking a certificate?

As far as I can tell, a CA is in a position to unilaterally revoke a certificate via the standard mechanisms (CRL, OCSP). In an increasingly TLS world, what current technology stops a CA shutting down a service they don't like?
Phil Lello
25 votes, 3 answers

Is publishing CRLs over HTTP a potential vulnerability?

I noticed that at least one major CA (Comodo) publishes their CRL over HTTP rather than HTTPS. This seems to me to be somewhat of a vulnerability, as an attacker could hijack the HTTP connection that seeks to download the CRL and when HSTS is in use…
user
17 votes, 4 answers

CRL over HTTPS: is it really a bad practice?

On the Internet, I can find several statements made over the years claiming that serving an X.509 CRL over HTTPS is a bad practice because either it causes a chicken-and-egg problem when checking for the TLS certificate and it is simply a waste of…
14 votes, 2 answers

Definitions for CRL Reasons

Is there any authoritative definition of the various reasons possible in a CRL file? Section 6.3.2(b) of RFC5280 lists a…
11 votes, 1 answer

Should I use a Certificate Revocation List?

I've been trying to provide security to my API. I will issue certificates to my clients to access my API through a TLS channel. So it'll be an SSL-Client Authentication. I'm wondering, should I use CRL on my server? Why? Note: I'll use my own CA and…
11 votes, 1 answer

Are revoked certificates removed from CRLs after expiration? Why is this secure?

If a certificate is revoked before its expiry time and added to a CRL, is it removed from the CRL after the certificate validity period expires? RFC 5280 seems to imply this: A complete CRL lists all unexpired certificates, within its scope, that…
malexmave
9 votes, 1 answer

How well do current browsers handle certificate revocation?

I am a Firefox user and recently stumbled upon the Liu, Yabing, et al. "An end-to-end measurement of certificate revocation in the web's PKI." Proceedings of the 2015 Internet Measurement Conference. ACM, 2015 study and after a moment of worry, I…
7 votes, 3 answers

X509 CRL suspended certificates and openssl ca command

In CRL X509 format we have "Hold Instruction code" for a list of suspended certificates. I know that "its use is strongly deprecated for the Internet PKI", but in my own private CA, I want to use it. OpenSSL has a ca command where I can do all the…
5 votes, 1 answer

Does Firefox use OCSP?

And if it does use Online Certificate Status Protocol, is there a way to disable it, so that it uses CRL instead?
leeand00
5 votes, 1 answer

Which CRL should an intermediate CA crlDistributionPoint contain?

Given a root certificate authority (CA) and an intermediate CA signed by the root: Which CRL should the crlDistributionPoints contain for the intermediate CA? The root CA's CRL or the intermediate CA's CRL? It makes sense that each certificate…
Brad303
4 votes, 1 answer

Mail Signing Certificate – What are the impacts when revoked?

Suppose I open a signed mail on 1st January 2000, signature is OK. What about these two cases: 1) If next CRL is to be published one week later, I found it strange that it is “probably” valid until next CRL, this means that I should wait one week to…
4 votes, 3 answers

How are CRLsets more secure?

Google Chrome doesn't do typical CRL/OCSP checks, instead it depends on CRLsets. In simple terms, Google scoops up the CRLs from most CAs, trims them down and delivers the CRLset to the browser via the update mechanism. They claim this is more…
Scott Helme
4 votes, 0 answers

OpenSSL cms verify signature with timestamp and crl

I've used OpenSSL cms to sign the data and generate a detached signature. As per my requirements, I need to timestamp the signature as well, so that if the certificate expired, verification of signature can be done. The generated timestamp is also…
saurabh
4 votes, 1 answer

Under what conditions is the Client trying "the next" CRL Distribution Point?

We've got a scenario where the CRL is distributed to 2 different locations. One is accessible from a private network and not from the internet. The other one is accessible from the internet but not from the private network. So to make sure that…
mnnhrt
4 votes, 0 answers

Will WinVerifyTrust return true for a file signed by a revoked certificate, before it was revoked?

I've seen mentions online that drivers that were signed by certificates that were later revoked are still trusted by Windows' driver integrity. Apparently if the file was signed before the revocation date it's still trusted. Does this apply at the…
homer321