Ticket #123 (reopened defect)

Opened 12 years ago

Last modified 10 years ago

debathena-ssl-certificates should include a CRL

Reported by: broder Owned by:
Priority: low Milestone: The Distant Future
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

From: Jeffrey I. Schiller <jis@MIT.EDU>
To: Anders Kaseorg <andersk@MIT.EDU>
Cc: scripts-moira@MIT.EDU
Subject: Re: One of your Certificates is Compromised [help.mit.edu #629346]
Date: Sun, 18 May 2008 17:15:39 -0400

Thanks. I didn't check to see if a new certificate had been issued. I
have published a CRL at http://ca.mit.edu/mitca.crl (I believe it can
be references via https as well, but it is a signed object so this
isn't necessary).

Of course if people don't import this CRL into their browser, it
doesn't do much good (though once imported into Firefox, it will be
automatically updated if the user sets it that way).

                        -Jeff

Unfortunately, ca-certificates-java apparently throws "some absurd error" if you include a CRL in the pack of certificates, and it's not really clear if including a CRL via update-ca-certificates is even meaningful.

We should find out if it is meaningful, and if it is, file a bug about ca-certificates-java.

Change History

comment:1 Changed 11 years ago by jdreed

  • Component set to --
  • Milestone set to IAP 2010

comment:2 Changed 11 years ago by broder

  • Status changed from new to closed
  • Resolution set to wontfix

Apparently mitcert-issued certs now include a CRL in them, which means that this will be a completely moot point in one year, if it's not already.

comment:3 Changed 11 years ago by andersk

  • Status changed from closed to reopened
  • Resolution wontfix deleted

Does the CRL Distribution Points URL actually get used by anything?

comment:4 Changed 10 years ago by jdreed

  • Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future
Note: See TracTickets for help on using tickets.