Closed Bug 101038 Opened 23 years ago Closed 22 years ago

deltaCRL being treated as full CRL

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.2

People

(Reporter: cfu, Assigned: rangansen)

References

Details

This is a bug that PSM treats a deltaCRL as a full CRL.  It ignores the
criticality of the delta CRL extension.
Here is how to reproduce:
0. get a new profile
1. to get a cert, go to http://cfu [Enrollment] [Directory] to enroll for a
cert. uid="test1", password="test1".
2. to revoke the cert, go to https://cfu [Revocation] and revoke the test1 cert
3. wait 20+ minutes, go to http://cfu [Retrieval][import crl], "Display the CRL
information," select "deltaCRL", you should see your cert in there.
4. go to http://cfu [Retrieval][import crl] and "Import the latest deltaCRL to
your browser.

when I "Manage Cerfificates" on N6, I expect to see the cert just revoked to be
"verified", because N6 currently does not understand deltaCRL, and thus should
detact the criticality of the extension and leave it; however, I saw the cert
NOT verified, which tells me that N6 is not doing the right thing, and worse, is
treating a deltaCRL as a full CRL.

FYI, it has been confirmed that the binary imported into the browser indeed is a
deltaCRL with "critical" bit turned on.
a few things to ponder:
we could
A. at download, detect the unrecognized extension, and just throw it away and
tell user that it's not viable
or
B. allow to download, but not use it.
->rangan
Assignee: ssaux → rangansen
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → Future
Actually, NSS does not handle/support delta CRLs right now. So, what should
happen is that a delta CRL should never the allowed to be imported unless they
are supported [Bug# 103946]. Making this bug depend on 103946.
Depends on: 103946
*** Bug 95640 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
Target Milestone: Future → 2.2
*** Bug 95469 has been marked as a duplicate of this bug. ***
I think this bug has been fixed because the underlying NSS
bug 103946 has been fixed.

NSS and PSM still don't recognize delta CRLs, but they no
longer treat delta CRLs as full CRLs.
I think so - it doesn't let me download delta crls any more..
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
*** Bug 95641 has been marked as a duplicate of this bug. ***
Verified.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.