We need a live example of a site with a revoked cert in OneCRL to test against, to ensure that the full stack is working. One step is to create a site purely for testing, using a certificate that we will block. This is similar to https://revoked.badssl.com, but we specifically want a cert that has not been revoked by other means. The next step would be to stage an entry in Kinto for this cert. Lastly, I would like to then test against this entry in TLS Canary to ensure, on every run, that we are testing with a working OneCRL mechanism. Filing this bug to track the progress of the above.
Looks like bug 1300977 already did this via OneCRL, so no point in doing again.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1300977
Note that revoked.badssl.com is revoked via OCSP in addition to being included in OneCRL, so unless you turn off OCSP and the site doesn't staple, you have the possibility of a false-negative. Note: The site does not staple OCSP at this time. https://crt.sh/?id=30883525 https://observatory.mozilla.org/analyze.html?host=revoked.badssl.com#tls
Excellent catch, JC, thank you! For the test, I can disable OCSP. I can follow up with April to inquire about stapling and if this will ever happen to the test site in the future.