Collaborate Disseminate
I’ve done quite a bit of reading about PKI in ADCS and CRL/OCSP, but I can’t seem to find an answer to a small couple of questions I still have:
It is clear to me that even with OCSP in place, you still need a (delta) CRL (OCSP relies on … Continue reading PKI – CRL and OCSP
At a high level the way secure boot functionality works is by embedding the hash of the company’s root cert in ROM. Then the OS image itself is signed with a key that chains up to the root cert embedded in the ROM. For exampl… Continue reading How to handle compromised certs in a secure boot flow?
As far as I can tell:
It is possible to generate a private keyring (i.e. signing private key, plus associated encryption private key and authentication private key) entirely on an OpenPGP Smartcard (i.e. without ever export… Continue reading OpenPGP SmartCard: generate revocation certificate on-card?
Microsoft publishes their untrusted certificates as disallowedcerts.stl Warning: direct download.
It is ASN.1 encoded. After decoding it there is a list of sequences like so:
SEQUENCE {
OCTETSTRING dfbdd… Continue reading Understanding Microsoft list of disallowed certificates
OCSP responses have a ‘nextUpdate’ field, which is the expected time for the new revocation update and that the current revocation can be considered valid. The revocations can be cached by the intermediate cert servers, which I have seen … Continue reading OCSP, CRLs, crlset – Revocation Delivery and Attacks
I don’t really understand why the approach towards checking the validity of certificates is “valid until proven otherwise” (aka revocation lists).
In my opinion this is kind of weird. A CA has to manually keep track of all t… Continue reading Why are CRLs used instead of "valid certificates lists" and inner workings of CRLs
My antivirus noted gcp.gvt2.com certificate is expired today, gvt2.com alegently used by google analytics.
It might to do with Google distrust of Symantec https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html. Is … Continue reading Google certificate gcp.gvt2.com untrusted / expired?
I’m currently beginning analysis in this field and stumbled across the thread titled: “Comparison and difference between CAs”
The question seems largely unresolved. Does there exist any product or feature comparison list acr… Continue reading Product & Feature Comparison of EJBCA, Active Directory Certificate Services, or Entrust Authority Security Manager?
When I launch my Windows, certificate revocation checks are performed. These occur once when explorer.exe is launched then periodically, every 40 minutes approximately, to 5 IPs. Most of these target Microsoft, Google or Akam… Continue reading Certificate Authentication from untrusted IP address
I’m using OpenSSL to verify a signed code in a custom PKI. How can I verify the CRL of each node of the cert hierarchy.
My hierarchy is : RootCA -> SubCA1 -> SubCA2 -> EndUser. I can verify the CRL for one depth chain :
~/$… Continue reading openssl CLI – verify CRL of an entire certification chain