by tialaramex
2523 days ago
Not a bug, but let's say a "shortcoming". EJBCA felt they'd clearly documented what this did, their users not so much. And the defence against this stuff is curiosity - which is internal process. If you issue lots of certificates (say, more than a dozen) and you find that the "64-bit" integers in them actually only vary in 63 bits you ought to be suspicious. If Actalis (or other CAs) had declared "Hi, we found out about this after two weeks when we looked at our serial numbers more closely" instead of waiting for the problem with EJBCA to get called out explicitly I'd have _way_ more sympathy. Likewise if you're sure you are implementing 3.2.2.4.6 Agreed-Upon Change to Website, curiosity would suggest it's worth taking a look at some of those agreed upon changes and how they were verified, and how some failed. No failures at all? Well that's weird, let's look more closely - oh, we're counting 404 errors as success. Oops. (Yes a real public CA did this and in their case they did find it before someone else reported it).
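The "do our 64-bit serials really vary in 64 bits?" check the comment describes, as an added example that is not code from EJBCA, Actalis or the commenter: it reports which bit positions never change across a batch of serial numbers and how unlikely that would be for a real CSPRNG. The sample serials are constructed here from a generator that only fills 63 bits.

```python
import random

WIDTH = 64  # the field width the CA believes it fills with random bits

def varying_bits(serials, width=WIDTH):
    """Bit positions that are 0 in some serial and 1 in another.

    Two accumulators suffice: OR of all serials marks bits ever set,
    OR of all complements marks bits ever clear; their intersection varies.
    """
    mask = (1 << width) - 1
    ever_one = 0
    ever_zero = 0
    for s in serials:
        ever_one |= s & mask
        ever_zero |= ~s & mask
    both = ever_one & ever_zero
    return {i for i in range(width) if both >> i & 1}

def stuck_bits(serials, width=WIDTH):
    """Bit positions that never change across the whole batch."""
    return set(range(width)) - varying_bits(serials, width)

def chance_of_any_stuck_bit(n_serials, width=WIDTH):
    """Union bound on the probability that truly random serials show at
    least one constant bit: each position is constant with probability
    2**(1-n), and there are `width` positions."""
    return min(1.0, width * 2.0 ** (1 - n_serials))

def parse_serial(hex_string):
    """Turn the colon-separated hex that `openssl x509 -serial` prints into an int."""
    return int(hex_string.replace(":", ""), 16)

def audit(serials, width=WIDTH):
    """Return (stuck bit positions, probability bound if the RNG were honest)."""
    stuck = stuck_bits(serials, width)
    if not stuck:
        return stuck, 1.0
    return stuck, chance_of_any_stuck_bit(len(serials), width)

# Constructed sample (not real certificates): 24 serials from a generator
# that only fills 63 bits, mimicking a "64-bit" field whose top bit is
# always clear.
_rng = random.Random(2019)
SAMPLE_SERIALS = [_rng.getrandbits(63) for _ in range(24)]

if __name__ == "__main__":
    stuck, p = audit(SAMPLE_SERIALS)
    print(f"stuck bits: {sorted(stuck)}  (chance if truly random <= {p:.2e})")
```

With a couple of dozen serials the bound is already around 1e-4, so a single constant bit is worth a closer look rather than a shrug.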