There is this McAfee-maintained list of known CAs. I would like to use this list in a way which is possibly not intended.
I have a rule which decides if some requests can pass without authentication. This is mostly for Firefox's checks for updates, i.e.
Sometimes there are clients which insist on checking for CRLs for themselves, namely the Cisco WebEx Client. Dogmatically it hard-failed when the certificate changed and the CRL URI was not on my white list.
On the other hand: exactly this CRL URI is in "Known CAs". What I do not know: can I use this list like in
URL is in list "Known CAs"
to shorten my manually maintained white list?
We do have the CRL URLs in the database, so it should not be a big deal to make a list of CRL URLs. Anyway, this will only help bypassing the CRL URLs for CAs we have in the trusted list; it will not help getting access to CRLs apart from that. Maintaining a list with any CRL URL that may exist won't be possible, I think.
It would be of much help to have only the CRL URLs of the CAs which are in the trusted list.
Actually I do not even want my users to grab CRLs from CAs not in the trusted list without me explicitly whitelisting these. :-)