On 10/23/13 3:14 PM, Eddy Nigg wrote:

>> In the case of EV certs, Mozilla is still checking the CRL when the
>> OCSP URI is not provided.
>
> Since when does Firefox check CRLs? I believe it never did except if
> configured manually (which is probably almost never).

For EV certs Firefox has always checked the CRL when the OCSP AIA URI was not provided. EV treatment would not be given if current revocation information was not obtained.

However, the code change to remove the CRL check is now targeted for Firefox 28.
https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34
This will have the effect of requiring OCSP for EV certs. If a valid OCSP response is not obtained (either via OCSP stapling or via the OCSP AIA URI), then EV treatment will not be given.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
