On 10/23/13 3:14 PM, Eddy Nigg wrote:
>> In the case of EV certs, Mozilla is still checking the CRL when the
>> OCSP URI is not provided.
>
> Since when does Firefox check CRLs? I believe it never did except if
> configured manually (which is probably almost never).

For EV certs Firefox has always checked the CRL when the OCSP AIA URI
was not provided. EV treatment would not be given if current revocation
information was not obtained.
However, the code change to remove the CRL check is now targeted for
Firefox 28.
https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34
This will have the effect of requiring OCSP for EV certs. If a valid
OCSP response is not obtained (either via OCSP stapling or via the OCSP
AIA URI), then EV treatment will not be given.
Kathleen
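
A certificate-side check for the change described in the message above, as an added example that is not part of the original e-mail and is not Mozilla or NSS code: it uses the `openssl` CLI to report whether a certificate carries an OCSP URI in its AIA extension, only a CRL distribution point, or neither. The function names, the throwaway sample certificates and the `*.example.test` URLs are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not Mozilla/NSS code. Classifies which revocation pointers a
# PEM certificate carries, to spot EV certs affected by dropping the CRL check.

# Print the OCSP responder URI(s) from the AIA extension; empty if there is none.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Succeed if the certificate has a CRL Distribution Points extension.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 CRL Distribution Points'
}

# ocsp-aia   : the client can fetch OCSP from the AIA URI (stapling also works)
# crl-only   : no OCSP URI; once the CRL check is gone, EV treatment depends
#              on the server stapling a valid OCSP response
# no-pointer : neither an OCSP URI nor a CRL distribution point is present
ev_revocation_path() {
    if [ -n "$(ocsp_uri_of "$1")" ]; then
        echo ocsp-aia
    elif has_crl_dp "$1"; then
        echo crl-only
    else
        echo no-pointer
    fi
}

# Constructed sample: a throwaway self-signed certificate carrying the
# extension given in $2 (hypothetical URLs), written to the path in $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample' \
        -keyout "$1.key" -out "$1" -addext "$2" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/ocsp.pem" 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test'
make_sample "$tmp/crl.pem"  'crlDistributionPoints=URI:http://crl.example.test/ca.crl'
for f in "$tmp"/*.pem; do
    printf '%s: %s\n' "$(basename "$f")" "$(ev_revocation_path "$f")"
done
rm -rf "$tmp"
```

To audit a real certificate, call `ev_revocation_path /path/to/cert.pem`; a `crl-only` result marks a certificate whose EV treatment relied on the CRL path.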