Kathleen Wilson wrote:
> In the case of EV certs, Mozilla is still checking the CRL when the OCSP URI
> is not provided.

Which CRL? Where does it come from?

> Though, I believe the plan is to stop checking CRL in the
> future...
> https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34
> "Instead of checking explicitly for an OCSP responder URI in the AIA
> extension, let's simply remove the support for downloading CRLs from Firefox's
> EV checking. That will have the effect of enforcing that all certs in the
> chain have an OCSP AIA extension, except possibly for the end-entity
> certificate if the server stapled the end-entity OCSP response. I agree with
> the CA representatives that a missing OCSP AIA URL isn't harmful when a
> stapled OCSP response is provided. So, I am OK with allowing that exception,
> at least for now."

Anyone writing such nonsense surely is on NSA's payroll.

Ciao, Michael.