Virtually every CA relying party agreement (RPA) that I know stipulates that a 
user must validate the SSL using CRL or OCSP in order to place any reliance on 
the certificate.

Removal of that capability from browsers renders those RPAs useless, and 
effectively removes warranties from the SSL sector.



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+s.davidson=quovadisglobal....@lists.mozilla.org]
 On Behalf Of Brian Smith
Sent: Monday, October 28, 2013 4:15 PM
To: Rick Andrews
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: Netcraft blog, violations of CABF Baseline Requirements, any 
consequences?

On Mon, Oct 28, 2013 at 11:31 AM, Rick Andrews <r.andr...@computer.org> wrote:
> Brian, you seem to be saying that revocation checking adds value only when 
> there's an attacker involved. If that's your point, I disagree. There are 
> cases in which a CA revokes a certificate because the site has misrepresented 
> itself, and revocation serves as a warning to the client.

Thanks for the clarification. Could you give an example where such a revocation 
would be useful for a Firefox user to know about, to the extent that the cost of 
doing the revocation checking is justified?
So far, I'm of the opinion that when there's no attacker, there's no problem (no 
harm, no foul).

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM) 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy