On 10/28/2013 09:51 PM, From Brian Smith:
> On Mon, Oct 28, 2013 at 12:27 PM, Stephen Davidson
> <s.david...@quovadisglobal.com> wrote:
>> Virtually every CA relying party agreement (RPA) that I know stipulates that a
>> user must validate the SSL using CRL or OCSP in order to place any reliance on
>> the certificate.
>>
>> Removal of that capability from browsers renders those RPAs useless, and
>> effectively removes warranties from the SSL sector.
> Aren't these RPAs already useless?
>
> Anyway, AFAICT Mozilla didn't agree to any RPA agreement with any CA.
> Also, our users have not agreed to any such agreements. Perhaps it is
> worthwhile to clarify this by forbidding such requirements on relying
> parties as part of our CA policy.

Actually you did by adding a root whose policy Mozilla ought to know fairly well. Mozilla is a relying and/or acts as a relying party on parts of the obligations and on behalf of the user. A user using a software that doesn't check revocation (knowingly) may NOT rely on a certificate.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
