Changing the subject line because compliance is at the heart of this issue. I also would like to thank Brian for his comment below, because it seems we're discussing less the merits of CRLs and more rationalizing the cost to implement. Regarding the merits, here's a simple case that I hope will illustrate the importance of CRLs: - Site admin: someone hacked my server and probably took my private key and SSL certificate - CA: okay, generate a new key pair and send over the signing request and we'll get you a new certificate; in the mean time we'll issue a CRL so nobody uses the old cert anymore - Mozilla: meh, I don't see the big deal, I'm sure everything will be fine if I continue to allow the cert anyway So, to put it another way, the decision to use a revoked cert is not Mozilla's to make - - the decision to revoke has to be respected. Here's why: - Cert thief: cool, all Firefox users will still recognize this cert so now I can sell it on the black market! Since this cert is for a high value target, I should be able to get some good money for it. I'll start the bidding at $50,000. So...if Mozilla can't implement CRL support because of staffing issues and priorities, that's fine. Actually it's completely understandable. In the meantime, Mozilla is not 5280 compliant--and that should be a big deal.
... I hope you can understand
how a software engineer would have trouble arguing in favor of such an expensive feature as CRL fetching (or even OCSP fetching) without a valid argument in favor of doing it. Right now we're lacking valid arguments for doing it. Cheers, Brian |
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy