On 10/29/13 5:20 AM, fhw...@gmail.com wrote:
> Changing the subject line because compliance is at the heart of this
> issue. I also would like to thank Brian for his comment below, because
> it seems we're discussing less the merits of CRLs and more rationalizing
> the cost to implement.

<snip>

> So...if Mozilla can't implement CRL support because of staffing issues
> and priorities, that's fine. Actually it's completely understandable. In
> the meantime, Mozilla is not 5280 compliant--and that should be a big deal.

Please see https://wiki.mozilla.org/CA:ImprovingRevocation
There is also an interesting research paper attached to that page about
revocation.
Folks are working towards adding a revocation-push mechanism so that
Firefox preloads certain revocation information for intermediate and
end-entity certificates. I started the discussion about which types of
revocations should be included for intermediate certs here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/cNd16FZz6S8/t3GwjaFXx-kJ
There will be a similar discussion for end-entity cert revocations, I
just haven't started it yet.
The goal is for the revocation-push mechanism to be used instead of
traditional CRL checking, for reasons described in the wiki page and the
research paper.
In my opinion, the sequence in which certain changes (like ripping out
the CRL user interface) were made could have been better, such as happening
after the revocation-push mechanism was in place. But, in my opinion, we are
heading in the right direction -- there will be revocation checking, it
just will be done in a better and more efficient way.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy