I was hoping to see more responses on this issue. Does that mean people agree it's a problem but aren't sure what to do about it? Is it a small problem because Firefox already does OCSP and all the CAs do too? Or...? Thanks.
I think that is correct, Matthias. What's more is that anyone who issues an end-entity cert will be unable to stop FF from using that cert in the future--without OCSP setup--until the expiration date. (I'll need someone to correct me on that.) I gotta believe there are people out there who issue(d) CRLs thinking that they are now protected when in reality they are not.
On 29.10.2013 19:37, Kathleen Wilson wrote:
> The goal is for the revocation-push mechanism to be used instead of
> traditional CRL checking, for reasons described in the wiki page and the
> research paper.

Everyone with a "self-made" CA will be completely cut off from revocation checking, except there is an OCSP responder?

Matthias
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy