Given the current Heartbleed situation, wouldn't it be appropriate to turn on hard fail for revocation checking so that unknown status results in the cert being rejected?
I am seeing people suggest that a CA be dropped from the root for their alleged improper handling of revocation. If revocation matters so much that it must be enforced on CAs then it matters enough to turn on hardfail for a major server coding error. Every platform is vulnerable because the server key can be extracted in certain situations. A browser does not need to use OpenSSL to be vulnerable to the OpenSSL bug.

--
Website: http://hallambaker.com/
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy