On Wed, Jun 22, 2016 at 06:18:51PM +0000, Steve wrote:
> CAs are running OCSP responders up to the root tier. Once a CA is
> terminated in a standards-compliant and densely interoperable way from
> participating in a trusted discovery path to an embedded root, it should no
> longer be in the scope of business of root trust store owners.
The BRs actually require both OCSP and a CRL distribution point for subordinate CA certificates. But most CA certificates don't have OCSP information; most do have the CRL distribution point. But as far as I know nobody checks the OCSP reply of the intermediate CAs, only the subscriber certificate is checked. Most people don't download CRL information, and it's clearly going to give a worse user experience if we have to download it when we establish a connection.

There are CA certificates that don't have either OCSP or CRL information in them, so there really is no way to actually check them. It's clear that CA certificates do get revoked, so we need to have some way to check it. Since we don't even have a list of all CA certificates, we can't go and check all of them ourselves to see if any of them are revoked. So we need to have at least all such certificates disclosed to start with, including the revoked ones.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
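An added example, not code from the thread or from either poster: a Go audit using only the standard library that walks a chain and flags CA certificates carrying neither an OCSP responder URL nor a CRL distribution point, i.e. the "no way to actually check them" case above. It only inspects the extensions (it performs no OCSP or CRL fetch); the chain, subject names and URLs are constructed test data, and the certificates are self-signed for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Pointers reports whether a certificate carries an OCSP URL (AIA) and/or a CRL Distribution Points extension.
func Pointers(c *x509.Certificate) (hasOCSP, hasCRL bool) {
	return len(c.OCSPServer) > 0, len(c.CRLDistributionPoints) > 0
}

// UncheckableCAs lists CA certificates in a chain with neither pointer: no standard way to learn of revocation.
func UncheckableCAs(chain []*x509.Certificate) []string {
	var out []string
	for _, c := range chain {
		if ocsp, crl := Pointers(c); c.IsCA && !ocsp && !crl {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// mkCert is a constructed helper: a minimal self-signed certificate with the given pointers.
func mkCert(cn string, ca bool, ocsp, crl []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, OCSPServer: ocsp, CRLDistributionPoints: crl}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// SampleChain (constructed data) mirrors the thread: leaf with both pointers, intermediate with CRL only, root with neither.
func SampleChain() []*x509.Certificate {
	return []*x509.Certificate{
		mkCert("leaf.example", false, []string{"http://ocsp.example/"}, []string{"http://crl.example/leaf.crl"}),
		mkCert("Example Intermediate CA", true, nil, []string{"http://crl.example/int.crl"}),
		mkCert("Example Root CA", true, nil, nil),
	}
}
```

Against a real chain (for example the `VerifiedChains` from a `tls.ConnectionState`), the same `UncheckableCAs` call reports which CA certificates a client could not check even if it wanted to.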