That's why Mozilla has a policy to disclose all such CAs through OneCRL.
Seems like unnecessary information to disclose the CA as part of OneCRL and
as part of the Salesforce program.  

-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
Sent: Wednesday, June 22, 2016 2:31 PM
To: Steve <steve.me...@gmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Eric Mill
<e...@konklone.com>; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling
<rob.stradl...@comodo.com>; Peter Bowen <pzbo...@gmail.com>; Ben Wilson
<ben.wil...@digicert.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

On Wed, Jun 22, 2016 at 06:18:51PM +0000, Steve wrote:
> CAs are running OCSP responders up to the root tier.  Once a CA is 
> terminated in a standards-compliant and densely interoperable way from 
> participating in a trusted discovery path to an embedded root, it 
> should no longer be in the scope of business of root trust store owners.

The BRs actually require both OCSP and CRL distribution point for
subordinate CA certificates.  But most CA certificates don't have OCSP
information, most do have the CRL distribution point.

But as far as I know nobody checks the OCSP reply of the intermediate CAs,
only the subscriber certificate is checked.

Most people don't download CRL information, and it's clearly going to give a
worse user experience if we have to download it when we establish a connection.

There are CA certificates that don't have either OCSP or CRL
information in it, so there really is no way to actually check them.

It's clear that CA certificates do get revoked, so we need to have some way
to check it.

Since we don't even have a list of all CA certificates, we can't go and
check all of them ourselves to see if any of them are revoked.
So we need to have at least all such certificates disclosed to start with,
including the revoked ones.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
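Kurt's point above is that a CA certificate can only be checked for revocation if it carries a pointer a checker can follow: an OCSP URL in authorityInfoAccess and/or a URL in cRLDistributionPoints, and some intermediates carry neither. The script below is an added example, not code from this thread, from Mozilla or from any CA: a pure-Python DER walk that reports which of those pointers a certificate has. It assumes single-byte tags and definite lengths (all X.509 uses) and only walks the structures named; the three sample certificates at the bottom are constructed, unsigned skeletons with placeholder fields, and the URLs in them are made up. Fed a real DER-encoded certificate (`open(path, "rb").read()`), `classify` gives the same four-way answer.

```python
"""Report which revocation pointers (OCSP via AIA, CRL DP) a certificate carries."""
from typing import Dict, Iterator, List, Tuple

# DER content bytes of the OIDs we look for (tag and length stripped)
OID_AIA = bytes.fromhex("2b06010505070101")      # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CRL_DP = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
OID_AD_OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
TAG_URI = 0x86   # GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String
TAG_CTX0 = 0xA0  # constructed context-specific tag [0]
TAG_EXTS = 0xA3  # tbsCertificate extensions [3] EXPLICIT


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the (tag, content) pairs packed inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def extensions(cert_der: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (extnID OID content, extnValue OCTET STRING content) per extension."""
    _, cert, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs = next(children(cert))                 # tbsCertificate comes first
    for tag, field in children(tbs):
        if tag == TAG_EXTS:
            _, ext_seq = next(children(field))    # Extensions ::= SEQUENCE OF Extension
            for _, ext in children(ext_seq):
                parts = list(children(ext))       # extnID, optional critical, extnValue
                yield parts[0][1], parts[-1][1]


def revocation_pointers(cert_der: bytes) -> Dict[str, List[str]]:
    """Collect OCSP responder URLs (from AIA) and CRL URLs (from CRL DP fullName)."""
    found: Dict[str, List[str]] = {"ocsp": [], "crl": []}
    for ext_id, ext_value in extensions(cert_der):
        if ext_id == OID_AIA:
            _, access_list, _ = read_tlv(ext_value, 0)    # SEQUENCE OF AccessDescription
            for _, desc in children(access_list):
                (_, method), (loc_tag, loc) = list(children(desc))
                if method == OID_AD_OCSP and loc_tag == TAG_URI:
                    found["ocsp"].append(loc.decode("ascii"))
        elif ext_id == OID_CRL_DP:
            _, dp_list, _ = read_tlv(ext_value, 0)        # SEQUENCE OF DistributionPoint
            for _, dp in children(dp_list):
                for tag, dp_name in children(dp):
                    if tag != TAG_CTX0:                   # only [0] distributionPoint
                        continue
                    for name_tag, names in children(dp_name):
                        if name_tag == TAG_CTX0:          # [0] fullName GeneralNames
                            found["crl"] += [v.decode("ascii")
                                             for t, v in children(names) if t == TAG_URI]
    return found


def classify(cert_der: bytes) -> str:
    """'ocsp+crl', 'ocsp-only', 'crl-only' or 'no-pointers' (nothing a checker can fetch)."""
    p = revocation_pointers(cert_der)
    if p["ocsp"] and p["crl"]:
        return "ocsp+crl"
    if p["ocsp"]:
        return "ocsp-only"
    if p["crl"]:
        return "crl-only"
    return "no-pointers"


# --- constructed sample certificates: unsigned skeletons with placeholder fields ---
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder: tag, definite length, content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def build_cert(ocsp_url: str = "", crl_url: str = "") -> bytes:
    """Build a certificate-shaped DER blob carrying only the requested pointers."""
    exts = b""
    if ocsp_url:
        aia = der(0x30, der(0x30, der(0x06, OID_AD_OCSP) + der(TAG_URI, ocsp_url.encode())))
        exts += der(0x30, der(0x06, OID_AIA) + der(0x04, aia))
    if crl_url:
        dp = der(0x30, der(TAG_CTX0, der(TAG_CTX0, der(TAG_URI, crl_url.encode()))))
        exts += der(0x30, der(0x06, OID_CRL_DP) + der(0x04, der(0x30, dp)))
    tbs = (der(0xA0, der(0x02, b"\x02"))   # version v3
           + der(0x02, b"\x01")            # serialNumber (placeholder)
           + der(0x30, b"") * 5            # signature, issuer, validity, subject, spki (placeholders)
           + (der(TAG_EXTS, der(0x30, exts)) if exts else b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    samples = [("ocsp and crl", build_cert("http://ocsp.example.test", "http://crl.example.test/ca.crl")),
               ("crl only", build_cert(crl_url="http://crl.example.test/ca.crl")),
               ("nothing", build_cert())]
    for label, cert in samples:
        print(f"{label:13s} -> {classify(cert)} {revocation_pointers(cert)}")
```

The "no-pointers" case is the one the thread is about: for such a certificate no online check is possible, which is why a disclosed inventory (and a push list such as OneCRL) is the only way to act on a revocation.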
