I think the vision is that in the long run, OneCRL would be based on the Salesforce data.
Sent from my iPhone. Please excuse brevity.

> On Jun 22, 2016, at 16:56, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
>
> That's why Mozilla has a policy to disclose all such CAs through OneCRL.
> Seems like unnecessary information to disclose the CA as part of OneCRL and
> as part of the Salesforce program.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
> Sent: Wednesday, June 22, 2016 2:31 PM
> To: Steve <steve.me...@gmail.com>
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Eric Mill <e...@konklone.com>; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>; Peter Bowen <pzbo...@gmail.com>; Ben Wilson <ben.wil...@digicert.com>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
>> On Wed, Jun 22, 2016 at 06:18:51PM +0000, Steve wrote:
>> CAs are running OCSP responders up to the root tier. Once a CA is
>> terminated in a standards-compliant and densely interoperable way from
>> participating in a trusted discovery path to an embedded root, it
>> should no longer be in the scope of business of root trust store owners.
>
> The BRs actually require both OCSP and CRL distribution point for
> subordinate CA certificates. But most CA certificates don't have OCSP
> information; most do have the CRL distribution point.
>
> But as far as I know nobody checks the OCSP reply of the intermediate CAs,
> only the subscriber certificate is checked.
>
> Most people don't download CRL information, and it's clearly going to give a
> worse user experience if you have to download it when we establish a connection.
>
> There are CA certificates that don't have either OCSP or CRL
> information in them, so there really is no way to actually check them.
>
> It's clear that CA certificates do get revoked, so we need to have some way
> to check it.
>
> Since we don't even have a list of all CA certificates, we can't go and
> check all of them ourselves to see if any of them are revoked.
> So we need to have at least all such certificates disclosed to start with,
> including the revoked ones.
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
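Kurt's point that some CA certificates carry neither an OCSP pointer nor a CRL distribution point, and so cannot be checked at all, can be turned into a simple audit step. The following is an added example, not code from this thread or from Mozilla: it uses the pyca `cryptography` package (assumed installed) to report which revocation pointers a CA certificate carries; the two self-signed sub-CA certificates and their URLs are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

def revocation_pointers(cert: x509.Certificate) -> dict:
    """Return the OCSP and CRL URLs a relying party could use to check `cert`."""
    out = {"ocsp": [], "crl": []}
    try:  # Authority Information Access: OCSP responder URL(s)
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
        out["ocsp"] = [d.access_location.value for d in aia
                       if d.access_method == AuthorityInformationAccessOID.OCSP
                       and isinstance(d.access_location, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    try:  # CRL Distribution Points: CRL URL(s)
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
        out["crl"] = [n.value for dp in cdp for n in (dp.full_name or [])
                      if isinstance(n, x509.UniformResourceIdentifier)]
    except x509.ExtensionNotFound:
        pass
    return out

def is_checkable(cert: x509.Certificate) -> bool:
    p = revocation_pointers(cert)  # at least one usable pointer is needed
    return bool(p["ocsp"] or p["crl"])

def make_test_ca(name, ocsp_url=None, crl_url=None) -> x509.Certificate:
    """Constructed self-signed CA certificate (test data only, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if ocsp_url:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
            critical=False)
    if crl_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(key, hashes.SHA256())

# Constructed examples: a sub-CA with both pointers and one with neither (uncheckable).
WITH_POINTERS = make_test_ca("Example Sub CA", "http://ocsp.example.test", "http://crl.example.test/sub.crl")
NO_POINTERS = make_test_ca("Example Sub CA (bare)")
```

Running `revocation_pointers` over a disclosed intermediate set shows which certificates a relying party could check on its own and which can only be handled through a disclosure list such as OneCRL.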