Jakob Bohm <jb-mozi...@wisemo.com> writes: >This tells me that Firefox OCSP defaults are *insecure* and reaffirms my >impression that Firefox has completely dropped the ball on CRL handling >(Since the security-on setting is for OCSP only).
No, it tells me that the Firefox developers applied common sense (OK, the people doing Firefox *crypto* applied common sense, the people doing the Firefox UI are another story altogether). It's also not much different from what Chrome and others are doing. Revocation checking is one of the places where PKI theory has to confront reality, and comes in for a rude shock. It's a cost/benefit tradeoff, CRL checking for general sites is pretty much pointless and has a high cost, non- stapled OCSP the same. For high-value certs like CAs it may be worth it, or at least creating the impression you're doing something may give you warm fuzzies so it could be worth doing. So what Firefox and Chrome and others are doing is simply acknowledging practical reality. Peter. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy