Ka-Ping Yee wrote:
> On Tue, 7 Nov 2006, Eddy Nigg (StartCom Ltd.) wrote:
>
>> I'm afraid, but this isn't something the browser vendor controls, only
>> the CA. Not feasible.
>>
>
> But if certificate revocation is going to work, doesn't it have to be
> implemented by the browser? Couldn't there be a role for Mozilla to
> play here?
>

First of all, revocation checking is working. Actually also here there is some improvement to make, because you have to import the CRL manually. OCSP is turned _off_ by default, I think. An improvement would be to use the CRL distribution points identifier and import the CRL automatically. Same is true for OCSP (if there is an OCSP service URL in the certificate, it should be used).

However, CRLs are issued by the CA; the browser vendor doesn't have any function here.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
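The message above refers to the CRL distribution points identifier and the OCSP service URL carried in a certificate. The following is an added example, not part of the original post, showing how a client can locate both by walking the DER-encoded extensions. It assumes the Extensions SEQUENCE has already been cut out of the certificate, and the sample bytes and `example.test` URLs are constructed for illustration.

```python
OID_CDP = bytes.fromhex("551d1f")                    # 2.5.29.31 cRLDistributionPoints
OID_AIA = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")         # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")   # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String

def read_tlv(buf, off):  # one DER element, single-byte tags -> (tag, value, next offset)
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def children(buf):
    off = 0
    while off < len(buf):
        tag, value, off = read_tlv(buf, off)
        yield tag, value

def revocation_endpoints(extensions_der):  # URLs named in a DER Extensions SEQUENCE
    found = {"crl": [], "ocsp": []}
    for _, ext in children(read_tlv(extensions_der, 0)[1]):
        fields = list(children(ext))  # extnID, optional critical flag, extnValue
        oid, seq = fields[0][1], read_tlv(fields[-1][1], 0)[1]
        if oid == OID_CDP:  # DistributionPoint -> [0] distributionPoint -> [0] fullName
            for _, dp in children(seq):
                for _, dpn in (c for c in children(dp) if c[0] == 0xA0):
                    for _, names in (c for c in children(dpn) if c[0] == 0xA0):
                        found["crl"] += [v.decode("ascii") for t, v in children(names) if t == URI]
        elif oid == OID_AIA:  # AccessDescription ::= { accessMethod, accessLocation }
            for _, ad in children(seq):
                (_, method), (tag, location) = list(children(ad))[:2]
                if method == OID_OCSP and tag == URI:
                    found["ocsp"].append(location.decode("ascii"))
    return found

# Constructed sample (hypothetical example.test URLs), built with a minimal DER encoder.
def tlv(tag, *parts):
    n = sum(map(len, parts))  # every element in this sample is shorter than 256 bytes
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + b"".join(parts)

DP = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(URI, b"http://crl.example.test/ca.crl"))))
ADS = (tlv(0x30, tlv(0x06, OID_CA_ISSUERS), tlv(URI, b"http://ca.example.test/ca.crt"))
       + tlv(0x30, tlv(0x06, OID_OCSP), tlv(URI, b"http://ocsp.example.test")))
SAMPLE = tlv(0x30, tlv(0x30, tlv(0x06, OID_CDP), tlv(0x04, tlv(0x30, DP))),
             tlv(0x30, tlv(0x06, OID_AIA), tlv(0x04, tlv(0x30, ADS))))
```

A certificate that yields an empty list for both keys gives the client no in-band way to check revocation, which is the manual-import case the message describes.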