Ben Bucksch wrote:
Well, I guess this discussion is somewhat pointless and your views about SSL are certainly unique. Also one browser vendor can't force such a change onto the PKI model, I guess. However there is one thing I'd like to answer:If the above is accepted, it would need subtle UI changes, maybe small changes to NSS, maybe changes to the SSL PKI model (removal of expiry, keep only revocation).
Currently Mozilla software doesn't enforce CRL or OCSP checking and by default both are _OFF_! You can't turn expiry on or off and therefore a issued certificate, once it expires, issues a warning. Obviously there is a good reason why certificates expire (except the ones valid for ten years as some get sold today), because validation performed of a domain may very likely be not valid within a short time...domain names change ownership and people change names and addresses. Therefore a CA would have to revoke almost all certificates within a short period of time (lets say one year), if the party isn't interested in renewing it. This would make CRL's balloon to huge sizes, which in turn would slow down traffic enormously! Imagine when connecting to an SSL enabled web site your browser has to download a CRL of a few megabytes and even beyond.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security