On 4/11/2013 1:26 PM, Rick Andrews wrote:
> Sid Stamm suggested dev.security...
> -----Original Message-----
> From: Ian Melven [mailto:imel...@mozilla.com]
> you might also try asking this on mozilla.dev.tech.crypto :)
Sid was wrong :-) The guys who know the technical guts of our crypto
implementation are over in m.d.tech.crypto
AFAIK we do not download CRLs based on certs, but will update CRLs the
user has manually specified. We've talked about improving CRL handling
as part of a comprehensive reform of revocation checking but have yet to
solve the performance and space requirements of CRLs.
We do support OCSP and are in the process of adding support for OCSP
stapling to improve performance, security, and privacy. Lack of an OCSP
response is not fatal however, because in general OCSP has not been
reliable enough for that. However, cautious users can change the mozilla
pref security.OCSP.require to true if they wish the lack of an OCSP
response to be fatal.
For anything more detailed (timelines, bug numbers) you'll need to go
bug the .tech.crypto folks.
-Dan Veditz
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
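
Added example, not part of the message above and not Firefox or NSS code: a small JavaScript model of the soft-fail versus hard-fail OCSP behaviour the reply describes, including the effect of a stapled response. The function names, the outcome categories, the constructed scenarios and the assumption that a stapled status replaces the responder lookup are all illustrative.

```javascript
// Illustrative model only; not Firefox or NSS code.
const OCSP = Object.freeze({ GOOD: "good", REVOKED: "revoked", NONE: "none" });

// prefs.requireOCSP stands for the security.OCSP.require pref.
// stapled: status from the TLS handshake, or null when nothing was stapled.
// lookupStatus: callback that queries the responder (hypothetical helper).
function checkRevocation(prefs, stapled, lookupStatus) {
  const viaStaple = stapled === OCSP.GOOD || stapled === OCSP.REVOKED;
  const status = viaStaple ? stapled : lookupStatus();
  const contactedResponder = !viaStaple;
  if (status === OCSP.REVOKED) {
    return { allow: false, reason: "revoked", contactedResponder };
  }
  if (status === OCSP.GOOD) {
    return { allow: true, reason: "good", contactedResponder };
  }
  // No usable answer: soft-fail by default, fatal when the pref is true.
  return prefs.requireOCSP
    ? { allow: false, reason: "no response (hard-fail)", contactedResponder }
    : { allow: true, reason: "no response (soft-fail)", contactedResponder };
}

// Constructed scenarios: [label, true status at the CA, stapled, responder reachable]
const SCENARIOS = [
  ["valid cert, responder up", OCSP.GOOD, null, true],
  ["valid cert, responder down", OCSP.GOOD, null, false],
  ["revoked cert, responder up", OCSP.REVOKED, null, true],
  ["revoked cert, responder down", OCSP.REVOKED, null, false],
  ["valid cert, stapled, responder down", OCSP.GOOD, OCSP.GOOD, false],
];

// Evaluate every scenario under both pref settings.
function compareModes() {
  return SCENARIOS.map(([label, truth, stapled, reachable]) => {
    const lookup = () => (reachable ? truth : OCSP.NONE);
    const soft = checkRevocation({ requireOCSP: false }, stapled, lookup);
    const hard = checkRevocation({ requireOCSP: true }, stapled, lookup);
    return { label, softFail: soft.allow, hardFail: hard.allow,
             contactedResponder: soft.contactedResponder };
  });
}

for (const row of compareModes()) console.log(row);
```

The "responder down" rows show the trade-off: soft-fail accepts a certificate whose status could not be checked, while hard-fail also rejects a valid certificate when the responder is unavailable. The stapled row needs no responder contact at all.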