Nelson B Bolyard wrote:
> Presently, a user must initiate the first fetch of a CRL from the CA.
> CRLs are fetched asynchronously from cert chain validation.
> CRLs are stored on disk locally, IIRC.  After fetching the first one,
> mozilla clients will fetch subsequent CRLs automatically on a periodic
> basis

The user is able to configure the update interval on initial import.

> (or as indicated by NextUpdate), IIRC, not triggered by new cert
> chain validation.  Once a mozilla client has the first CRL for the CA,
> it will always check the most recently stored CRL thereafter, IINM.

The user has the option not to enable automatic updating.
In this case the stored CRL will be used, regardless of its age, until it gets manually updated by a new manual import.

> OCSP checking may be enabled or disabled by the user.  It is presently enabled
> by default in FF2 builds, IINM,

It is not yet enabled by default, but we would like to enable it, hopefully soon.
Kai
