Nelson, Frank and Kai:

Because of your terrific feedback and Nelson's comment below about the
fact that client revocation is actively being discussed, another
colleague here in Verisign Engineering has joined this group.  His name
is Rick Andrews and he will not only be monitoring the discussions but
also providing direct feedback and input to the discussions.  Rick is
extremely knowledgeable in this area and I know he is looking forward to
being an active participant.

Thank you all again for your input.

Gary.
> -----Original Message-----
> From: Nelson B Bolyard
> Sent: Tuesday, August 08, 2006 8:59 AM
> To: Krall, Gary
> Cc: dev-tech-crypto@lists.mozilla.org
> Subject: Re: OCSP/CRL handling in Firefox
> 
> 
> Gary Krall wrote:
> 
> > I'm curious to know what FF does in this regard.  Does it
> > fall-back to CRLs when it cannot connect to our OCSP server?  If not are
> > there any plans to implement something like this in the future?
> 
> Handling of OCSP and CRLs is rather separate.
> 
> Presently, a user must initiate the first fetch of a CRL from the CA.
> CRLs are fetched asynchronously from cert chain validation.
> CRLs are stored on disk locally, IIRC.  After fetching the 
> first one, mozilla clients will fetch subsequent CRLs 
> automatically on a periodic basis (or as indicated by 
> NextUpdate), IIRC, not triggered by new cert chain 
> validation.  Once a mozilla client has the first CRL for the 
> CA, it will always check the most recently stored CRL 
> thereafter, IINM.
> 
> OCSP checking may be enabled or disabled by the user.  It is 
> presently enabled by default in FF2 builds, IINM, but 
> disabled by default in older versions.
> OCSP fetching is done on demand, triggered by each cert chain 
> validation.
> There is presently no OCSP cache.  This is a known issue.
> 
> I'm not sure how the OCSP and CRL checking interact when both 
> are enabled.
> I'm hoping our revocation expert will speak up here.
> 
> mozilla clients' revocation is an area very much in active 
> development right now, with new things being planned for 
> upcoming releases.  So now is a good time to participate in 
> this discussion.
> 
> --
> Nelson B
> 
> 
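The two revocation paths Nelson describes above (a locally stored CRL refreshed on its NextUpdate schedule rather than per validation, versus on-demand OCSP with no response cache) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Firefox or NSS code; the `CrlStore`, `OcspChecker`, `fake_crl_fetch` and `fake_ocsp_query` names and the sample serials and timestamps are constructed for the example, and the "with cache" branch shows what the missing OCSP cache would change.

```python
"""Model of the two revocation paths in the quoted message (added example,
not Firefox/NSS code): a stored CRL refreshed on NextUpdate, and on-demand
OCSP with and without a response cache."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


class CrlStore:
    """Keeps the most recently fetched CRL per issuer (hypothetical structure)."""

    def __init__(self, fetch: Callable[[str], Crl]) -> None:
        self._fetch = fetch
        self._crls: Dict[str, Crl] = {}
        self.fetch_count = 0

    def import_crl(self, issuer: str) -> None:
        """User-initiated first fetch; afterwards the issuer is refreshed automatically."""
        self._crls[issuer] = self._fetch(issuer)
        self.fetch_count += 1

    def refresh_stale(self, now: datetime) -> List[str]:
        """Background refresh of CRLs whose NextUpdate has passed; returns issuers refreshed."""
        refreshed = []
        for issuer, crl in list(self._crls.items()):
            if now >= crl.next_update:
                self._crls[issuer] = self._fetch(issuer)
                self.fetch_count += 1
                refreshed.append(issuer)
        return refreshed

    def check(self, issuer: str, serial: int) -> str:
        """Consult only the stored CRL: 'revoked', 'good', or 'unknown' if none was imported."""
        crl = self._crls.get(issuer)
        if crl is None:
            return "unknown"
        return "revoked" if serial in crl.revoked_serials else "good"


@dataclass(frozen=True)
class OcspResponse:
    status: str
    next_update: datetime


class OcspChecker:
    """On-demand OCSP lookup, optionally caching responses keyed by (issuer, serial)."""

    def __init__(self, query: Callable[[str, int], OcspResponse], use_cache: bool) -> None:
        self._query = query
        self._use_cache = use_cache
        self._cache: Dict[Tuple[str, int], OcspResponse] = {}
        self.query_count = 0

    def check(self, issuer: str, serial: int, now: datetime) -> str:
        key = (issuer, serial)
        cached = self._cache.get(key) if self._use_cache else None
        if cached is not None and now < cached.next_update:
            return cached.status  # fresh cached response: no network round trip
        resp = self._query(issuer, serial)  # every validation hits the responder otherwise
        self.query_count += 1
        if self._use_cache:
            self._cache[key] = resp
        return resp.status


# Constructed sample data: one CA, serial 0x1001 revoked, CRL valid for a day.
T0 = datetime(2006, 8, 8, 9, 0, tzinfo=timezone.utc)


def fake_crl_fetch(issuer: str) -> Crl:
    return Crl(issuer, T0, T0 + timedelta(days=1), frozenset({0x1001}))


def fake_ocsp_query(issuer: str, serial: int) -> OcspResponse:
    status = "revoked" if serial == 0x1001 else "good"
    return OcspResponse(status, T0 + timedelta(hours=1))


def demo() -> Dict[str, object]:
    results: Dict[str, object] = {}
    store = CrlStore(fake_crl_fetch)
    results["before_import"] = store.check("Example CA", 0x1001)
    store.import_crl("Example CA")
    results["after_import"] = store.check("Example CA", 0x1001)
    results["good_serial"] = store.check("Example CA", 0x2002)
    results["refresh_early"] = store.refresh_stale(T0 + timedelta(hours=12))
    results["refresh_late"] = store.refresh_stale(T0 + timedelta(days=1))
    results["crl_fetches"] = store.fetch_count

    no_cache = OcspChecker(fake_ocsp_query, use_cache=False)
    with_cache = OcspChecker(fake_ocsp_query, use_cache=True)
    for _ in range(5):  # five chain validations of the same cert within the hour
        no_cache.check("Example CA", 0x2002, T0 + timedelta(minutes=10))
        with_cache.check("Example CA", 0x2002, T0 + timedelta(minutes=10))
    results["ocsp_queries_no_cache"] = no_cache.query_count
    results["ocsp_queries_with_cache"] = with_cache.query_count
    with_cache.check("Example CA", 0x2002, T0 + timedelta(hours=2))  # cache expired
    results["ocsp_queries_after_expiry"] = with_cache.query_count
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the behaviours from the message side by side: a serial is "unknown" until the user imports the first CRL, the stored CRL answers every later check without a fetch until its NextUpdate passes, and without a cache five validations of one certificate cost five OCSP round trips where a cache would cost one.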
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
