GaryK wrote:
> .NET CLR 2.0.50727; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
> Injection-Info: m73g2000cwd.googlegroups.com; posting-host=65.205.251.51;
> posting-account=bqHXlg0AAABIeE5JRZLSrHSri2ZbRXKH

What's all that stuff?

> I am a technical director at VeriSign and was asked a question that
> Gerv recommended that I post to this mailing list.
>
> As you know, VeriSign has spent a fair amount of time, money and effort to
> roll out our OCSP service which is currently supported as an option in
> FF. Having said that we're also continuing to publish CRLs/CSRs (which
> is also expensive), and we put both AIA and CDP extensions in most of
> the certs we issue. The reason why we do this is that in RFC2560 (the
> one describing OCSP), Section 5 "Security Considerations", says:
>
> "For this service to be effective, certificate using systems must
> connect to the certificate status service provider. In the event such a
> connection cannot be obtained, certificate-using systems could
> implement CRL processing logic as a fall-back position."
>
> I'm curious to know what FF does in this regard. Does it fall-back to
> CRLs when it cannot connect to our OCSP server? If not are there any
> plans to implement something like this in the future?

I'm having a deja-vu experience here. You sent this exact message before
on 2006-08-07
news://news.mozilla.org:119/[EMAIL PROTECTED]
and there was quite a thread of responses at that time, including one of mine,
news://news.mozilla.org:119/[EMAIL PROTECTED]
to which you replied
news://news.mozilla.org:119/[EMAIL PROTECTED]

Is there something different about this latest inquiry that I'm missing?

> Since we have both of this to the standard we want to make sure that
> clients are taking full advantage of both and if not why not?
>
> Thanks for the help.

I'm guessing that your request somehow got resent accidentally.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto