Rob Stradling wrote, On 2008-10-12 23:01:
> Nelson, does NSS ever attempt to check the revocation status of a built-in
> Root Certificate if that Root Certificate contains CRLDP(s) and/or OCSP
> URI(s) ?
Good question. The answer is somewhat complex. :-/

As you may know, NSS has two separate bodies of code for building certification paths and validating them. Firefox uses both implementations at different times.

The old one checks OCSP only for EE certs, and does CRL checks for any certs issued by any CA for which it has a CRL, but does not automatically fetch CRLs. So the answer to your question for the old implementation is: no.

The new one is capable of checking OCSP and CRLs at every level, and eventually will have the ability to fetch CRLs when a CDP extension is found in a cert. With the new implementation, all this checking is under the application's control, so the application can choose to do revocation checking on CAs, or not, and can choose to do OCSP, or CRLs, or both, or none.

I would expect that when the application has told it to use both revocation protocols on all certs (including CA certs), the code would check revocation information for any cert that was both (a) not trusted, and (b) not self-issued. So I would expect that it would not check the revocation status of any root CA cert, whether built in or not. But I am not sure what it does. I will attempt to investigate that.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
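As an added illustration (not NSS code, and not part of the thread), the following Python models the two revocation-checking policies described in the reply above and applies them to a constructed EE / intermediate / built-in root chain, showing which certs each implementation would query and why the trust anchor is never checked. The `Cert` class, the two policy functions and the sample chain are all assumptions made for this example.

```python
# Model of NSS revocation-checking behaviour as described in the reply above.
# Added example, not NSS code: Cert, both policy functions and the chain are
# constructed here to make the described decision rules explicit.
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    trusted: bool = False   # trust anchor (e.g. a built-in root)
    is_ca: bool = False

    @property
    def self_issued(self) -> bool:
        # Self-issued: subject and issuer names match (covers self-signed roots).
        return self.subject == self.issuer


def old_impl_checks(chain, stored_crls):
    """Old NSS validation as described: OCSP only for the EE (chain[0]);
    CRL check only where a CRL for the issuer is already in the store,
    nothing is fetched. The reply answers 'no' for built-in roots, which is
    modelled here by skipping trust anchors entirely."""
    result = {}
    for i, cert in enumerate(chain):
        if cert.trusted:
            result[cert.subject] = {"ocsp": False, "crl": False}
            continue
        result[cert.subject] = {"ocsp": i == 0, "crl": cert.issuer in stored_crls}
    return result


def new_impl_checks(chain, use_ocsp, use_crl, include_cas):
    """New validation as described: the application picks OCSP, CRL, both or
    none, and whether CA certs are covered; a cert is only eligible when it is
    neither trusted nor self-issued, so a root is never checked."""
    result = {}
    for cert in chain:
        eligible = not cert.trusted and not cert.self_issued
        if cert.is_ca and not include_cas:
            eligible = False
        result[cert.subject] = {"ocsp": eligible and use_ocsp,
                                "crl": eligible and use_crl}
    return result


# Constructed sample chain: EE -> intermediate -> built-in (trusted) root.
ROOT = Cert("Example Root CA", "Example Root CA", trusted=True, is_ca=True)
INTER = Cert("Example Intermediate CA", "Example Root CA", is_ca=True)
EE = Cert("www.example.test", "Example Intermediate CA")
CHAIN = [EE, INTER, ROOT]

if __name__ == "__main__":
    print(old_impl_checks(CHAIN, stored_crls={"Example Root CA"}))
    print(new_impl_checks(CHAIN, use_ocsp=True, use_crl=True, include_cas=True))
```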