Michael Ströder wrote, On 2009-02-10 00:27:
> Nelson B Bolyard wrote:
>> This is probably a policy question, but: are we willing to accept CAs
>> that use CRLs that we cannot parse?
> 
> I'd say no.
> 
>> Does this CA also implement OCSP?  Can we justify this on the grounds
>> that we do implement OCSP, and that OCSP will effectively displace CRLs
>> as the preferred revocation channel?
> 
> I'd say no. Use of OCSP should not be made mandatory.

No one has proposed anything that would make OCSP mandatory.
At the present time, we support OCSP and "full" CRLs.
We do not support "partitioned" CRLs.
Very few CAs use partitioned CRLs.

Support of partitioned CRLs is separate from support for CRLDP and
fetching of CRLs from URLs in CRLDP extensions.  Support for one of
those does not automatically imply support for the other.

Recently, a CA that uses partitioned CRLs applied for admission to
the Mozilla/NSS root CA list.  Our choices appear to be:

1) Do not admit their root until support for partitioned CRLs is done.
(There is no active plan of record to do that work at this time.)
2) IF they also support OCSP, admit them on that basis
3) If not, admit their root anyway, knowing that their CRLs will not
work with NSS, not even when CRLDP work is done.

I think the last option is not a good choice.  I'm OK with either of
the others.  The responses I've seen don't seem to clearly indicate
which of the above 3 choices are acceptable.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
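As an added example, not part of this thread and not NSS code: the distinction Nelson draws between "full" and "partitioned" CRLs is visible in the CRL itself, because RFC 5280 scopes a partitioned CRL with the critical IssuingDistributionPoint extension (id-ce 28). The pure-Python check below parses a DER CRL and reports whether that extension is present and what it scopes. The two sample CRLs are constructed inline with a dummy signature, a fictional "Example CA" issuer and a hypothetical crl.example.test distribution point; none of those values come from the thread.

```python
IDP_OID = b"\x55\x1d\x1c"         # id-ce 28, issuingDistributionPoint
CRL_NUMBER_OID = b"\x55\x1d\x14"  # id-ce 20, cRLNumber
def der(tag, body):  # minimal DER TLV encoder, long-form lengths included
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def tlv(buf, pos=0):  # decode one TLV -> (tag, body, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # every TLV directly inside a constructed value
    pos = 0
    while pos < len(body):
        tag, b, pos = tlv(body, pos)
        yield tag, b

def crl_scope(crl):  # full CRL, or partitioned via IDP (RFC 5280, 5.2.5)?
    res = {"partitioned": False, "idp_critical": None, "dp_uri": None, "only_user_certs": False}
    tbs = next(children(tlv(crl)[1]))[1]                   # tbsCertList
    for tag, body in children(tbs):
        if tag != 0xA0:                                    # crlExtensions [0] EXPLICIT
            continue
        for _, ext in children(tlv(body)[1]):
            fields = list(children(ext))                   # OID, [critical BOOLEAN], OCTET STRING
            if fields[0][1] != IDP_OID:
                continue
            res["partitioned"] = True
            res["idp_critical"] = len(fields) == 3 and fields[1][1] == b"\xff"
            for ftag, fbody in children(tlv(fields[-1][1])[1]):
                if ftag == 0xA0:                           # distributionPoint [0] -> fullName [0] -> URI [6]
                    res["dp_uri"] = next((g.decode() for t, g in children(tlv(fbody)[1]) if t == 0x86), None)
                elif ftag == 0x81:                         # onlyContainsUserCerts [1]
                    res["only_user_certs"] = fbody == b"\xff"
    return res

def sample_crl(extensions):  # constructed CRL (dummy signature), issued by a fictional "Example CA"
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example CA"))))
    tbs = der(0x02, b"\x01") + alg + issuer + der(0x17, b"090210000000Z") + der(0x17, b"090310000000Z")
    return der(0x30, der(0x30, tbs + der(0xA0, der(0x30, b"".join(extensions)))) + alg + der(0x03, b"\x00" * 17))
def ext(oid, value, critical):
    return der(0x30, der(0x06, oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))

# Hypothetical distribution point; IDP scoped to that DP and to end-entity certs only.
IDP = der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/ca-part1.crl"))) + der(0x81, b"\xff"))
PARTITIONED_CRL = sample_crl([ext(IDP_OID, IDP, True)])
FULL_CRL = sample_crl([ext(CRL_NUMBER_OID, der(0x02, b"\x07"), False)])
```

A consumer that only handles full CRLs can run this check before relying on a fetched CRL: a `partitioned` result means the list covers only part of the issuer's certificates, so treating it as complete would silently miss revocations.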
