On 2009-07-22 05:59 PDT, Varga Viktor wrote:
>> FF 3.5.0 and FF 3.5.1 do not support fetching of certs from AIA extension
>> URIs, nor fetching of CRLs from CDP extension URIs.  The code to fetch
>> certs from AIA URIs is present, but Firefox has not yet put it into use.
> 
> What was the cause to disable it??

Disable it?
It's a new feature in NSS.  New NSS features are almost never enabled by
default.  That policy is required for backwards binary compatibility.

Firefox must enable it.  It doesn't take much software to do so, but it
must be done and Firefox hasn't done it yet.

>> The code to do CRL fetching is not yet present in FF 3.5.0 or 3.5.1, but
>> has been made available in a new version of NSS that is not yet being
>> used in FF 3.5.x.  I expect this will change before the end of 2009,
>> and CDP fetching will be put to use.  I expect that will happen sooner
>> than the fetching of certs from AIA URIs.
> 
> If the CDP and AIA fetch is enabled, will the code fetch multiple CDP,
> AIA fields, and try the second on the list, if the first is inaccessible?

Actually, I think it tries them in reverse order.  Not sure.
It tries them until it finds a CRL that is a full CRL, not a partial CRL.
It determines this by the presence or absence of a critical IDP extension
in the fetched CRL.  Any CRL with a critical IDP extension is treated as
a partial (a.k.a. "partitioned") or indirect or delta CRL, which are not
supported by NSS, and are ignored.

> regards. 
> Viktor Varga
> Netlock Kft.
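
The full-versus-partial CRL test described in the reply above, as an added Python example that is not NSS code or anything from the thread: a small DER walker that treats a CRL as partial when it carries a critical issuingDistributionPoint (IDP) extension, plus a helper that walks fetched CDP responses and keeps the first full CRL. The two CRLs, their URLs and the in-order traversal are constructed assumptions (the reply itself says NSS's order may be reversed); the sample CRLs use an empty issuer Name and a zero signature, so they parse but cannot be verified.

```python
# DER-encoded OID values: id-ce-issuingDistributionPoint (2.5.29.28), id-ce-cRLNumber (2.5.29.20)
IDP_OID, CRL_NUMBER_OID = b"\x55\x1d\x1c", b"\x55\x1d\x14"

def _tlv(tag, body):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def _children(body):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length octets that follow
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        yield tag, body[pos:pos + n]
        pos += n

def is_full_crl(der):
    """A CRL is full unless it carries a critical issuingDistributionPoint extension."""
    _, cert_list = next(_children(der))       # CertificateList SEQUENCE
    _, tbs = next(_children(cert_list))       # TBSCertList is its first field
    for tag, val in _children(tbs):
        if tag != 0xA0:                       # crlExtensions [0] EXPLICIT Extensions
            continue
        _, exts = next(_children(val))        # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))     # OID, optional BOOLEAN critical, OCTET STRING
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            if fields[0][1] == IDP_OID and critical:
                return False
    return True

def select_full_crl(fetched):
    """Walk (url, der) pairs in CDP order; return the URL of the first full CRL, else None."""
    return next((url for url, der in fetched if is_full_crl(der)), None)

# Constructed sample CRLs (assumption): empty issuer Name and zero signature, parse-only.
def _ext(oid, critical, value):
    return _tlv(0x30, _tlv(0x06, oid) + (_tlv(0x01, b"\xff") if critical else b"") + _tlv(0x04, value))
def _crl(*exts):
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    tbs = (_tlv(0x02, b"\x01") + alg + _tlv(0x30, b"") + _tlv(0x17, b"090722000000Z")
           + _tlv(0xA0, _tlv(0x30, b"".join(exts))))    # v2, sigAlg, issuer, thisUpdate, exts
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 9))
IDP_VALUE = _tlv(0x30, _tlv(0x81, b"\xff"))            # IDP { onlyContainsUserCerts TRUE }
CRL_NUMBER = _ext(CRL_NUMBER_OID, False, _tlv(0x02, b"\x07"))
PARTIAL_CRL = _crl(CRL_NUMBER, _ext(IDP_OID, True, IDP_VALUE))   # critical IDP: skipped
FULL_CRL = _crl(CRL_NUMBER)
FETCHED = [("http://crl.example/part1.crl", PARTIAL_CRL), ("http://crl.example/full.crl", FULL_CRL)]
```

Running `select_full_crl(FETCHED)` skips the partitioned CRL and returns the second URL; a list containing only partial CRLs yields None, which is the "no usable CRL" case the reply describes.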


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
