Firefox uses OCSP but, by default, any response other than a definite
"is revoked" response is treated as "is not revoked". There is a user
pref that allows the user to change that, so that any response other
than "is not revoked" is treated as "is revoked".
IMO, we need to be smarter about that.
Here's a straw man:
OK:
200 response with OK
No response (network problems)
Not OK:
200 response with revocation
400 response (OCSP responder actively denying response)
500 response (OCSP responder broken)
What do people think? Putting 400 and 500 in "not OK" makes it harder to
inject a failure in order to get Firefox to pass a cert. Although one
can still inject an OCSP tryLater <sigh>.
Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
