Sorry, wrong thread.  Expect to see a security blog post about revocation
soon, summarizing some recent work :)

On Sat, Nov 21, 2015 at 11:59 AM, Richard Barnes <rbar...@mozilla.com>
wrote:

> I took a hack at the blog post.  I kept your outline, but ended up
> text-editing a bunch of it.  I think it's pretty good now.
>
> On Thu, Jul 31, 2014 at 10:07 PM, Richard Barnes <rbar...@mozilla.com>
> wrote:
>
>> Hi all,
>>
>> We in the Mozilla PKI team have been discussing ways to improve
>> revocation checking in our PKI stack, consolidating a bunch of ideas from
>> earlier work [1][2] and some maybe-new-ish ideas.  I've just pressed "save"
>> on a new wiki page with our initial plan:
>>
>> https://wiki.mozilla.org/CA:RevocationPlan
>>
>> It would be really helpful if people could review and provide feedback on
>> this plan.
>>
>> There's one major open issue highlighted in the wiki page.  We're
>> planning to adopt a centralized revocation list model for CA certificates,
>> which we're calling OneCRL.  (Conceptually similar to Chrome's CRLsets.)
>> In addition to covering CA certificates, we're also considering covering
>> some end-entity (EE) certificates with OneCRL too.  But there are some
>> drawbacks to this approach, so it's not certain that we will include this
>> in the final plan.  Feedback on this point would be especially valuable.
>>
>> Thanks a lot,
>> --Richard
>>
>> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
>> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-pol...@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
