Duane wrote:

>> So, you're going to have multiple roots simultaneously in effect.  You
>> could have avoided that by using only key IDs and not issuer name and
>> serial number in your authority key IDs, as recommended by RFC 3280.
>
> I haven't had time to check this RFC yet, I will be shortly...

IMO, one of the requirements should be that the CA claims that all their certs conform to RFC 3280. It's THE standard for certs and CRLs on the internet. Don't just assume that OpenSSL and whatever instructions you found on how to use it will automatically be RFC compliant, because, well, I have seen VERY few OpenSSL-generated certs that were. The most common problem is that most of them have BOTH a keyID AND an issuer-name-and-serial-number in their authority key IDs. Somewhere there's an example page that shows doing it that way, and all the OpenSSL users follow it, not knowing what the RFC says.

>> You really don't want to be asking MF to add new root certs for you
>> to mozilla every few months IMO.  Looks to me like you'll need to ask
>> that two be added.  And hopefully not too many more soon thereafter.
>
> Actually we're asking for 3, maybe 4; the "maybe" depends on how long the current policy debate takes.

The issue isn't number, it's frequency. Your favorite competitor has LOTS of roots in the list. Frequency of new requests is extremely low, years between them.

>> Once a mozilla user "primes the pump" by loading the first CRL, then yes,
>> the rest can be loaded automatically.
>
> MS IE does this checking regardless of whether it's been primed or not; I've added the URL to the website regardless.

Um, IINM, checking CRLs is a feature that is turned on in the advanced options part of the Internet Control panel, and is OFF by default (probably for the same reason as in mozilla). BTW, I will shortly start a thread here about the issue of turning CRL and OCSP checking on by default. Please join that thread also.

--
Nelson B
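An added example for the authority key identifier point in this thread (not code from either poster): a minimal DER walker that reports which AuthorityKeyIdentifier fields an extension carries and flags the keyID-plus-issuer-name-and-serial form Nelson describes. The input is the DER inside the extension's extnValue OCTET STRING; the two sample values are constructed here, not taken from any real certificate.

```python
def _read_tlv(data, pos):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def parse_aki(der):
    # AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, [1] authorityCertIssuer,
    #   [2] authorityCertSerialNumber }, all OPTIONAL (RFC 3280, section 4.2.1.1).
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x80:                                 # [0] keyIdentifier
            fields["keyIdentifier"] = value.hex()
        elif tag == 0xA1:                               # [1] GeneralNames, kept as raw DER
            fields["authorityCertIssuer"] = value
        elif tag == 0x82:                               # [2] authorityCertSerialNumber
            fields["authorityCertSerialNumber"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x in AuthorityKeyIdentifier" % tag)
    return fields

def check_aki(der):
    # Classify: the keyid-only form Nelson recommends vs. keyid plus issuer/serial.
    fields = parse_aki(der)
    if "keyIdentifier" not in fields:
        return "missing keyIdentifier"
    if "authorityCertIssuer" in fields or "authorityCertSerialNumber" in fields:
        return "keyid+issuer/serial"
    return "keyid-only"

def _tlv(tag, value):
    # Encode one DER element; short-form length suffices for the samples below.
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed samples (not from any real cert); the second is the shape that an
# OpenSSL "authorityKeyIdentifier=keyid,issuer" setting typically produces.
KEY_ID = bytes(range(0x10, 0x24))                       # 20-byte key identifier
AKI_KEYID_ONLY = _tlv(0x30, _tlv(0x80, KEY_ID))
_cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Test CA"))
_issuer = _tlv(0xA4, _tlv(0x30, _tlv(0x31, _cn)))     # GeneralName: directoryName
AKI_KEYID_ISSUER_SERIAL = _tlv(0x30, _tlv(0x80, KEY_ID) + _tlv(0xA1, _issuer) + _tlv(0x82, b"\x01\x00"))  # serial 256
```

Run check_aki over the extnValue of each certificate a CA has issued to see which of the two forms it is emitting; a result other than "keyid-only" identifies the pattern discussed above.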

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
