Jean-Marc Desperrier wrote:
Nelson B wrote:
Duane wrote (quoting me):
> I was under the impression, that mozilla (the browser) was like MS IE in
> that it automatically checked based on CRL urls in certificates...
Once a mozilla user "primes the pump" by loading the first CRL, then yes, the rest can be loaded automatically.
But there is no code to extract the CRLDP from the cert in Mozilla, it's not even displayable in Mozilla.
If there were someone working on PSM, I wish it would have a good place on his todo list.
Currently not only PSM but also NSS only supports full CRLs, not CRLDP. There is already some code in NSS to extract the DP from a cert, but it isn't currently used.
The cert verification currently works something like this. Feel free to look at the source in lib/certhigh/certvfy.c, in CERT_VerifyCertificate for more details.
1) check for trust in certX.db. With explicit trust, all other tests are short-circuited.
2) check signature against issuer
3) check serial number against issuer's full CRL, if the CRL is available in any PKCS#11 module
4) check for OCSP, by making an outgoing connection.
All checks are repeated for each cert in the cert chain, except for OCSP which is currently only done on the leaf.
Generally, NSS avoids making outgoing connections during PKI operations. The OCSP check is one exception to the rule. I'm not sure that we want to add other exceptions to go fetch CRLs from the network within that blocking cert verification function. Also, most applications want to perform the networking (download) themselves.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
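As an added illustration (not code from this thread or from NSS), here is a small Python model of the four-step order described in the last message: explicit trust short-circuits, signature against the issuer, serial against the issuer's locally loaded full CRL, and OCSP on the leaf only. The signature and OCSP checks are hypothetical callbacks so the control flow, not the crypto, is what is shown; the constructed scenario shows a revoked leaf passing until the issuer's CRL has been loaded ("priming the pump").

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Cert:            # constructed stand-in for a parsed certificate
    subject: str
    issuer: str
    serial: int

@dataclass
class LocalStore:      # stands in for cert db trust flags + CRLs in a PKCS#11 module
    trusted: Set[str] = field(default_factory=set)           # explicitly trusted subjects
    crls: Dict[str, Set[int]] = field(default_factory=dict)  # issuer -> revoked serials

def verify_chain(chain: List[Cert], store: LocalStore,
                 signature_ok: Callable[[Cert, Cert], bool],
                 ocsp_check: Optional[Callable[[Cert], bool]] = None) -> Tuple[bool, str]:
    """chain[0] is the leaf, chain[-1] the root. No network access happens here
    except through the optional ocsp_check callback, and only for the leaf."""
    for i, cert in enumerate(chain):
        # 1) explicit trust short-circuits every other test
        if cert.subject in store.trusted:
            return True, f"explicit trust in {cert.subject}"
        if i + 1 >= len(chain):
            return False, f"{cert.subject} is untrusted and has no issuer in the chain"
        issuer = chain[i + 1]
        # 2) signature against the issuer
        if not signature_ok(cert, issuer):
            return False, f"bad signature on {cert.subject}"
        # 3) serial against the issuer's full CRL, but only if one is loaded locally
        revoked = store.crls.get(issuer.subject)
        if revoked is not None and cert.serial in revoked:
            return False, f"serial {cert.serial} of {cert.subject} is on the CRL"
        # 4) OCSP: the one outgoing connection, and only for the leaf (i == 0)
        if i == 0 and ocsp_check is not None and not ocsp_check(cert):
            return False, f"OCSP reports {cert.subject} revoked"
    return False, "chain ended without reaching a trusted cert"

# Constructed chain: leaf (serial 4242) <- intermediate <- trusted root.
LEAF = Cert("www.example.test", "Example Intermediate", 4242)
INTER = Cert("Example Intermediate", "Example Root", 2)
ROOT = Cert("Example Root", "Example Root", 1)
CHAIN = [LEAF, INTER, ROOT]
name_match = lambda cert, issuer: cert.issuer == issuer.subject  # toy "signature"

def demo() -> Tuple[bool, bool]:
    """Returns (result with no CRL loaded, result after the intermediate's CRL is loaded)."""
    unprimed = LocalStore(trusted={"Example Root"})
    primed = LocalStore(trusted={"Example Root"}, crls={"Example Intermediate": {4242}})
    return (verify_chain(CHAIN, unprimed, name_match)[0],
            verify_chain(CHAIN, primed, name_match)[0])
```

`demo()` returns `(True, False)`: the revoked leaf is accepted until the CRL is present locally, which is exactly the gap the thread is discussing.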
