So much of this dialogue is focussed on SSL.
That's actually part of the intent - the environment is one of the ordinary user, who by definition does not adjust the defaults and doesn't really do more than the immediate. I'd suspect that corporate users are outside that focus?
(Above, I suspect you mean "open Internet".)
> Many commercial CA's run significant businesses issuing certificates to end users, such as employees and business partners. In these circumstances, revocation is not unusual as employees leave companies and as business relationships change. More revocations are pretty mundane.
You raise an interesting point. Yes, that would be an obvious case for revocation. It would apply to email primarily (routine), and to a lesser extent code signing and web serving (rare).
Such companies are by their nature outside the "default user." That is, if they are capable of issuing certs and demanding revocations, then they are also capable of adjusting defaults and doing security.
If one were to conclude that revocations were outside the activities of ordinary users, then the policy for MF root list additions could be simplified to ignore the sophistication of the CA's revocation process.
Is that possible? I can't judge. I suppose it would depend on whether the browser automatically followed the CRL / OCSP routine, and therefore participated in revocations without the user being aware?
iang

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
