Nelson B wrote:
nice description!
Some CAs have huge CRLs. Some CAs have broken OCSP responders. These make for bad user experience. So, IMO a single global pref that turns them on or off for all CAs is less desirable than something that allows them to be used where they work (that is, for those CAs with which they work well) and not where they don't.
If one were to take the "sign off on CA" approach, then that could be the signal to attempt the OCSP. The user could be asked on seeing a new CA "do you want to accept this CA, and by the way, OCSP is available / not available." The presence of OCSP, then as presented to the user, might be a positive signal.
A nice feature might be to add a [check OCSP] button onto the cert display. This would be easy from a workability point of view, but I don't think it would do much for grannie. Still, it might be a useful interim step on the way to getting a full system.
Just thinking out loud here...
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto