Ram A Moskovitz wrote:
On 5/9/05, Jean-Marc Desperrier <[EMAIL PROTECTED]> wrote:
Well, OCSP can bring problems too. I really think this would be used in
a situation with a large number of users and a small number of revoked
certificates, where CRLs work well.

I understand that your expectation is that there are and will be relatively few extension publishers. I think that the less checking you do on the way into the process (authentication), the more revocations you will have and the larger your CRLs will be. Further, as the number of users of FF increases, this will become an economic pain point.

But only cached OCSP responses can handle the load we're talking about here. And if you think about it the right way, cached OCSP responses are just like producing individual CRL for each certificate.


A 15 KB CRL has room for revocation information for more than 400 certificates. With a 10% revocation rate, that means we're OK for up to 4000 publishers. If it goes over that, using an internal CA means there's no cost involved in resolving the problem by creating a new CA, so that no single CA ever emits so large a number of certs that the CRLs are at risk of becoming unmanageable.

Either way, there are problems to solve. The current code cannot get a CRL on demand; it must have it available before the validation. The OCSP code has several restrictions: it blocks the process and does not support proxies.

One solution can be for the page where the extension is available to push the CRL to the browser before starting the extension installation. If no up-to-date CRL is provided, the installation just won't work.

Another question is, do we check the validity only at installation, or later too?

What do you do with a piece of code signed by a certificate that
you have as revoked once the certificate has expired?

And how do you solve that with OCSP? You keep certs indefinitely in the OCSP responder? Anyway, the current signature implementation in Mozilla has no way of verifying signatures after the cert has expired.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
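An added example, not part of the thread, that checks the CRL sizing argument above (15 KB, more than 400 entries, 10% revocation rate, about 4000 publishers) by DER-encoding `revokedCertificates` entries as RFC 5280 lays them out and measuring them. The 128-bit serial numbers and the 800 bytes assumed for the rest of the CRL (issuer name, times, algorithm identifiers, signature) are assumptions, not figures from the thread.

```python
# Added example (not from the thread). Minimal DER encoder for the
# revokedCertificates part of an X.509 CRL (RFC 5280, section 5.1):
#   revokedCertificates ::= SEQUENCE OF SEQUENCE {
#       userCertificate  CertificateSerialNumber (INTEGER),
#       revocationDate   Time (UTCTime here) }
from datetime import datetime, timezone

REVOKED_AT = datetime(2005, 5, 9, tzinfo=timezone.utc)  # constructed date


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; adds the 0x00 pad byte when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return der_tlv(0x02, body)


def der_utctime(t: datetime) -> bytes:
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def revoked_entry(serial: int, when: datetime) -> bytes:
    """One revokedCertificates element, without optional crlEntryExtensions."""
    return der_tlv(0x30, der_integer(serial) + der_utctime(when))


def revoked_list(serials, when: datetime) -> bytes:
    return der_tlv(0x30, b"".join(revoked_entry(s, when) for s in serials))


def crl_capacity(crl_budget: int = 15 * 1024, fixed_overhead: int = 800,
                 revocation_rate: float = 0.10):
    """Returns (bytes per entry, entries that fit, issued certs covered).
    fixed_overhead is an ASSUMED allowance for everything in the CRL other
    than revokedCertificates; serials are assumed to be 128-bit values."""
    entry_size = len(revoked_entry((1 << 127) | 1, REVOKED_AT))
    entries = (crl_budget - fixed_overhead) // entry_size
    return entry_size, entries, round(entries / revocation_rate)
```

With these assumptions each entry costs 36 bytes, so a 15 KB CRL holds about 404 entries and, at a 10% revocation rate, covers roughly 4040 issued certificates; raising the serial width or adding per-entry extensions (reason codes) shrinks that number, which is the sizing risk the thread is discussing.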