Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit
in the cert store as something to hang cert revocation off? If you want
to be in the high assurance store, you have to have a working OCSP
server defined in your certs, or something like that?
That would be to impact the definition of "high" assurance
with the policy aspects of getting OCSP going. Until OCSP
is up and going and shown to be a really good idea, it is
not a good idea to link it to another area of uncertainty.
The unintended consequences of that might actually make
either of "high" assurance or OCSP more difficult to get
going.
If one wanted to signal that OCSP was correlated to "high"
assurance, maybe the notion is to put another little icon
on the status bar that said "OCSP in action." Then, as
time goes on, we could see if that became a good signal of
quality or not?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
