Frank Hecker wrote:
Gervase Markham wrote:
On a related point, can we perhaps use this new high/low assurance bit

Uh, what new high/low assurance bit? Has someone already committed to implement this, and we've agreed to take the patch? :-)

You know what I mean :-) If we have a new high/low assurance bit...

1. A number of "high assurance" CAs do not have OCSP set up. In doing my CA list at

  http://www.hecker.org/mozilla/ca-certificate-list

(which covers only new CAs applying for inclusion) I tried to track down information on CAs' OCSP services; as you'll note, it's not that common. However, providing CRLs is almost universal, but...

OK... so could we stipulate OCSP or CRLs?

2. Neither Firebird nor Thunderbird have CRL checking (let alone OCSP validation) turned on by default; it must be manually enabled by users (e.g., by clicking on a link to a CRL -- try one of the ones on the page referenced above). This is a big product gap that needs to be filled, e.g., by recruiting some more NSS/PSM developers.

Sure. Although one could argue that the fact that we don't take advantage of it yet is no reason not to stipulate it...


Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
