* This approach is also not dependent on SSL, much less on CA revocation of SSL certs. It's also presumably significantly faster to detect and shut down sites than an approach based on OCSP validation of certs, since IIRC the current state of OCSP is that the timeframe for revocation is driven by the schedule for issuance of CRLs, i.e., the results of an OCSP check are not necessarily any more up to date than the results of a CRL check.
Even if that's true, it could not be in the future. And I would hope such events would be rare enough to cause an out-of-time CRL update and corresponding OCSP update.
Gerv
