Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-31 Thread Jean-Marc Desperrier
Eddy Nigg wrote: If Firefox really uses the CRLDP No, it has never used the CRLDP to download the CRL. People need to import the CRL manually and then activate the auto-update, and nobody does it. What's more, if the CRL becomes outdated for some reason, there will be no warning. The

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-28 Thread Rick Andrews
Brian, you seem to be saying that revocation checking adds value only when there's an attacker involved. If that's your point, I disagree. There are cases in which a CA revokes a certificate because the site has misrepresented itself, and revocation serves as a warning to the client.

RE: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-28 Thread Jeremy Rowley
+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Jeremy Rowley Sent: Monday, October 28, 2013 1:29 PM To: 'Brian Smith'; 'Rick Andrews' Cc: dev-security-policy@lists.mozilla.org Subject: RE: Netcraft blog, violations of CABF Baseline Requirements, any consequences? There are lots of occasions: 1

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-25 Thread Rick Andrews
Yes, surely only someone insidious and evil who hates Freedom would ever support such a security-hostile idea as a 1-4KB OCSP response rather than a 50MB CRL. It's likely that the Legion of Cryptographic Doom have compromised OCSP, likely using the World Bank to infiltrate the

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-24 Thread Eddy Nigg
On 10/24/2013 08:01 PM, From Kathleen Wilson: For EV certs Firefox has always checked the CRL when the OCSP AIA URI was not provided. EV treatment would not be given if current revocation information was not obtained. If Firefox really uses the CRLDP, then I suggest keeping that option

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-24 Thread Michael Ströder
Kathleen Wilson wrote: In the case of EV certs, Mozilla is still checking the CRL when the OCSP URI is not provided. Which CRL? Where does it come from? Though, I believe the plan is to stop checking CRL in the future... https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34 Instead of

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-24 Thread Ryan Sleevi
On Thu, October 24, 2013 2:47 pm, Michael Ströder wrote: Kathleen Wilson wrote: In the case of EV certs, Mozilla is still checking the CRL when the OCSP URI is not provided. Which CRL? Where does it come from? Though, I believe the plan is to stop checking CRL in the future...

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-23 Thread Kathleen Wilson
On 10/23/13 12:31 PM, Kathleen Wilson wrote: On 10/22/13 1:19 PM, Eddy Nigg wrote: I've been on the sidelines for most of this and other discussions here, however I don't think this is correct at all - if the server doesn't provide a correct stapled response, the browser must still be able to

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-19 Thread Kaspar Brand
On 08.10.2013 07:16, Kaspar Brand wrote: On 06.10.2013 20:52, Brian Smith wrote: In the abstract, I support the removal of the EV indicator for certs from CAs that don't meet our requirements for OCSP, including the requirement that OCSP responders must return a signed unknown or signed

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

2013-10-19 Thread Michael Ströder
Kaspar Brand wrote: Another 10 days have passed without any apparent sign of Mozilla's willingness to address the case of the non-existence of an OCSP responder for the Cybertrust SureServer EV CA. And since CRL support was dropped in recent Firefox/Seamonkey releases there's no revocation