I am a technical director at VeriSign and was asked a question that 
Gerv recommended that I post to this mailing list. 

As you know, VeriSign has spent a fair amount of time, money and effort to 
roll out our OCSP service, which is currently supported as an option in 
FF.  Having said that, we're also continuing to publish CRLs/CSRs (which 
is also expensive), and we put both AIA and CDP extensions in most of 
the certs we issue. The reason why we do this is that in RFC2560 (the 
one describing OCSP), Section 5 "Security Considerations", says: 

"For this service to be effective, certificate using systems must 
connect to the certificate status service provider. In the event such a 
connection cannot be obtained, certificate-using systems could 
implement CRL processing logic as a fall-back position." 

I'm curious to know what FF does in this regard.  Does it fall back to 
CRLs when it cannot connect to our OCSP server?  If not, are there any 
plans to implement something like this in the future? 

Since we have both of these to the standard, we want to make sure that 
clients are taking full advantage of both, and if not, why not? 

Thanks for the help.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
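An added illustration of the fall-back behaviour the quoted RFC 2560 passage describes; this is example code written for this page, not code from the post, from VeriSign or from Firefox. It sketches a client-side revocation check that queries OCSP first and consults the CRL only when the responder cannot be reached; the `Cert` fields, the stand-in network callables and the `hard_fail` switch are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # neither source gave an answer (soft-fail outcome)

class Unreachable(Exception):
    """Raised by a status source that cannot be contacted."""

@dataclass
class Cert:
    serial: int
    ocsp_url: Optional[str] = None  # taken from the AIA extension (hypothetical field)
    crl_url: Optional[str] = None   # taken from the CDP extension (hypothetical field)

def check_revocation(cert, ocsp_query, crl_fetch, hard_fail=False):
    """OCSP first; if the responder cannot be reached, fall back to the CRL
    (RFC 2560 section 5). ocsp_query(url, serial) -> Status,
    crl_fetch(url) -> set of revoked serials; either may raise Unreachable.
    Returns (Status, name of the source that answered)."""
    if cert.ocsp_url:
        try:
            return ocsp_query(cert.ocsp_url, cert.serial), "ocsp"
        except Unreachable:
            pass  # responder down: fall through to the CRL
    if cert.crl_url:
        try:
            revoked = crl_fetch(cert.crl_url)
            return (Status.REVOKED if cert.serial in revoked else Status.GOOD), "crl"
        except Unreachable:
            pass
    if hard_fail:  # strict client: no answer means the cert is not trusted
        raise Unreachable("no revocation source reachable")
    return Status.UNKNOWN, "none"  # lenient client: proceed without an answer

# Constructed stand-ins for the network; no real responder or CRL is contacted.
def ocsp_down(url, serial):
    raise Unreachable(url)

def crl_listing_42(url):
    return {42}  # constructed CRL content: serial 42 is revoked

def crl_down(url):
    raise Unreachable(url)
```

With `hard_fail=False` the function models a soft-fail client, which is the behaviour a practitioner should be aware of when both sources are unreachable.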