Rick Andrews wrote:
> I know that FF allows you to choose a CRL and it will check status
> against that CRL when it finds a cert issued by the CRL issuer. Does
> anyone know if FF uses the CDP in the cert or the cert's issuer name
> as a key to find the CRL?

I assume you are talking about the "Revocation Lists" feature exposed in the Options > Advanced > Certificates UI. It uses the cert's issuer name. In particular, it uses CERT_CheckCRL, which calls cert_CheckCertRevocationStatus, which calls AcquireDPCache, which looks things up by issuer name. I didn't look to see whether we allow multiple CRLs for a given issuer name.

> The reason I ask is in regards to partitioned CRLs, where a CA could,
> for example, have one CRL for odd serial numbers and one for even.
> The CA would put the appropriate CDP in each cert, but would that
> confuse FF?

I'm not sure. The "Revocation Lists" feature is somewhat unmaintained and may be removed.

> Same question about OCSP responses and AIA.

Currently, Firefox uses the first OCSP responder URL listed in the end-entity cert's AIA for doing OCSP fetches.

> Does anyone know the answers for IE?

I am not sure exactly what IE does, but IIRC Microsoft has very good documentation on MSDN regarding revocation checking in Windows.

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
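The following is an added illustration of the concern raised in this exchange; it is not NSS or Firefox code. It models two ways a revocation cache can be keyed, by issuer name (as the thread says AcquireDPCache does) and by the CRL distribution point URI in the cert, and runs both against a constructed CA that partitions its CRL by serial parity. The assumption that an issuer-keyed cache holds only one CRL per issuer is mine, since the reply above explicitly leaves that question open; the CA name, serial numbers, CRL URLs and OCSP responder URLs are all made up for the example.

```python
"""Model of CRL lookup keyed by issuer name versus by CRL distribution point.

Added illustration, not NSS code. It assumes (hypothetically) that an
issuer-keyed cache retains a single CRL per issuer name, and uses
constructed sample data throughout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdp: str                 # CRL distribution point URI carried in the cert
    ocsp_urls: tuple = ()    # OCSP responder URIs from the AIA extension, in order


@dataclass(frozen=True)
class CRL:
    issuer: str
    url: str                 # distribution point this CRL was fetched from
    revoked: frozenset       # serial numbers listed as revoked


class IssuerKeyedCache:
    """One CRL per issuer name (assumed behaviour of an issuer-keyed lookup)."""

    def __init__(self):
        self._by_issuer = {}

    def add(self, crl):
        # A second CRL for the same issuer silently displaces the first.
        self._by_issuer[crl.issuer] = crl

    def lookup(self, cert):
        return self._by_issuer.get(cert.issuer)


class CDPKeyedCache:
    """One CRL per distribution point URI, so partitions stay distinct."""

    def __init__(self):
        self._by_url = {}

    def add(self, crl):
        self._by_url[crl.url] = crl

    def lookup(self, cert):
        return self._by_url.get(cert.cdp)


def check_status(cert, cache):
    """Return 'revoked', 'good' or 'unknown' for cert using the given cache."""
    crl = cache.lookup(cert)
    if crl is None or crl.issuer != cert.issuer:
        return "unknown"        # no applicable CRL available
    return "revoked" if cert.serial in crl.revoked else "good"


def first_ocsp_responder(cert):
    """Pick the first AIA OCSP URL, as the reply says Firefox does."""
    return cert.ocsp_urls[0] if cert.ocsp_urls else None


# Constructed sample data: a hypothetical CA with odd/even CRL partitions.
ISSUER = "CN=Example Partitioned CA"
ODD_CRL = CRL(ISSUER, "http://crl.example.test/odd.crl", frozenset({3, 5}))
EVEN_CRL = CRL(ISSUER, "http://crl.example.test/even.crl", frozenset({4}))
CERT_ODD = Cert(ISSUER, 5, ODD_CRL.url,
                ("http://ocsp1.example.test", "http://ocsp2.example.test"))
CERT_EVEN = Cert(ISSUER, 4, EVEN_CRL.url)


def run_demo():
    """Load both partitions into each cache and check one cert from each."""
    results = {}
    for name, cache in (("issuer", IssuerKeyedCache()), ("cdp", CDPKeyedCache())):
        cache.add(ODD_CRL)
        cache.add(EVEN_CRL)     # second partition arrives after the first
        results[name] = (check_status(CERT_ODD, cache),
                         check_status(CERT_EVEN, cache))
    return results


if __name__ == "__main__":
    for strategy, (odd, even) in run_demo().items():
        print(f"{strategy:6s}-keyed: serial 5 -> {odd}, serial 4 -> {even}")
    print("OCSP responder:", first_ocsp_responder(CERT_ODD))
```

With the issuer-keyed cache the even-partition CRL overwrites the odd one, so serial 5 (listed as revoked in the odd CRL) comes back "good"; keying on the cert's own CDP keeps both partitions and reports it revoked. That is the concrete failure a partitioned CRL would cause under the lookup the reply describes, if the cache really does retain only one CRL per issuer.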