Re: New wiki page on certificate revocation plans

2015-11-21 Thread Richard Barnes
I took a hack at the blog post. I kept your outline, but ended up text-editing a bunch of it. I think it's pretty good now. On Thu, Jul 31, 2014 at 10:07 PM, Richard Barnes wrote: > Hi all, > > We in the Mozilla PKI team have been discussing ways to improve revocation >

Re: New wiki page on certificate revocation plans

2015-11-21 Thread Richard Barnes
Sorry, wrong thread. Expect to see a security blog post about revocation soon, summarizing some recent work :) On Sat, Nov 21, 2015 at 11:59 AM, Richard Barnes wrote: > I took a hack at the blog post. I kept your outline, but ended up > text-editing a bunch of it. I

Re: New wiki page on certificate revocation plans

2014-08-11 Thread Gervase Markham
On 07/08/14 23:17, fhw...@gmail.com wrote: Curious to know the process by which cert holders will get their certs added to these lists. How much of that flow and the necessary security measures have been worked out? Cert holders get their certs added to CRLs maintained by their CA. Cert

Re: New wiki page on certificate revocation plans

2014-08-07 Thread Rob Stradling
http://dev.chromium.org/Home/chromium-security/crlsets says: The limit of the CRLSet size is 250KB Have Mozilla decided what the maximum OneCRL size will be? On 01/08/14 03:07, Richard Barnes wrote: Hi all, We in the Mozilla PKI team have been discussing ways to improve revocation checking in

Re: New wiki page on certificate revocation plans

2014-08-07 Thread Richard Barnes
On Aug 7, 2014, at 9:47 AM, Rob Stradling rob.stradl...@comodo.com wrote: http://dev.chromium.org/Home/chromium-security/crlsets says: The limit of the CRLSet size is 250KB Have Mozilla decided what the maximum OneCRL size will be? No, we haven't. The need for a limit largely depends on

Re: New wiki page on certificate revocation plans

2014-08-07 Thread fhw843
-cry...@lists.mozilla.org; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New wiki page on certificate revocation plans On Aug 7, 2014, at 9:47 AM, Rob Stradling rob.stradl...@comodo.com wrote: http://dev.chromium.org/Home/chromium-security/crlsets says: The limit of the CRLSet size

Re: New wiki page on certificate revocation plans

2014-08-04 Thread Gervase Markham
I am generally in favour of this plan - I think it's the right way to go. I am not sure we will ever get to hard-fail for plain OCSP, but I am very happy for that to be a data-driven decision somewhere down the line. On 01/08/14 03:07, Richard Barnes wrote: There's one major open issue

Re: New wiki page on certificate revocation plans

2014-08-01 Thread Richard Barnes
On Jul 31, 2014, at 11:23 PM, Jeremy Rowley jeremy.row...@digicert.com wrote: This is great. Thanks Richard! Thanks go to the whole team. This was very much a group effort. For OneCRL and the EE certs, establishing parameters around when an EE is eligible for inclusion would give

RE: New wiki page on certificate revocation plans

2014-07-31 Thread Jeremy Rowley
This is great. Thanks Richard! For OneCRL and the EE certs, establishing parameters around when an EE is eligible for inclusion would give guidance to CAs about when to report revocations. Is the OneCRL intended for when the cert is compromised because of a breach of the CA? Or can high