I am a technical director at VeriSign and was asked a question that Gerv recommended I post to this mailing list. As you know, VeriSign has spent a fair amount of time, money and effort to roll out our OCSP service, which is currently supported as an option in FF. Having said that, we're also continuing to publish CRLs/CSRs (which is also expensive), and we put both AIA and CDP extensions in most of the certs we issue.

The reason we do this is that RFC 2560 (the one describing OCSP), Section 5 "Security Considerations", says: "For this service to be effective, certificate using systems must connect to the certificate status service provider. In the event such a connection cannot be obtained, certificate-using systems could implement CRL processing logic as a fall-back position."

I'm curious to know what FF does in this regard. Does it fall back to CRLs when it cannot connect to our OCSP server? If not, are there any plans to implement something like this in the future? Since we have both of these to the standard, we want to make sure that clients are taking full advantage of both, and if not, why not?

Thanks for the help.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
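The fall-back the poster quotes from RFC 2560 section 5, written out as an added Go example (this is not Firefox/NSS code and not VeriSign's; it only illustrates the logic). It builds a constructed in-memory PKI: an issuer, a leaf carrying both an AIA OCSP URL and a CDP URL (both hypothetical `example.test` names), and an issuer-signed CRL listing the leaf's serial. The OCSP responder is modelled as unreachable, so the checker falls through to the CRL, verifies the CRL's signature and freshness, and reports the certificate as revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a revocation check.
type Status string

const (
	StatusGood    Status = "good"
	StatusRevoked Status = "revoked"
	StatusUnknown Status = "unknown" // no source could be consulted; caller decides hard/soft fail
)

// OCSPQuery stands in for an RFC 2560 request to the responder named in the AIA
// extension. It is injected so the example runs offline (assumption, not a real client).
type OCSPQuery func(url string, serial *big.Int) (Status, error)

// CRLFetch stands in for downloading the CRL named by a CDP extension URL.
type CRLFetch func(url string) (*x509.RevocationList, error)

// CheckRevocation is the RFC 2560 section 5 fall-back: every OCSP responder from
// the AIA extension is tried first; only when none can be reached are the CRL
// distribution points consulted. A CRL is trusted only if it verifies under the
// issuer's key and is not past its nextUpdate.
func CheckRevocation(cert, issuer *x509.Certificate, ocsp OCSPQuery, fetch CRLFetch) (Status, string) {
	for _, url := range cert.OCSPServer {
		if st, err := ocsp(url, cert.SerialNumber); err == nil {
			return st, "ocsp:" + url
		}
	}
	for _, url := range cert.CRLDistributionPoints {
		crl, err := fetch(url)
		if err != nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
			continue // unreachable, not signed by the issuer, or stale: try the next CDP
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return StatusRevoked, "crl:" + url
			}
		}
		return StatusGood, "crl:" + url
	}
	return StatusUnknown, ""
}

// Fixture is the constructed issuer, leaf (with AIA and CDP) and issuer-signed CRL DER.
type Fixture struct {
	Issuer *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildFixture generates the constructed test PKI in memory; it panics on generation failure.
func BuildFixture() *Fixture {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	issuer, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		OCSPServer:            []string{"http://ocsp.example.test"},        // AIA (hypothetical URL)
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}, // CDP (hypothetical URL)
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, caKey)
	check(err)
	return &Fixture{Issuer: issuer, Leaf: leaf, CRLDER: crlDER}
}

// UnreachableOCSP models the failure case the RFC describes: no connection to the responder.
func UnreachableOCSP(url string, serial *big.Int) (Status, error) {
	return StatusUnknown, errors.New("ocsp: cannot connect to " + url)
}

// FetchCRL serves the constructed CRL for the leaf's CDP URL and nothing else.
func (f *Fixture) FetchCRL(url string) (*x509.RevocationList, error) {
	if url != f.Leaf.CRLDistributionPoints[0] {
		return nil, errors.New("crl: not found at " + url)
	}
	return x509.ParseRevocationList(f.CRLDER)
}

func main() {
	f := BuildFixture()
	st, src := CheckRevocation(f.Leaf, f.Issuer, UnreachableOCSP, f.FetchCRL)
	fmt.Println(st, "via", src) // revoked via crl:http://crl.example.test/ca.crl
}
```

The order matters for the question asked: a reachable OCSP answer wins and the CRL is never fetched; an unreachable responder (connection error, not a signed "unknown" response) is what triggers the CRL path; and when neither source answers the result is `unknown`, leaving the hard-fail versus soft-fail decision to the caller rather than silently treating the certificate as good.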