Gervase Markham wrote:
> [...]
>> If we see
>> cooperation from CAs in quickly revoking those certs which are
>> vulnerable, that would be enough to convince Mozilla the right way to
>> solve the problem is to depend on option 1 and fix revocation in the
>> existing browsers.
>>
>> This is an opportunity to show that PKI infrastructure really works. It
>> is by far the best solution.
>
> The difficulty is that, according to initial reports and scans, only
> about 20% of the certs concerned have an OCSP URL.
Well, CRL can also be made to scale properly to handle a large number of revocations, but this requires a few operational changes.

- CA level change = CA splitting: don't issue too many certs under the same CA, use a new CA once it has issued too many certs (the threshold should be below 10 000 certs). The alternative, in order to avoid changing the CA constantly, would be CRL splitting: changing the CRL distribution points, and setting the critical Issuing Distribution Point in the CRL with a URL that matches the CRL DP. But this is not supported by all implementations, and especially maybe only by Fx 3 and not Fx 2.

- Client level change = Download CRLs as you need them to check some certificate, not systematically. This would also require automatically using the CRL DP to download certs, and not using manual configuration, which would have become unmanageable.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
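The two changes proposed in the message above, split CRLs scoped by a critical Issuing Distribution Point and a client that fetches a CRL only when a certificate pointing at it is being checked, can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Mozilla or from NSS. It uses plain data classes instead of real X.509 parsing, an injected fetcher instead of HTTP so it runs offline, and constructed issuer names, URLs, serial numbers and dates. The security-relevant step is the IDP scope check: a partitioned CRL is only authoritative for the distribution point its IDP names, so a CRL fetched from one DP whose IDP names another must not be accepted as proof that a serial is unrevoked.

```python
# Added example (not from the dev-tech-crypto thread): a relying-party CRL cache that
# downloads a CRL only when a certificate that points at it needs to be checked, and
# that enforces the Issuing Distribution Point (IDP) scope rule for split CRLs.
# Issuer names, URLs, serial numbers and dates below are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Set

NOW = datetime(2008, 5, 20, tzinfo=timezone.utc)   # constructed "current time"
STALE_TIME = NOW + timedelta(days=30)              # a time after every sample CRL expires


class CRLUnavailable(Exception):
    """Raised by the fetcher when no CRL can be obtained from a distribution point."""


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    crl_dp: str  # URL taken from the certificate's CRL Distribution Points extension


@dataclass
class CRL:
    issuer: str
    issuing_dp: Optional[str]  # URL from the IDP extension; None if the CRL has no IDP
    revoked: Set[int]
    this_update: datetime
    next_update: datetime


class CRLCache:
    """Fetch CRLs lazily by distribution-point URL and refresh them only when stale."""

    def __init__(self, fetch: Callable[[str], CRL]):
        self._fetch = fetch            # injected downloader, so the example runs offline
        self._by_url: Dict[str, CRL] = {}
        self.fetch_count = 0           # lets callers observe how many downloads happened

    def get(self, url: str, now: datetime) -> CRL:
        crl = self._by_url.get(url)
        if crl is None or crl.next_update <= now:   # first use, or cached copy expired
            crl = self._fetch(url)
            self.fetch_count += 1
            self._by_url[url] = crl
        return crl


def check_revocation(cert: Certificate, cache: CRLCache, now: datetime) -> str:
    """Return 'good', 'revoked', or 'undetermined: <reason>' for one certificate."""
    try:
        crl = cache.get(cert.crl_dp, now)
    except CRLUnavailable as exc:
        return f"undetermined: {exc}"
    if crl.issuer != cert.issuer:
        return "undetermined: CRL issuer does not match certificate issuer"
    if not (crl.this_update <= now < crl.next_update):
        return "undetermined: CRL is outside its validity window"
    # Scope rule for split CRLs: a CRL carrying an IDP covers only the distribution
    # point it names.  A partition that does not match the certificate's CRL DP may
    # simply never list this serial, so a mismatch is a failure, not a 'good' answer.
    if crl.issuing_dp is not None and crl.issuing_dp != cert.crl_dp:
        return "undetermined: CRL issuing distribution point does not match certificate CRL DP"
    return "revoked" if cert.serial in crl.revoked else "good"


# --- constructed sample data: one CA whose CRL is split into two partitions ---
ISSUER = "CN=Example Issuing CA 7"
DP1 = "http://crl.example.test/ca7-part1.crl"     # covers serials 1..10000
DP2 = "http://crl.example.test/ca7-part2.crl"     # covers serials 10001..20000
DP_BAD = "http://crl.example.test/ca7-part3.crl"  # the CRL served here claims DP1's scope

SAMPLE_CRLS: Dict[str, CRL] = {
    DP1: CRL(ISSUER, DP1, {17, 42}, NOW - timedelta(days=1), NOW + timedelta(days=6)),
    DP2: CRL(ISSUER, DP2, {10005}, NOW - timedelta(days=1), NOW + timedelta(days=6)),
    # Mis-published partition: fetched from DP_BAD, but its IDP names DP1.
    DP_BAD: CRL(ISSUER, DP1, set(), NOW - timedelta(days=1), NOW + timedelta(days=6)),
}

CERT_GOOD = Certificate(ISSUER, 7, DP1)
CERT_REVOKED = Certificate(ISSUER, 10005, DP2)
CERT_WRONG_SCOPE = Certificate(ISSUER, 15000, DP_BAD)


def fetch_sample(url: str) -> CRL:
    """Stand-in for an HTTP download of the CRL at a distribution point."""
    if url not in SAMPLE_CRLS:
        raise CRLUnavailable(f"no CRL available at {url}")
    return SAMPLE_CRLS[url]


def run_demo():
    """Check four certificates in sequence; return their statuses and the download count."""
    cache = CRLCache(fetch_sample)
    certs = (CERT_GOOD, CERT_REVOKED, CERT_GOOD, CERT_WRONG_SCOPE)
    statuses = [check_revocation(c, cache, NOW) for c in certs]
    return statuses, cache.fetch_count


if __name__ == "__main__":
    results, downloads = run_demo()
    for status in results:
        print(status)
    print(f"CRLs downloaded: {downloads}")   # 3: the second CERT_GOOD check hits the cache
```

Checking `CERT_GOOD` twice costs one download because the cached partition is still within its validity window, which is the "download CRLs as you need them" behaviour; the `CERT_WRONG_SCOPE` case shows why the IDP has to be compared against the DP actually used rather than merely being present.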