Gervase Markham wrote:
> Jean-Marc Desperrier wrote:
>> Well, CRL can also be made to scale properly to handle a large number of
>> revocations, but this requires a few operational changes.
>
> ...which presumably have to be made before you issue the certs?

Yes, but the reason why only 20% of the certs have an OCSP URL might largely be due to the operational constraint of being able to answer the number of OCSP requests that will come thereafter.

>> The alternative in order to avoid changing the CA constantly would be
>> CRL splitting, changing the CRL distribution points, and setting the
>> critical Issuing Distribution Point in the CRL with a URL that matches
>> the CRL DP. But this is not supported by all implementations, and
>> especially maybe only by Fx 3 and not Fx 2.
>
> Fx 3 does not, as far as I know, support CRL DPs.

There are two subtly different things here and I was in fact referring to the second:

- First, the ability to make use of the CRL DP to download a CRL. PSM doesn't do that, even on Fx3. Which is a pity since it means in practice Fx users will not check CRLs when accessing sites. It could change if Fx were preconfigured to download the CRLs of all the CAs it trusts.
- Second, being able to apply a CRL only for certs when the CRL's IDP extension content matches the CRL DP of the cert. I think libpkix must have added support for that in NSS 3.12 and Fx3. Older NSS versions will reject the CRL because they'll see the critical IDP extension that they do not handle.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
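The second point above, the scope check that applies a split CRL only when its IDP names match the cert's CRL DP, and the way a verifier without IDP support has to reject such a CRL, as an added illustration that is not code from this thread or from NSS/PSM; the CA name, URLs and serial numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class IDP:                   # CRL Issuing Distribution Point (critical per RFC 5280)
    full_names: tuple = ()   # URIs in distributionPoint.fullName
    only_user_certs: bool = False
    only_ca_certs: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset       # revoked serial numbers
    idp: Optional[IDP] = None  # None: complete CRL without an IDP extension

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    crl_dp_urls: tuple = ()  # URIs from the cert's CRL Distribution Points extension
    is_ca: bool = False

def crl_applies(cert: Cert, crl: CRL, supports_idp: bool = True) -> bool:
    """True if this CRL is in scope for cert (direct CRLs only, no indirect CRLs)."""
    if crl.issuer != cert.issuer:
        return False
    if crl.idp is None:
        return True              # complete CRL covers every cert of the issuer
    if not supports_idp:
        return False             # older NSS: unknown critical extension, CRL rejected
    if (crl.idp.only_user_certs and cert.is_ca) or (crl.idp.only_ca_certs and not cert.is_ca):
        return False
    if crl.idp.full_names:
        # RFC 5280 6.3.3(b): one IDP name must match one name in the cert's CRL DP.
        # A cert without a CRL DP has no URI to match, so a URI-scoped CRL is out of scope.
        return bool(set(crl.idp.full_names) & set(cert.crl_dp_urls))
    return True

def status(cert: Cert, crls: Sequence[CRL], supports_idp: bool = True) -> str:
    """'revoked', 'good' (in-scope CRL found, serial absent) or 'unknown' (no CRL in
    scope). An out-of-scope CRL must never produce 'good'."""
    in_scope = [c for c in crls if crl_applies(cert, c, supports_idp)]
    if not in_scope:
        return "unknown"
    return "revoked" if any(cert.serial in c.revoked for c in in_scope) else "good"

# Constructed data: one CA whose CRL is split across two distribution points.
CRL_A = CRL("CN=Example CA", frozenset({100}), IDP(("http://crl-a.example/ca.crl",)))
CRL_B = CRL("CN=Example CA", frozenset({200}), IDP(("http://crl-b.example/ca.crl",)))
CERT_1 = Cert("CN=Example CA", 100, ("http://crl-a.example/ca.crl",))
CERT_2 = Cert("CN=Example CA", 200, ("http://crl-b.example/ca.crl",))
```

With `supports_idp=False` the result is "unknown" rather than "good", which is the safe outcome when the only available CRLs carry a critical extension the verifier cannot interpret.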