Hi Nuno,
nponte wrote:
Hi,
We are running a CA that has thousands of revoked certificates
which leads to CRLs of several MBytes.
On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.
For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
My question: Is Mozilla/NSS/PSM prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached, they
must be able to merge several different partitions according to the
CDP to create a unified view over the revocation universe of a CA.
Regards,
Nuno Ponte
At the present time, Mozilla/NSS/PSM do not support partitioned CRLs.
Any CRL with the Issuing Distribution Point extension will be rejected
as unsupported.
There is work underway to enhance the CRL support in NSS 3.12.x and
support this extension. The CRL caching takes the multiple distribution
points into account. You can already see some of the code ifdef'ed for
this in crl.c and certi.h. Check for the words "XCRL". When this
support is completed, your revocation scheme will work properly with
Firefox. I do not have an ETA for this support unfortunately.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
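The scheme discussed in the thread, worked through as an added example (this is not code from the thread, from NSS or from PSM): certificates are assigned a CRL Distribution Point by serial-number range, each partition CRL carries an Issuing Distribution Point naming that same URL, and a cache keyed by distribution point merges the partitions into one view. The point a relying party has to get right is scope: a partition CRL only speaks for the certificates whose CDP matches its IDP, so "not listed in the one partition we happen to have" is "unknown", not "good". X=100 and the myca.com URLs come from the post; the class names, the constructed clock and the `support_idp` switch (which mimics the rejection behaviour the reply describes) are assumptions made here.

```python
"""Scope handling for partitioned CRLs, modelled in plain Python.

Added illustration, not code from the thread or from NSS/PSM.
Certificates and CRLs are reduced to the fields the question turns on:
a certificate's serial and CRL Distribution Point (CDP) URL; a CRL's
Issuing Distribution Point (IDP) URL, validity window and revoked
serials. Partition size X=100 and the myca.com URLs come from the post;
the names below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

PARTITION_SIZE = 100                 # X in the post
CRL_BASE = "http://myca.com/crl/"
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def partition_cdp(serial: int, size: int = PARTITION_SIZE, base: str = CRL_BASE) -> str:
    """Serials 1..size map to partition 1, size+1..2*size to 2, and so on."""
    if serial < 1:
        raise ValueError("this scheme numbers certificates from 1")
    part = (serial - 1) // size + 1
    return f"{base}myca-{part:04d}.crl"


@dataclass(frozen=True)
class Cert:
    serial: int
    cdp: str


@dataclass(frozen=True)
class CRL:
    idp: Optional[str]            # None: a complete CRL with no IDP extension
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int] = field(default_factory=frozenset)


class CRLCache:
    """Cache keyed by distribution point, so partitions never overwrite each other."""

    def __init__(self, support_idp: bool = True) -> None:
        self.support_idp = support_idp
        self._by_dp: Dict[Optional[str], CRL] = {}

    def add(self, crl: CRL) -> None:
        if crl.idp is not None and not self.support_idp:
            # Mimics what the reply describes for NSS at the time: a CRL
            # carrying the IDP extension is rejected as unsupported.
            raise ValueError("CRL with Issuing Distribution Point unsupported")
        current = self._by_dp.get(crl.idp)
        if current is None or crl.this_update > current.this_update:
            self._by_dp[crl.idp] = crl

    def status(self, cert: Cert, now: datetime = NOW) -> str:
        """Return 'revoked', 'good' or 'unknown'.

        Per RFC 5280 section 6.3.3 a CRL with an IDP only covers
        certificates whose CDP matches it, so absence from some other
        partition's CRL proves nothing. Preference order here: the
        partition matching the cert's CDP, then a complete CRL without IDP.
        """
        for key in (cert.cdp, None):
            crl = self._by_dp.get(key)
            if crl is None:
                continue
            if not (crl.this_update <= now < crl.next_update):
                continue          # stale or not-yet-valid CRL cannot be relied on
            return "revoked" if cert.serial in crl.revoked else "good"
        return "unknown"


def build_demo_cache() -> CRLCache:
    """Constructed scenario: partition 1 is fresh and lists serial 42;
    partition 3 is present but expired; partition 2 was never fetched."""
    cache = CRLCache()
    cache.add(CRL(idp=partition_cdp(1),
                  this_update=NOW - timedelta(days=1),
                  next_update=NOW + timedelta(days=6),
                  revoked=frozenset({42})))
    cache.add(CRL(idp=partition_cdp(201),
                  this_update=NOW - timedelta(days=30),
                  next_update=NOW - timedelta(days=23),
                  revoked=frozenset()))
    return cache


def demo() -> Dict[int, str]:
    """Status of four constructed certificates against the demo cache."""
    cache = build_demo_cache()
    return {s: cache.status(Cert(s, partition_cdp(s))) for s in (42, 7, 150, 250)}


if __name__ == "__main__":
    for serial, st in demo().items():
        print(f"{serial:4d} {partition_cdp(serial)} -> {st}")
```

Serial 150 is the case that matters: it is absent from the only fresh CRL in the cache, yet its status is unknown, because that CRL's IDP is partition 1 and the certificate points at partition 2. A client that treated any cached CRL from the issuer as complete would wrongly report it as good.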