Hi Julien,

Thanks for your reply.

Is there any ticket filed in bugzilla where I can track developments on this issue?

Regards,
Nuno

On Oct 20, 8:22 pm, Julien R Pierre - Sun Microsystems <[EMAIL PROTECTED]> wrote:
> Hi Nuno,
>
> nponte wrote:
> > Hi,
> >
> > We are running a CA that has thousands of revoked certificates
> > which leads to CRLs of several MBytes.
> >
> > On the next renewal of the CA, we are thinking of partitioning the
> > CRLs at each X number of issued certificates. The issued certificates
> > will have different CRL Distribution Points (CDP) according to the
> > partitions they are assigned.
> >
> > For example, for X=100, from certificate 1 to certificate 100, the
> > CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> > to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
> >
> > My question: Is Mozilla/NSS/PSM prepared to support partitioned
> > CRLs like the way described? In particular, if CRLs are cached, they
> > must be able to merge several different partitions according to the
> > CDP to create a unified view over the revocation universe of a CA.
> >
> > Regards,
> >
> > Nuno Ponte
>
> At the present time, Mozilla/NSS/PSM do not support partitioned CRLs.
> Any CRL with the Issuing Distribution Point extension will be rejected
> as unsupported.
>
> There is work underway to enhance the CRL support in NSS 3.12.x and
> support this extension. The CRL caching takes the multiple distribution
> points into account. You can already see some of the code ifdef'ed for
> this in crl.c and certi.h. Check for the words "XCRL". When this
> support is completed, your revocation scheme will work properly with
> Firefox. I do not have an ETA for this support unfortunately.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
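
A sketch of the partition-aware cache lookup this thread discusses, as an added example that is not NSS code and not part of the original messages. The URL pattern and X=100 come from the post; the class and function names are hypothetical, and each CRL is modeled as a plain set of revoked serial numbers, with no signature checking or extension parsing.

```python
from enum import Enum

PARTITION_SIZE = 100  # X=100, as in the post
CDP_TEMPLATE = "http://myca.com/crl/myca-{:04d}.crl"  # URL pattern from the post


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # the partition covering this certificate is not cached


def cdp_for_serial(serial: int) -> str:
    """CDP the CA would embed in certificate number `serial` (1-based)."""
    if serial < 1:
        raise ValueError("certificate numbers start at 1")
    return CDP_TEMPLATE.format((serial - 1) // PARTITION_SIZE + 1)


class PartitionedCrlCache:
    """Hypothetical cache holding one entry per (issuer, distribution point)."""

    def __init__(self):
        self._partitions = {}  # (issuer, cdp) -> frozenset of revoked serials

    def store(self, issuer: str, idp: str, revoked_serials):
        # `idp` stands in for the CRL's Issuing Distribution Point value.
        self._partitions[(issuer, idp)] = frozenset(revoked_serials)

    def check(self, issuer: str, serial: int, cert_cdp: str) -> Status:
        # Only the partition whose IDP matches the certificate's CDP is
        # authoritative for it; other cached partitions say nothing about it.
        revoked = self._partitions.get((issuer, cert_cdp))
        if revoked is None:
            return Status.UNKNOWN  # never report GOOD from a missing partition
        return Status.REVOKED if serial in revoked else Status.GOOD


# Constructed sample data: only the first partition has been fetched.
cache = PartitionedCrlCache()
cache.store("CN=MyCA", cdp_for_serial(1), {17, 42})
```

Certificate 150 belongs to the second partition, so with only the first partition cached its status comes back as unknown rather than good.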