Eddy Nigg wrote:
> On 02/03/2009 08:05 AM, Kaspar Brand:
> Mozilla currently includes EV enabled roots of CAs which do not yet
> provide OCSP responses for their server certs.
> Correct and this is a problem for both the CA and Mozilla...
> It's supposed to do so, but current Firefox versions will happily show
> the EV indicator if an EV end-entity cert doesn't include an OCSP
> responder URI (see https://bugzilla.mozilla.org/show_bug.cgi?id=413997
> and https://bugzilla.mozilla.org/show_bug.cgi?id=474606, and try
> https://addons.mozilla.org).
> ...just imagine, the CA has to revoke an EV certificate and Mozilla
> continues to happily show the green address bar. This isn't just a
> problem for the relying party, this can be a big one for Mozilla (and
> the CA).
We're talking with our existing CRL-based EV CAs as we speak to work out
a better solution for 3.1, now that the underlying NSS validation code
is (correctly) treating absence of CRL (albeit due to our own lack of
CRLDP support, until recently patent encumbered) as a failure for EV
purposes. One option is to implement bare-bones CRLDP in time, another
is to pre-load those CRLs and then employ the already existent (with one
bug that has a patch) CRL auto-update mechanism, and yet another is to
encourage those CAs to move to OCSP ahead of schedule.
As the options resolve themselves, you can be assured that I'll be back
in here to update the situation.
Johnathan
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
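The thread turns on one property of an EV end-entity certificate: whether it carries an OCSP responder URI (in the Authority Information Access extension), only a CRL distribution point, or neither, since a client that cannot reach revocation data has no business showing the EV indicator. The following is an added example, not code from this thread, from Mozilla or from NSS: a small pure-stdlib DER walker that extracts both kinds of pointer from a certificate's extensions block and classifies what a revocation-aware client could do with it. The function and constant names are the example's own, and the three sample extension blocks are constructed inline (they are bare `[3] Extensions` structures, not full certificates, with made-up `.example.test` URLs).

```python
"""Find OCSP responder URIs and CRL distribution points in a DER-encoded
X.509 extensions block, and classify the certificate's revocation posture.
Added example for the dev-tech-crypto discussion; not Mozilla or NSS code.
Assumed names: revocation_pointers(), ev_revocation_status(), sample data."""

OID_OCSP = bytes.fromhex("2b06010505073001")   # id-ad-ocsp   1.3.6.1.5.5.7.48.1
OID_AIA = bytes.fromhex("2b06010505070101")    # id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
OID_CRLDP = bytes.fromhex("551d1f")            # id-ce-cRLDistributionPoints 2.5.29.31


def tlv(tag, content):
    """Encode one DER TLV with a minimal-length header."""
    n = len(content)
    if n < 0x80:
        hdr = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + hdr + content


def der_len(buf, i):
    """Decode a DER length at offset i; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def walk(buf):
    """Yield (tag, content) for every TLV in buf, descending into constructed
    tags and into OCTET STRINGs that hold a nested SEQUENCE (extension values
    are DER wrapped in an OCTET STRING)."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, start = der_len(buf, i + 1)
        content = buf[start:start + length]
        yield tag, content
        if tag & 0x20 or (tag == 0x04 and content[:1] == b"\x30"):
            yield from walk(content)
        i = start + length


def uris_in(buf):
    """All GeneralName uniformResourceIdentifier ([6] IA5String) values in buf."""
    return [c.decode("ascii") for t, c in walk(buf) if t == 0x86]


def revocation_pointers(der):
    """Return {'ocsp': [...], 'crl': [...]} for an extensions block or whole cert.
    An AccessDescription SEQUENCE starts with id-ad-ocsp; the CRLDP Extension
    SEQUENCE starts with its extnID, so matching on the leading OID is enough."""
    found = {"ocsp": [], "crl": []}
    for tag, content in walk(der):
        if tag != 0x30:
            continue
        if content.startswith(tlv(0x06, OID_OCSP)):
            found["ocsp"] += uris_in(content)
        elif content.startswith(tlv(0x06, OID_CRLDP)):
            found["crl"] += uris_in(content)
    return found


def ev_revocation_status(der):
    """'ocsp': checkable by an OCSP-capable client (what EV treatment expects);
    'crldp-only': checkable only by a client that implements CRLDP fetching;
    'none': revocation cannot be checked, so EV treatment should be withheld."""
    p = revocation_pointers(der)
    if p["ocsp"]:
        return "ocsp"
    if p["crl"]:
        return "crldp-only"
    return "none"


# ---- constructed sample extension blocks (hypothetical URLs) ----
def uri(s):
    return tlv(0x86, s.encode("ascii"))


def aia_extension(ocsp_url):
    # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription {OID, GeneralName}
    access = tlv(0x30, tlv(0x06, OID_OCSP) + uri(ocsp_url))
    return tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, tlv(0x30, access)))


def crldp_extension(crl_url):
    # DistributionPoint { [0] EXPLICIT DistributionPointName { fullName [0] GeneralNames } }
    dp = tlv(0x30, tlv(0xA0, tlv(0xA0, uri(crl_url))))
    return tlv(0x30, tlv(0x06, OID_CRLDP) + tlv(0x04, tlv(0x30, dp)))


def extensions(*exts):
    # TBSCertificate extensions field: [3] EXPLICIT SEQUENCE OF Extension
    return tlv(0xA3, tlv(0x30, b"".join(exts)))


EV_WITH_OCSP = extensions(aia_extension("http://ocsp.example.test/"),
                          crldp_extension("http://crl.example.test/ev.crl"))
EV_CRL_ONLY = extensions(crldp_extension("http://crl.example.test/ev.crl"))
EV_BARE = extensions()

if __name__ == "__main__":
    for name, blob in [("with OCSP", EV_WITH_OCSP), ("CRL only", EV_CRL_ONLY), ("bare", EV_BARE)]:
        print(name, revocation_pointers(blob), ev_revocation_status(blob))
```

Run on a real certificate, the same walker accepts the full DER (`cert.public_bytes(Encoding.DER)` or the output of `openssl x509 -outform DER`), because the extensions field is found by descending rather than by fixed offsets. The "crldp-only" outcome is exactly the case the thread describes: a CA whose EV certificates point only at a CRL, which a client without CRLDP support treats as "no revocation data".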