On 02/03/2009 01:47 PM, Johnathan Nightingale:
> We're talking with our existing CRL-based EV CAs as we speak to work out a better solution for 3.1, now that the underlying NSS validation code is (correctly) treating absence of CRL (albeit due to our own lack of CRLDP support, until recently patent encumbered) as a failure for EV purposes. One option is to implement bare-bones CRLDP in time,
Which I would applaud... Additionally, CRLs could function as a fallback in case OCSP failed.
> is to pre-load those CRLs and then employ the already existent
Which should be discouraged, since there are other CAs relying on CRLs; additionally, the CAs couldn't move the CRLs to a different URL.
> bug that has a patch) CRL auto-update mechanism, and yet another is to encourage those CAs to move to OCSP ahead of schedule.
For EV I fail to understand the logic for not implementing OCSP at this stage. It should have been made mandatory right from the start. Some CAs have had it for years already...
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto