Our esteemed kathleen95...@yahoo.com wrote on 2009-02-09 10:44 PST:

> As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule
> Hongkong Post is the next request in the queue for public discussion.
>
> Hongkong Post (a national government CA under the law of Hong Kong
> Special Administrative Region of China) has applied to add one new
> root CA certificate to the Mozilla root store, as documented in the
> following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=408949

Kathleen (and others):

What is the resolution to the issue with critical CRL IDP extensions in this CA's CRLs?

As reported in https://bugzilla.mozilla.org/show_bug.cgi?id=408949#c27 this CA uses partitioned CRLs with CRL IDP extensions marked critical. NSS does not handle partitioned CRLs at this time, and any CRLs with critical CRL IDP extensions are rejected due to the presence of unknown critical extensions.

At present, this causes no problem because Firefox and NSS do not automatically fetch CRLs using the CRL DP extension. But we're working on that, and when we implement it, it may well cause problems. It is much less likely to cause problems for CAs that are NOT approved for EV than for CAs that ARE approved for EV, so one relevant question is: is this CA intended to be approved for EV?

This is probably a policy question, but: are we willing to accept CAs that use CRLs that we cannot parse?

Does this CA also implement OCSP? Can we justify this on the grounds that we do implement OCSP, and that OCSP will effectively displace CRLs as the preferred revocation channel?
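
The rejection described in the message above, sketched as an added Python example that is not part of the original message and is not NSS code: it walks a DER CRL, lists the extensions marked critical, and applies the RFC 5280 rule that a CRL carrying a critical extension the client cannot process must not be used. The function names, the `understood` set, and the sample CRL (placeholder URL, dummy signature) are constructed for illustration.

```python
IDP = "2.5.29.28"         # id-ce-issuingDistributionPoint
CRL_NUMBER = "2.5.29.20"  # id-ce-cRLNumber

def children(buf):
    """Split DER bytes into a list of (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def oid_str(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if byte < 0x80:  # last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def critical_extensions(crl_der):
    """OIDs of the extensions marked critical in a DER CertificateList."""
    tbs = children(children(crl_der)[0][1])[0][1]
    wrapped = [v for t, v in children(tbs) if t == 0xA0]  # crlExtensions [0] EXPLICIT
    exts = children(children(wrapped[0])[0][1]) if wrapped else []
    fields = [children(e) for _, e in exts]
    # critical is BOOLEAN DEFAULT FALSE, so DER carries it only when TRUE
    return [oid_str(f[0][1]) for f in fields if len(f) == 3 and f[1] == (0x01, b"\xff")]

def accepts(crl_der, understood):
    """RFC 5280: a CRL with a critical extension the client cannot process is unusable."""
    return all(oid in understood for oid in critical_extensions(crl_der))

# Constructed sample only: minimal DER encoder (bodies < 256 bytes) and a CRL skeleton.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)] if len(body) < 128 else [tag, 0x81, len(body)]) + body

def ext(oid_hex, value, critical=False):
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)), der(0x01, b"\xff") if critical else b"", der(0x04, value))

_idp = der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/part1.crl"))))
_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
_name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")), der(0x0C, b"Constructed Test CA"))))
_exts = der(0xA0, der(0x30, ext("551d1c", _idp, critical=True), ext("551d14", der(0x02, b"\x01"))))
_tbs = der(0x30, der(0x02, b"\x01"), _alg, _name, der(0x17, b"090209000000Z"), _exts)
SAMPLE_CRL = der(0x30, _tbs, _alg, der(0x03, b"\x00" * 5))
```

`accepts(SAMPLE_CRL, {CRL_NUMBER})` models a client that does not process the IDP extension and so discards the CRL; adding `IDP` to the set models one that does.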