On 02/13/2009 05:58 AM, Nelson B Bolyard:
Recently, a CA that uses partitioned CRLs applied to admission to
the Mozilla/NSS root CA list. Our choices appear to be:
1) Do not admit their root until support for partitioned CRLs is done.
(There is no active plan of record to do that work at this time.)
2) IF they also support OCSP, admit them on that basis
3) If not, admit their root anyway, knowing that their CRLs will not
work with NSS, not even when CRLDP work is done.
I think the last option is not a good choice. I'm OK with either of
the others. The responses I've seen don't seem to clearly indicate
which of the above 3 choices are acceptable.
Obviously #2 would be preferred. On the other hand, we lived without any
revocation checking by default before FF3, so why should we require it now?
From the CA point of view, I wouldn't want to be in the situation of
#3, nor if we look at it from the Mozilla side. At least pre-FF3
we had OCSP and CRL support, but the user had to enable either of them
manually. The CP/CPSs of CAs usually require revocation checking by the
relying party, but with software which doesn't support it at all, it's
not reasonable to expect out-of-band revocation checking by the relying
party. That's the main difference, hence #3 is kind of irresponsible,
because it's known not to work.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto