On Feb 13, 11:58 am, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Michael Ströder wrote, On 2009-02-10 00:27:
>
> > Nelson B Bolyard wrote:
> >> This is probably a policy question, but: are we willing to accept CAs
> >> that use CRLs that we cannot parse?
>
> > I'd say no.
>
> >> Does this CA also implement OCSP? Can we justify this on the grounds
> >> that we do implement OCSP, and that OCSP will effectively displace CRLs
> >> as the preferred revocation channel?
>
> > I'd say no. Use of OCSP should not be made mandatory.
>
> No one has proposed anything that would make OCSP mandatory.
> At the present time, we support OCSP and "full" CRLs.
> We do not support "partitioned" CRLs.
> Very few CAs use partitioned CRLs.
>
> Support of partitioned CRLs is separate from support for CRLDP and
> fetching of CRLs from URLs in CRLDP extensions. Support for one of
> those does not automatically imply support for the other.
>
> Recently, a CA that uses partitioned CRLs applied for admission to
> the Mozilla/NSS root CA list. Our choices appear to be:
>
> 1) Do not admit their root until support for partitioned CRLs is done.
> (There is no active plan of record to do that work at this time.)
> 2) If they also support OCSP, admit them on that basis.
> 3) If not, admit their root anyway, knowing that their CRLs will not
> work with NSS, not even when CRLDP work is done.
>
Given that at present Mozilla supports OCSP and "full" CRLs, if supporting OCSP is one basis for admission of the CA root, should there be a choice that:

4) If the CA supports "full" CRLs, admit the CA on that basis too.

> I think the last option is not a good choice. I'm OK with either of
> the others. The responses I've seen don't seem to clearly indicate
> which of the above 3 choices are acceptable.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
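The distinction the thread turns on (a "full" CRL versus a "partitioned" one) is visible in the CRL itself: per RFC 5280 section 5.2.5, a CRL whose scope is limited to one distribution point, to some reasons, or to only user or only CA certificates carries the critical issuingDistributionPoint extension (OID 2.5.29.28), and a CRL without it is the complete CRL for its issuer. The script below is an added example, not code from the thread, from NSS or from Mozilla, that builds two constructed sample CRLs (with a placeholder, unsigned signature field and a made-up distribution point URL) and reports which kind each is, the check a root-program reviewer could run over a CA's published CRLs before admission. It is a deliberately small pure-Python DER reader, so it handles the standard CRL layout only and does not verify signatures.

```python
"""Classify a DER-encoded X.509 CRL as "full" or "partitioned".

A partitioned CRL carries the issuingDistributionPoint (IDP) extension,
OID 2.5.29.28, marked critical (RFC 5280 5.2.5). The sample CRLs built
here are constructed for this example; their signature field is a dummy.
"""

OID_IDP = "2.5.29.28"                 # id-ce-issuingDistributionPoint
OID_CRL_NUMBER = "2.5.29.20"          # id-ce-cRLNumber
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_CN = "2.5.4.3"
SAMPLE_DP_URI = "http://crl.example.test/part1.crl"   # hypothetical DP URL

# ---- minimal DER encoder, used only to build the constructed samples ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_crl(partitioned: bool, dp_uri: str = SAMPLE_DP_URI) -> bytes:
    """Constructed CertificateList: v2 TBSCertList, one revoked entry, cRLNumber,
    and, if partitioned, a critical IDP with distributionPoint = fullName = URI."""
    alg = tlv(0x30, encode_oid(OID_SHA256_RSA) + b"\x05\x00")
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(OID_CN) + tlv(0x0C, b"Example CA"))))
    this_update = tlv(0x17, b"090213000000Z")
    next_update = tlv(0x17, b"090313000000Z")
    revoked = tlv(0x30, tlv(0x30, tlv(0x02, b"\x10\x01") + tlv(0x17, b"090201120000Z")))
    exts = [tlv(0x30, encode_oid(OID_CRL_NUMBER) + tlv(0x04, tlv(0x02, b"\x07")))]
    if partitioned:
        uri = tlv(0x86, dp_uri.encode("ascii"))      # GeneralName [6] uniformResourceIdentifier
        full_name = tlv(0xA0, uri)                    # DistributionPointName fullName [0]
        dp = tlv(0xA0, full_name)                     # IDP distributionPoint [0] (explicit)
        idp = tlv(0x30, dp)
        exts.append(tlv(0x30, encode_oid(OID_IDP) + b"\x01\x01\xff" + tlv(0x04, idp)))
    tbs = tlv(0x30, b"\x02\x01\x01" + alg + issuer + this_update + next_update + revoked
              + tlv(0xA0, tlv(0x30, b"".join(exts))))
    sig = tlv(0x03, b"\x00" + b"\x00" * 32)          # placeholder BIT STRING, not a real signature
    return tlv(0x30, tbs + alg + sig)

# ---- minimal DER reader (single-byte tags, which is all a CRL uses) ----
def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der: bytes):
    """Yield (oid, critical, extnValue bytes) from the CRL's crlExtensions [0]."""
    _, cert_list, _ = der_read(crl_der, 0)
    _, tbs, _ = der_read(cert_list, 0)
    fields = der_children(tbs)
    if not fields or fields[-1][0] != 0xA0:          # no crlExtensions present
        return []
    _, ext_seq = der_children(fields[-1][1])[0]
    result = []
    for _, ext in der_children(ext_seq):
        parts = der_children(ext)
        critical = len(parts) == 3 and parts[1][1] != b"\x00"   # BOOLEAN present and TRUE
        result.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return result

def classify_crl(crl_der: bytes):
    """Return ("full", None) or ("partitioned", dict of IDP scope fields)."""
    for oid, critical, value in crl_extensions(crl_der):
        if oid != OID_IDP:
            continue
        _, idp, _ = der_read(value, 0)
        info = {"critical": critical, "distribution_point": None, "only_user_certs": False,
                "only_ca_certs": False, "only_some_reasons": False, "indirect": False}
        for tag, body in der_children(idp):
            if tag == 0xA0:                           # distributionPoint
                name_tag, name, _ = der_read(body, 0)
                if name_tag == 0xA0:                  # fullName: GeneralNames, keep URIs
                    info["distribution_point"] = [v.decode("ascii") for t, v in der_children(name) if t == 0x86]
                else:                                 # nameRelativeToCRLIssuer
                    info["distribution_point"] = "relative-name"
            elif tag == 0x81:
                info["only_user_certs"] = body != b"\x00"
            elif tag == 0x82:
                info["only_ca_certs"] = body != b"\x00"
            elif tag == 0x83:
                info["only_some_reasons"] = True
            elif tag == 0x84:
                info["indirect"] = body != b"\x00"
        return "partitioned", info
    return "full", None

if __name__ == "__main__":
    for flag in (False, True):
        print(classify_crl(build_crl(flag)))
```

To run it over a real CRL, read the DER file (or base64-decode the PEM body) and pass the bytes to `classify_crl`; a "partitioned" result with a `distribution_point` list is the case the thread says NSS of that era could not use, independent of whether CRLDP fetching is implemented.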