At 7:58 PM -0800 2/12/09, Nelson B Bolyard wrote:
>Recently, a CA that uses partitioned CRLs applied to admission to
>the Mozilla/NSS root CA list. Our choices appear to be:
>
>1) Do not admit their root until support for partitioned CRLs is done.
>(There is no active plan of record to do that work at this time.)
>2) IF they also support OCSP, admit them on that basis
>3) If not, admit their root anyway, knowing that their CRLs will not
>work with NSS, not even when CRLDP work is done.
>
>I think the last option is not a good choice. I'm OK with either of
>the others. The responses I've seen don't seem to clearly indicate
>which of the above 3 choices are acceptable.

A Mozilla policy that says "we allow trust anchors for which we cannot do revocation checking" seems wrong. #2 seems fine to me. So does #1, although I would not want that policy to accelerate the implementation of partitioned CRLs unless we see many other CAs using them.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto