Paul Hoffman wrote:
> At 7:58 PM -0800 2/12/09, Nelson B Bolyard wrote:
>> Recently, a CA that uses partitioned CRLs applied to admission to
>> the Mozilla/NSS root CA list. Our choices appear to be:
>> 1) Do not admit their root until support for partitioned CRLs is done.
>> (There is no active plan of record to do that work at this time.)
>> 2) IF they also support OCSP, admit them on that basis
>> 3) If not, admit their root anyway, knowing that their CRLs will not
>> work with NSS, not even when CRLDP work is done.
>> I think the last option is not a good choice. I'm OK with either of
>> the others. The responses I've seen don't seem to clearly indicate
>> which of the above 3 choices are acceptable.
> A Mozilla policy that says "we allow trust anchors for which we cannot
> do revocation checking" seems wrong.
Well, yes, but as Eddy pointed out for the past 10+ years we've had a
policy that basically amounted to the same thing, at least from the
point of view of the typical user -- yes, we supported manual
configuration and loading of CRLs, but the number of people who did that
(or who understood what it meant to do it) was likely extremely small.
Having said that, it is true that we are taking revocation more
seriously nowadays (and rightly so, in my opinion). Given that, here are
my brief thoughts:
* For EV certs we should definitely make revocation by default a priority.
* For non-EV certs I'd be willing to live with Nelson's option #3 in the
near term, if we can get the technical issues clarified (e.g., the
question Jean-Marc Desperrier had) and can work out some sort of plan
with the CA for addressing the issue in the longer term.
> #2 seems fine to me. So does #1,
> although I would not want that policy to accelerate the implementation
> of partitioned CRLs unless we see many other CAs using them.
I think implementation of partitioned CRLs is already blocked by
insufficient developer resources, independent of what our policy might
say on the matter.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto