Jean-Marc Desperrier wrote:
> Frank Hecker wrote:
>> [...] Am I right that someone
>> who wished to check revocation status on EE certs in Firefox could just
>> download the full CRL and use that? [...]
>
> The right word is indeed *could*.
> The address of that CRL *does not* appear inside the certificate, and
> the address of the CRL that does appear is not usable for Firefox.

I understand. My immediate concern was not with the ease of finding the
full CRL, but with whether it would work if a user found it.
As we're all aware, enabling revocation using CRLs has been and still is
a "power user" feature for Firefox and other Mozilla-based products. So
my concern right now is not with ease of use for typical users, but with
whether power users will be able to enable CRL-based revocation for
Hongkong Post if they have the necessary information regarding where to
find the correct CRL.
(We already publish such information ourselves, e.g., as part of the
pending list, and we could do this in a more standard way, e.g., by
putting together a list of CRLs for all included CAs and publishing this
on www.mozilla.org.)

> It's a quite strong deterrent for the use of CRL for that CA with
> Firefox, and I'd really prefer to see a statement from that CA that they
> will change the profile of their cert to also include the full CRL as an
> alternative, as soon as possible.

See my subsequent post in reply to Nelson for my comments on this issue.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto