ma...@e-mice.net wrote re ignoring CRLs with the IDP extension:
This approach makes a lot of sense to the implementation because if
the implementation could know whether the certificate is on the list,
it has already supported CIDP and the question itself is not a
question any more. Right?

I'm not the expert here, so I'll have to defer to others on how the language of RFC 5280 should be interpreted. I have no problem with NSS ignoring CRLs with CIDP extensions in the context of CRLDP support; however I think that (e.g.) Firefox should not treat this as an error but should proceed as if no CRL were ever seen. (I think it's OK to show an error message when the user manually loads a CRL into Firefox, but I question whether it is useful and right to do so when the error is a side-effect of auto-fetching a CRL from a CRL distribution point.)

I'd assume that FF should keep supporting manual import of CRLs in its
future release. Hongkong Post could advise users to import the full
CRL, instead of the partitioned CRLs, so that the certificate would
not always be treated as unknown status. That would be consistent with
the wording of the RFC too.

I can't speak for the NSS developers, however speaking personally I see no reason to drop support for manual import of CRLs.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
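The thread turns on how a relying party should handle a CRL that carries the Issuing Distribution Point (IDP) extension: RFC 5280 section 6.3.3 (b) requires checking that a partitioned CRL actually covers the certificate being validated, and an implementation that cannot interpret the extension has to treat the CRL as if it had never been seen (status "unknown") rather than as proof of either good or revoked status. The following is an added illustration, not code from NSS, Firefox or anyone in this thread; it is a simplified pure-Python model in which `IssuingDistributionPoint`, `CRL`, `Certificate`, the single-URI `distribution_point` field and the sample values (the `example.invalid` URLs, serials and names) are all constructed for the example and stand in for the real ASN.1 structures.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """Simplified model of the RFC 5280 IDP extension (assumed field names)."""
    distribution_point: Optional[str] = None  # one URI standing in for GeneralNames
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_some_reasons: Optional[FrozenSet[str]] = None
    indirect_crl: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: FrozenSet[int]
    idp: Optional[IssuingDistributionPoint] = None  # None => full CRL


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    is_ca: bool
    crl_distribution_points: FrozenSet[str] = frozenset()


def crl_is_in_scope(cert: Certificate, crl: CRL) -> bool:
    """RFC 5280 6.3.3 (b): does this CRL cover this certificate at all?"""
    idp = crl.idp
    if idp is None:
        return crl.issuer == cert.issuer
    # Unless the CRL is marked indirect, it only speaks for its own issuer's certs.
    if not idp.indirect_crl and crl.issuer != cert.issuer:
        return False
    # A partitioned CRL names its distribution point; the certificate must point at it.
    if idp.distribution_point is not None and \
            idp.distribution_point not in cert.crl_distribution_points:
        return False
    if idp.only_contains_user_certs and cert.is_ca:
        return False
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False
    return True


def revocation_status(cert: Certificate, crl: CRL, supports_idp: bool) -> str:
    """Return GOOD, REVOKED or UNKNOWN for `cert` given one fetched CRL.

    An implementation without IDP support must not draw any conclusion from
    an IDP CRL: it returns UNKNOWN, exactly as if no CRL had been fetched.
    """
    if crl.idp is not None and not supports_idp:
        return UNKNOWN
    if not crl_is_in_scope(cert, crl):
        return UNKNOWN  # wrong partition: absence from this list proves nothing
    if cert.serial in crl.revoked_serials:
        return REVOKED
    if crl.idp is not None and crl.idp.only_some_reasons is not None:
        # This partition lists only some reason codes; the cert may still be
        # revoked for a reason covered by another partition.
        return UNKNOWN
    return GOOD


# Constructed sample data (not real certificates or CRLs).
ISSUER = "CN=Example Sub CA"
DP1 = "http://crl.example.invalid/part1.crl"
DP2 = "http://crl.example.invalid/part2.crl"

CERT_A = Certificate(ISSUER, serial=42, is_ca=False, crl_distribution_points=frozenset({DP1}))
CERT_B = Certificate(ISSUER, serial=42, is_ca=False, crl_distribution_points=frozenset({DP2}))
CERT_C = Certificate(ISSUER, serial=7, is_ca=False, crl_distribution_points=frozenset({DP1}))

FULL_CRL = CRL(ISSUER, revoked_serials=frozenset({42}))
PARTITIONED_CRL = CRL(ISSUER, revoked_serials=frozenset({42}),
                      idp=IssuingDistributionPoint(distribution_point=DP1,
                                                   only_contains_user_certs=True))

if __name__ == "__main__":
    for name, cert in (("A", CERT_A), ("B", CERT_B), ("C", CERT_C)):
        print(name, "full:", revocation_status(cert, FULL_CRL, supports_idp=False),
              "partitioned/no-IDP:", revocation_status(cert, PARTITIONED_CRL, supports_idp=False),
              "partitioned/IDP:", revocation_status(cert, PARTITIONED_CRL, supports_idp=True))
```

The point the model makes is the one raised above: a full CRL imported manually answers the question directly, while an auto-fetched partitioned CRL yields "unknown" for a client without IDP support and also for a certificate whose distribution point is a different partition. Whether "unknown" is then surfaced as a hard error or silently treated as "no CRL seen" is a policy decision outside this function, which is where the thread's Firefox versus NSS distinction lives.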
