ma...@e-mice.net wrote:
Hongkong Post is seriously looking into this suggestion right now.
However, I can imagine that the decision will be very tough because,
you know, traditionally revocation checking is done by the application
developer or none. I have doubts whether most of the application developers
who rely on Hongkong Post certificates can support both CRLs in the
CRLDP extension.
I understand your concern. Both RFC 3280 and RFC 5280 clearly allow for
multiple names to be listed with the CRL DP extension; however they also
say that
If the DistributionPointName contains multiple values, each name
describes a different mechanism to obtain *the same CRL*. For
example, the same CRL could be available for retrieval through both
LDAP and HTTP. [emphasis added]
(The relevant language is the same in both RFC 3280 and RFC 5280.)
So it may be that an implementation could conform to both RFC 3280 and
5280 and *not* support the case where the DistributionPointName includes
two HTTP URIs, one pointing to a full CRL and one to a partitioned CRL.
As you note, we could make NSS support this case, but it might not work
with other implementations.
As I wrote before, if we include the Hongkong Post root in Mozilla
products and Hongkong Post does not change its current practices, then
it is possible that at some point in the future certificates issued by
Hongkong Post will no longer work with Firefox and other Mozilla-based
products. Since Hongkong Post would be (as far as we know) the only CA
included in Mozilla that uses partitioned CRLs, and since we have no
commitment at this time to support partitioned CRLs, we would not fix
the problem ourselves. It would be the responsibility of Hongkong Post
to change its own practices if it wished to have its certificates
continue to be recognized in Firefox, etc.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
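To make the RFC 5280 point in Frank's reply concrete, here is an added example (not code from the thread, from NSS, or from Hongkong Post) that walks the DER of a CRLDistributionPoints extension value and flags any single DistributionPoint whose names share a URI scheme, since the RFC treats names within one DistributionPointName as alternative ways to fetch the same CRL. The hostnames in the constructed test input are placeholders, and only URI-form GeneralNames are collected.

```python
# Added example: minimal DER walker for the CRLDistributionPoints extension value
# (RFC 5280 section 4.2.1.13) and a lint for "two http URIs in one DistributionPoint".
# Assumption: only uniformResourceIdentifier ([6]) names are collected.

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Split a constructed value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_crldp(der):
    """Return one list of URI strings per DistributionPoint."""
    _, seq, _ = _tlv(der, 0)                # outer SEQUENCE OF DistributionPoint
    points = []
    for _, dp in _children(seq):
        uris = []
        for ctag, cval in _children(dp):    # keep distributionPoint [0], skip reasons/cRLIssuer
            if ctag == 0xA0:
                for ntag, nval in _children(cval):
                    if ntag == 0xA0:        # fullName [0] GeneralNames
                        uris += [v.decode("ascii") for t, v in _children(nval) if t == 0x86]
        points.append(uris)
    return points

def lint_crldp(der):
    """RFC 5280: names within ONE DistributionPointName are alternative ways to get the
    SAME CRL, so two names with the same scheme (e.g. two http URIs) cannot legitimately
    mean 'full CRL here, partitioned CRL there'. Return the offending DP indexes."""
    bad = []
    for i, uris in enumerate(parse_crldp(der)):
        schemes = [u.split(":", 1)[0].lower() for u in uris]
        if len(schemes) != len(set(schemes)):
            bad.append(i)
    return bad

def build_crldp(*dps):
    """Encode DistributionPoints (each a list of URIs) as DER; constructed test input only."""
    def tlv(tag, body):
        return bytes([tag, len(body)]) + body   # short-form length; bodies here are < 128 bytes
    seq = b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, b"".join(
        tlv(0x86, u.encode("ascii")) for u in uris)))) for uris in dps)
    return tlv(0x30, seq)
```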