To summarize this discussion, only one concern has been raised in regards to this request. In particular, Hongkong Post issues both a full CRL and a partitioned CRL. Currently Firefox handles full CRLs, but not partitioned CRLs. The end-entity certs chaining up to this root include a cRLDistributionPoints extension that references the URL for a partitioned CRL. Hongkong Post also maintains a full CRL that works correctly when manually loaded into Firefox.
The end-entity certs chaining up to this root work in Firefox today, and people who want revocation checking can import the full CRL to enable it. In this respect they are no different than any other non-EV CA not supporting OCSP. It is possible that at some point in the future certificates chaining up to this root will no longer work with Firefox and other Mozilla-based products. Since Mozilla has no commitment at this time to support partitioned CRLs, it would be the responsibility of Hongkong Post to change its own practices if necessary to have its certificates continue to be recognized in Firefox. Recommendations have been provided in this discussion thread in regards to how Hongkong Post can avoid the potential problems in the future. Hongkong Post is strongly encouraged to continue investigation into this. However, this concern is not considered a show-stopper in regards to inclusion of this root.

This concludes the first public discussion about Hongkong Post’s request to add one new root CA certificate to the Mozilla root store, as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=408949

I will post a summary of the request and my recommendation in the bug.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
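The distinction the thread turns on, a full CRL versus a partitioned one whose issuingDistributionPoint scopes it to the certs whose cRLDistributionPoints name the same URL, can be checked mechanically. The following is an added example, not code from the thread or from Hongkong Post or Mozilla; it assumes the third-party `cryptography` package and constructs its own key, names and URL.

```python
# Added example (not from the thread): classify a CRL as full or partitioned
# and check whether it covers a given end-entity certificate. Assumes the
# third-party 'cryptography' package; keys, names and URLs are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PARTITION_URL = "http://crl.example.test/partition7.crl"  # constructed

def crl_kind(crl):
    """'partitioned' if the CRL has an issuingDistributionPoint (RFC 5280 5.2.5)."""
    try:
        crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint)
        return "partitioned"
    except x509.ExtensionNotFound:
        return "full"

def uris(names):  # URI values among a list of GeneralName (None tolerated)
    return [n.value for n in (names or []) if isinstance(n, x509.UniformResourceIdentifier)]

def cert_crl_urls(cert):
    """URLs named in the cert's cRLDistributionPoints extension ([] if absent)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [u for dp in ext.value for u in uris(dp.full_name)]

def crl_covers_cert(cert, crl):
    """Full CRL covers every cert; partitioned CRL covers only certs whose CRL DP matches its IDP."""
    if crl_kind(crl) == "full":
        return True
    idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    return bool(set(uris(idp.full_name)) & set(cert_crl_urls(cert)))

def build_demo():
    """Constructed self-signed cert with a CRL DP, plus a full and a partitioned CRL."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    uri = x509.UniformResourceIdentifier(PARTITION_URL)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.CRLDistributionPoints(
                [x509.DistributionPoint([uri], None, None, None)]), critical=False)
            .sign(key, hashes.SHA256()))
    base = (x509.CertificateRevocationListBuilder().issuer_name(name)
            .last_update(now).next_update(now + datetime.timedelta(days=1)))
    idp = x509.IssuingDistributionPoint([uri], None, False, False, None, False, False)
    return cert, base.sign(key, hashes.SHA256()), base.add_extension(idp, True).sign(key, hashes.SHA256())
```

A client that only understands full CRLs would apply the first branch of `crl_covers_cert` to everything; the second branch is the scope check it would need to use a partitioned CRL safely.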