On 2009-10-07 13:33 PDT, Eddy Nigg wrote:
>> And in the absence of
>> that trust, checking a cert for revocation is pretty tough. :)
>
> Check it out. If the root is trusted and the client cert has an OCSP AIA
> URI it checks.

Given that Firefox trusts NO roots for issuing client certs, Firefox CANNOT check that client certs are valid (issued by CAs trusted for client auth).

So, what are the alternatives? Well, I suppose Firefox could check to see if a client cert is valid as a server cert. That would be utterly bogus. I wonder if it's doing that. That would be a BUG.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto