Robert Relyea wrote:
> 7. libpkix can actually fetch CRL's on the fly. The old code can only
> use CRL's that have been manually downloaded. We have hacks in PSM to
> periodically load CRL's, which work for certain enterprises, but not
> with the internet.

I am not too concerned with the fetching stuff. Fetching is not a hard problem to solve other ways, AFAICT.

> OCSP responses are cached, so OCSP fetching on common intermediates
> should not be a significant performance hit. Chrome is using this
> feature (we know because we've had some intermediates in were
> revoked).

When I browse with libpkix enabled (which also enables the intermediate fetching), connecting to HTTPS websites (like mail.mozilla.com).

Also, Chrome only uses libpkix on Linux, right?

Like I said in my other message, my main concern is that libpkix is huge and we don't have a lot of people lined up to maintain it or even understand it. Ryan's comments are encouraging though.

- Brian

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto