I took a hack at the blog post. I kept your outline, but ended up text-editing a bunch of it. I think it's pretty good now.
On Thu, Jul 31, 2014 at 10:07 PM, Richard Barnes <rbar...@mozilla.com> wrote:

> Hi all,
>
> We in the Mozilla PKI team have been discussing ways to improve revocation
> checking in our PKI stack, consolidating a bunch of ideas from earlier work
> [1][2] and some maybe-new-ish ideas. I've just pressed "save" on a new
> wiki page with our initial plan:
>
> https://wiki.mozilla.org/CA:RevocationPlan
>
> It would be really helpful if people could review and provide feedback on
> this plan.
>
> There's one major open issue highlighted in the wiki page. We're planning
> to adopt a centralized revocation list model for CA certificates, which
> we're calling OneCRL. (Conceptually similar to Chrome's CRLsets.) In
> addition to covering CA certificates, we're also considering covering some
> end-entity (EE) certificates with OneCRL too. But there are some drawbacks
> to this approach, so it's not certain that we will include this in the
> final plan. Feedback on this point would be especially valuable.
>
> Thanks a lot,
> --Richard
>
> [1] https://wiki.mozilla.org/CA:ImprovingRevocation
> [2] https://www.imperialviolet.org/2012/02/05/crlsets.html