Alex,

Deacon, Alex wrote:

1) Although the option to perform cert validation (either via OCSP or CRL)
should be a user configurable option, I believe that the application should
ship with this option turned ON by default.

It would be nice, but I wonder how many users would complain about all the sites not working ... A lot of OCSP servers have been incorrectly (and that includes Verisign's). I think the option should be off by default for clients, certainly for CRLs, which get very large and are not suitable for most clients at low bandwidth under any circumstances.


2) The decision as to what mechanism the client should use to validate a
cert needs to be dictated by the CA, not the user, using the CDP and/or AIA
extension. So instead of a ca-by-ca config as you describe, I would rather
see something like this:

* If there is only a CDP, then the browser should fetch the CRL.

This could be implemented in PSM. It would have to download the CRL and import it to the local database.


* If there is only an AIA extension, then the browser should send an OCSP
request.

Currently NSS will automatically do an OCSP check if the AIA extension is present. This occurs even if the cert was checked against a CRL also.


* If there is both an AIA and CDP extension, the browser must send an OCSP
request first. If OCSP fails, then it should then fall back to using a CRL.

This would require code changes to NSS. Currently the policy is to always check CRLs first (among the locally available ones in the database), then OCSP (if enabled).


3) All CRLs and OCSP responses should be cached locally by the browser,
ideally the cert/crl cache would be separate from the standard web cache
(which can be flushed/turned off/etc.) The browser should never hit the wire
if it already has access to a "fresh" (current non-expired) CRL or OCSP
response.

There is already a local (in-memory) cache in NSS for full CRLs. There is not one yet for OCSP responses.
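
The policy outlined in this exchange (mechanism chosen from the CDP and AIA extensions, OCSP first with CRL fallback, and a separate revocation cache that never hits the wire while a response is still fresh) can be modelled in a few dozen lines. The following is an added example written for this page; it is not NSS or PSM code and not code from either poster. `Cert`, `RevocationCache`, `check_proposed`, `check_nss_current`, the fetcher callables, the serial numbers, the fixed clock `T0` and the `example.test` URLs are all constructed stand-ins so it runs offline. `check_nss_current` is a deliberately simplified model of the order the reply describes (locally available CRLs first, then OCSP whenever AIA is present), not a description of NSS internals.

```python
# Toy model of the revocation-checking policy discussed in this thread. Constructed
# example, not NSS or PSM code: certs, fetchers and the clock are offline stand-ins.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Cert:
    serial: int
    cdp_urls: List[str] = field(default_factory=list)       # CRL Distribution Points
    aia_ocsp_urls: List[str] = field(default_factory=list)  # OCSP responders from AIA

@dataclass
class RevocationInfo:          # a CRL or OCSP response reduced to what the policy needs
    kind: str                  # "crl" or "ocsp"
    revoked_serials: Set[int]
    next_update: float         # "fresh" only while now < next_update

class RevocationCache:
    """Cert/CRL cache kept apart from the web cache (point 3 in the thread)."""
    def __init__(self) -> None:
        self._entries: Dict[str, RevocationInfo] = {}

    def get_fresh(self, key: str, now: float) -> Optional[RevocationInfo]:
        info = self._entries.get(key)
        return info if info is not None and now < info.next_update else None

    def put(self, key: str, info: RevocationInfo) -> None:
        self._entries[key] = info

# A fetcher hits the wire and returns None when that fails (timeout, bad response).
Fetcher = Callable[[str, Cert, float], Optional[RevocationInfo]]

def _lookup(cert: Cert, urls: List[str], prefix: str, now: float, cache: RevocationCache,
            fetch: Fetcher, allow_wire: bool, wire: List[int]) -> Optional[str]:
    """Answer from a fresh cached response, else fetch if allowed. None = no answer."""
    for url in urls:
        key = f"{prefix}:{url}"
        info = cache.get_fresh(key, now)
        if info is None:
            if not allow_wire:
                continue
            wire[0] += 1
            info = fetch(url, cert, now)
            if info is None:
                continue                     # this source failed; try the next URL
            cache.put(key, info)
        return "revoked" if cert.serial in info.revoked_serials else "good"
    return None

def check_proposed(cert: Cert, now: float, cache: RevocationCache,
                   fetch_ocsp: Fetcher, fetch_crl: Fetcher) -> Tuple[str, str, int]:
    """Point 2 as proposed: AIA -> OCSP, CDP -> CRL, both -> OCSP first, CRL on failure.
    Returns (status, mechanism that answered, number of wire fetches)."""
    wire = [0]
    status = _lookup(cert, cert.aia_ocsp_urls, f"ocsp:{cert.serial}", now, cache, fetch_ocsp, True, wire)
    if status is not None:
        return status, "ocsp", wire[0]
    status = _lookup(cert, cert.cdp_urls, "crl", now, cache, fetch_crl, True, wire)
    return (status, "crl", wire[0]) if status is not None else ("unknown", "none", wire[0])

def check_nss_current(cert: Cert, now: float, cache: RevocationCache,
                      fetch_ocsp: Fetcher, ocsp_enabled: bool = True) -> Tuple[str, Tuple[str, ...], int]:
    """Simplified model of the order the reply describes: CRLs already in the local
    database first (never downloaded), then OCSP whenever AIA is present and enabled."""
    wire = [0]
    crl = _lookup(cert, cert.cdp_urls, "crl", now, cache, lambda *_: None, False, wire)
    ocsp = None
    if ocsp_enabled:
        ocsp = _lookup(cert, cert.aia_ocsp_urls, f"ocsp:{cert.serial}", now, cache, fetch_ocsp, True, wire)
    consulted = tuple(m for m, s in (("crl", crl), ("ocsp", ocsp)) if s is not None)
    answers = {crl, ocsp} - {None}
    status = "revoked" if "revoked" in answers else ("good" if answers else "unknown")
    return status, consulted, wire[0]

# Constructed sample data: one revoked serial, a fixed clock and placeholder URLs.
SAMPLE_REVOKED = {0x1002}
T0 = 1_000.0
CRL_URL = "http://crl.example.test/ca.crl"
OCSP_URL = "http://ocsp.example.test/"

def ocsp_ok(url: str, cert: Cert, now: float) -> RevocationInfo:
    return RevocationInfo("ocsp", SAMPLE_REVOKED & {cert.serial}, now + 3600)

def ocsp_down(url: str, cert: Cert, now: float) -> None:
    return None                                  # responder unreachable

def crl_ok(url: str, cert: Cert, now: float) -> RevocationInfo:
    return RevocationInfo("crl", set(SAMPLE_REVOKED), now + 86_400)

def demo() -> Dict[str, tuple]:
    cache = RevocationCache()
    both = Cert(0x1001, cdp_urls=[CRL_URL], aia_ocsp_urls=[OCSP_URL])
    out = {}
    out["both_first"] = check_proposed(both, T0, cache, ocsp_ok, crl_ok)         # one wire fetch
    out["both_cached"] = check_proposed(both, T0 + 60, cache, ocsp_ok, crl_ok)   # served from cache
    out["both_stale"] = check_proposed(both, T0 + 7200, cache, ocsp_ok, crl_ok)  # past nextUpdate
    out["fallback"] = check_proposed(Cert(0x1002, [CRL_URL], [OCSP_URL]), T0,
                                     RevocationCache(), ocsp_down, crl_ok)
    out["cdp_only"] = check_proposed(Cert(0x1003, [CRL_URL]), T0, RevocationCache(), ocsp_ok, crl_ok)
    local = RevocationCache()                     # a CRL already imported into the database
    local.put(f"crl:{CRL_URL}", crl_ok(CRL_URL, both, T0))
    out["nss_with_local_crl"] = check_nss_current(both, T0, local, ocsp_ok)
    return out
```

Running `demo()` shows the two behaviours side by side: under the proposed policy the second check of the same cert costs no network round trip until `next_update` passes, a dead OCSP responder falls through to the CRL, and a cert carrying only a CDP goes straight to the CRL; under the modelled current order an already-imported CRL is consulted and the OCSP request is still sent. Freshness here is keyed only on `next_update`; a real implementation also has to verify the response signature and `thisUpdate` before trusting a cached entry.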
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto