John Gardiner Myers wrote:
For reasons you mention, even checking against the latest currently available CRL is at most "best effort".
I fully concur this is only "best effort". This is BTW exactly what I wrote in my message.
But it's the level of "best effort" that *can* be achieved.
I don't get why you want to settle for a "best effort" that is lower than that.
Because the cost (denial of service) far exceeds the benefit (negligible).
I think that not doing that would be what law calls "gross negligence".
Nonsense. A reasonable risk assessment would show that it is reasonable and prudent to use CRLs past the nextIssue date in cases where it is not possible to obtain a newer CRL. The law does not require one to take every possible countermeasure, regardless of cost.
So nextUpdate is really a minimum for the amount of time one should use cached CRLs.
I can't follow your logic here.
How do you go from "even checking against the latest currently available CRL is not perfect" to "So I don't need to do it, and worse solution are OK" ?
You are drawing a line in the sand, saying "beyond here is unsafe". I'm pointing out that your line is arbitrary and has no particular sigificance in the continum of risk. The risk is not appreciably less just before the nextUpdate than it is just after the nextUpdate.
The risk after the nextUpdate does not justify a complete denial of service. If there were an age where the risk did justify such a denial of service, it would depend on a policy setting unrelated to nextUpdate.
"Even if I wait until the traffic light is green for pedestrian, there might be a car that won't respect it, so I won't care and I'll cross at the red light" ?
Your analogy is flawed. Traffic lights are intended to control crossing. nextUpdate is not intended to control the time beyond which one should reject all certs.
And even if it did, the information at hand is not analogous. We are talking about a failure case, such as when the traffic light is off.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
