On 10/23/2013 10:31 PM, From Kathleen Wilson:
> I'm not sure I understand your message. Are you saying that even if
> OCSP stapling is used, the certs must have the OCSP URI in them, in
> case the server's stapled response doesn't work, and the browser needs
> to fallback to the OCSP URI in the cert?
Yes, exactly. Also, servers can be configured most easily by having them
simply use the OCSP URI included in the certificate.
> In the case of EV certs, Mozilla is still checking the CRL when the
> OCSP URI is not provided.
Since when does Firefox check CRLs? I believe it never did except if
configured manually (which is probably almost never).
> Are you saying that (instead of the above proposal) the revocation
> checking should do the following?
> 1) Check for OCSP stapling response from server.
> 2) If it cannot get a valid OCSP stapling response, then use OCSP URI in
> AIA to try to get OCSP response.
> 3) If these attempts fail, then check CRL.
> 4) If both OCSP and CRL fail, then EV treatment will not be given.
That really would be perfect (I think the best it can get with current
implementations). However, IMO the fallback to normal OCSP is a must.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
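The four-step fallback chain in the quoted list, written out as an added Python example (not code from the thread, Firefox or StartCom): each revocation source is a callable returning a constructed GOOD/REVOKED/UNAVAILABLE status, and the names `ev_revocation_decision`, `Status` and `Verdict` are my own.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # missing, stale, unparsable or unreachable


@dataclass
class Verdict:
    trusted: bool          # may the connection proceed at all?
    ev: bool               # does the certificate keep its EV treatment?
    source: Optional[str]  # which source gave a definitive answer


def ev_revocation_decision(stapled: Status,
                           aia_ocsp_uri: Optional[str],
                           fetch_ocsp: Callable[[str], Status],
                           fetch_crl: Callable[[], Status]) -> Verdict:
    """Steps 1-4 of the quoted proposal as an ordered fallback chain.

    REVOKED from any source is a hard failure; UNAVAILABLE falls through
    to the next source; if every source is UNAVAILABLE the certificate is
    still accepted but loses EV treatment (step 4).
    """
    chain = [("stapled", lambda: stapled)]
    # Step 2 only exists if the certificate carries an OCSP URI in its AIA
    # extension, which is why the thread wants the URI kept even with stapling.
    if aia_ocsp_uri:
        chain.append(("aia-ocsp", lambda: fetch_ocsp(aia_ocsp_uri)))
    chain.append(("crl", fetch_crl))

    for name, check in chain:
        status = check()
        if status is Status.REVOKED:
            return Verdict(trusted=False, ev=False, source=name)
        if status is Status.GOOD:
            return Verdict(trusted=True, ev=True, source=name)
        # UNAVAILABLE: try the next source
    return Verdict(trusted=True, ev=False, source=None)
```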