On 10/24/2013 08:01 PM, From Kathleen Wilson:
> For EV certs Firefox has always checked the CRL when the OCSP AIA URI was not provided. EV treatment would not be given if current revocation information was not obtained.

If Firefox really uses the CRLDP, then I suggest keeping that option still open ... meaning if no stapled OCSP response, use the normal pointers and if that fails use CRL. Remove EV (and the "secure" UI indicators if you want from any other certificate) when certificate status can't be verified.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

