> Yes, surely only someone insidious and evil and who hates Freedom would
> ever support such a security-hostile idea as a 1-4KB OCSP response,
> rather than a 50MB CRL. It's likely that the Legion of Cryptographic Doom
> have compromised OCSP, likely using the World Bank to infiltrate the IETF
> with members of the Secret Illuminati (which even the regular Illuminati
> don't know about), and only CRLs can save us from the impending saucer
> people who will break our crypto and control our minds with houseplants.

Please keep it civil, Ryan. I'm afraid you've stooped to the same level as the 
person you were criticizing.
 
> Please keep it civil, Michael, and please provide technical discussions,
> rather than emotional pleas or accusations.
>
> OCSP and CRLs both represent ways to obtain revocation information. Thus,
> for EV, it should "always" be possible to obtain fresh information.
>
> CRLs and OCSP offer no security advantage unless enabled for 'hard fail',
> which cannot be enabled by default, and which few users (if any) have ever
> enabled. The security gains absent hard fail are illusions (... not
> tricks), and so for Firefox, which has not implemented hard-fail by default
> and will not implement hard fail by default, it's a perfectly practical
> decision.

I agree with Jeremy that there are security benefits to revocation checking, 
even without hard-fail, and that they are not illusions. If a CA can serve an 
OCSP response to a browser before the browser gives up, the user may be alerted 
to a revoked certificate and may then choose to avoid the web site. A number of 
CAs have been actively working to improve the performance of their CA 
infrastructures, and have made significant improvements.

-Rick
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
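The disagreement above is about what a revocation check buys when the browser treats a missing answer as "good" (soft-fail) versus "bad" (hard-fail). The following simulation, added here and not part of the thread or of any browser's code, makes both policies concrete: it fetches an OCSP answer from a responder with a timeout, rejects stale answers, and then applies the policy. The responders, serial number and timeout are constructed stand-ins for a network fetch, and `check_revocation`, `OcspResponse` and the scenario names are this example's own, not real browser or library APIs.

```python
"""Soft-fail vs. hard-fail OCSP revocation checking, simulated offline."""
import enum
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Optional


class Status(enum.Enum):
    GOOD = "good"
    REVOKED = "revoked"


class Policy(enum.Enum):
    SOFT_FAIL = "soft-fail"  # no usable answer -> proceed (browser default)
    HARD_FAIL = "hard-fail"  # no usable answer -> block


@dataclass
class OcspResponse:
    status: Status
    next_update: float  # epoch seconds; the response is stale after this


@dataclass
class Decision:
    proceed: bool
    reason: str


# A "responder" is any callable taking a certificate serial and returning an
# OcspResponse; like a real fetch it may also raise or simply not answer.
Responder = Callable[[str], OcspResponse]


def check_revocation(responder: Responder, serial: str, policy: Policy,
                     timeout_s: float, now: Optional[float] = None) -> Decision:
    """Fetch an OCSP answer with a timeout and decide under the given policy."""
    now = time.time() if now is None else now
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(responder, serial)
    resp: Optional[OcspResponse] = None
    reason = ""
    try:
        resp = future.result(timeout=timeout_s)
    except FutureTimeout:
        reason = f"no OCSP response within {timeout_s}s"
    except Exception as exc:  # connection refused, malformed response, ...
        reason = f"OCSP fetch failed: {exc.__class__.__name__}"
    finally:
        pool.shutdown(wait=False)  # a hung responder must not hold the client
    # A response past nextUpdate is not fresh information; treat it as absent.
    if resp is not None and resp.next_update < now:
        resp = None
        reason = "OCSP response is stale (nextUpdate in the past)"
    if resp is None:
        if policy is Policy.HARD_FAIL:
            return Decision(False, reason + "; hard-fail blocks")
        return Decision(True, reason + "; soft-fail proceeds")
    if resp.status is Status.REVOKED:
        return Decision(False, "OCSP says revoked; blocked under either policy")
    return Decision(True, "fresh OCSP response says good")


# Constructed responders standing in for the CA's OCSP service.
_FUTURE = time.time() + 3600
_PAST = time.time() - 3600


def good_responder(serial: str) -> OcspResponse:
    return OcspResponse(Status.GOOD, _FUTURE)


def revoked_responder(serial: str) -> OcspResponse:
    return OcspResponse(Status.REVOKED, _FUTURE)


def stale_responder(serial: str) -> OcspResponse:
    return OcspResponse(Status.GOOD, _PAST)


def slow_responder(serial: str) -> OcspResponse:
    time.sleep(0.5)  # answers only after the client has given up
    return OcspResponse(Status.REVOKED, _FUTURE)


def dead_responder(serial: str) -> OcspResponse:
    raise ConnectionRefusedError("constructed: responder unreachable")


SCENARIOS = {
    "good": good_responder,
    "revoked": revoked_responder,
    "stale": stale_responder,
    "slow": slow_responder,
    "dead": dead_responder,
}


def run_scenarios(timeout_s: float = 0.1) -> dict:
    """Map (scenario, policy) -> whether the connection proceeds."""
    results = {}
    for name, responder in SCENARIOS.items():
        for policy in Policy:
            d = check_revocation(responder, "0x1234", policy, timeout_s)
            results[(name, policy.value)] = d.proceed
    return results


if __name__ == "__main__":
    for (name, policy), proceed in run_scenarios().items():
        print(f"{name:8s} {policy:10s} -> {'proceed' if proceed else 'block'}")
```

The "revoked" row shows Rick's point: when the responder answers in time, soft-fail still blocks a revoked certificate. The "slow", "dead" and "stale" rows show the quoted objection: any failure to obtain a fresh answer is indistinguishable from "good" under soft-fail, and only hard-fail turns the absence of an answer into a block.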