This is good information, Kathleen, and I'm certainly in favor of making improvements. I do wish there was more info on the report author and any affiliations he might have. That said I can't find clear, unambiguous detail on what CRL capabilities are actually working in Firefox, and for which versions. There was some talk at one time how CRL never worked anyway or some such thing but I think we need clarification on that now. The worst case here is that some capabilities are missing from current (and future) versions and the worst case for missing functionality could be very bad indeed. Thanks.
On 10/29/13 5:20 AM, fhw...@gmail.com wrote: > Changing the subject line because compliance is at the heart of this > issue. I also would like to thank Brian for his comment below, because > it seems we're discussing less the merits of CRLs and more rationalizing > the cost to implement. > <snip> > > So...if Mozilla can't implement CRL support because of staffing issues > and priorities, that's fine. Actually it's completely understandable. In > the meantime, Mozilla is not 5280 compliant--and that should be a big deal. > > Please see https://wiki.mozilla.org/CA:ImprovingRevocation There is also an interesting research paper attached to that page about revocation. Folks are working towards adding a revocation-push mechanism so that Firefox preloads certain revocation information for intermediate and end-entity certificates. I started the discussion about which types of revocations should be included for intermediate certs here: https://groups.google.com/d/msg/mozilla.dev.security.policy/cNd16FZz6S8/t3GwjaFXx-kJ There will be a similar discussion for end-entity cert revocations, I just haven't started it yet. The goal is for the revocation-push mechanism to be used instead of traditional CRL checking, for reasons described in the wiki page and the research paper. In my opinion, the sequence in which certain changes (like ripping out the CRL user interface) could have been better, such as happening after the revocation-push mechanism was in place. But, in my opinion, we are heading the right direction -- there will be revocation checking, it just will be done in a better and more efficient way. Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy | ||
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
