Perhaps instead I should have said it's a minus-seventeen-years exploit? :-)

Seriously, though, anyone who has ever issued a CRL was basically wasting valuable electrons on something that doesn't get used (by FF--don't know about the others).

Or to put it another way, everyone could stop issuing CRLs immediately and have no appreciable impact on Internet security. I think that would surprise many people.
From: Eddy Nigg
Sent: Friday, November 1, 2013 5:48 PM
Subject: Re: Netcraft blog, violations of CABF Baseline Requirements, any
consequences?

On 11/02/2013 12:32 AM, From [email protected]:
> So if this really is the case, it seems to me that this constitutes a
> zero day vulnerability in Firefox. I don't mean to sound alarmist
> but...???
>

It's not since it's always been like this and one of the reasons CAs
must provide OCSP revocation capability. It would be however /nice/ to
have a CRL fallback...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: [email protected]
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy