I think what you've said here, Brian, is basically what I was looking for. Actually I wanted you to tell me I'm completely misinformed and these are the ways people will be protected. I'm thinking it might be appropriate to have some sort of communique sent out to the CAs so that all of them understand this situation, can adjust their practices as necessary, and can educate their customers so the customers can make informed decisions. We all know there are people out there who think "well if something goes wrong I can just revoke the certificate or something". That thinking is flat out wrong. Let me add that I am genuinely concerned about what this can mean for FF and maybe all browsers. I think there are admins and regulators and other "security folk" who might impose restrictions on Mozilla's products. I shudder to think anyone would say "for maximum security you should use MSIE".
On Fri, Nov 1, 2013 at 4:00 PM, <[email protected]> wrote:
I agree with everything quoted above. Don't waste your time with CRLs if you care only about browsers. Work on deploying OCSP stapling if you think revocation checking is important.

Cheers,
Brian

Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

