On 11/02/2013 02:00 AM, From Brian Smith:
> Does the end-entity certificate have an EV policy OID from any of our
> EV CAs? If so, verify that the certificate is valid for that policy
> OID, trusting only that CA's root. During this validation, check OCSP,
> and fall back to CRLs using CRLDP.

Thanks for confirming this, Brian.

> The normal certificate checking path does not do CRL fetching, and it
> *never* has. So, for any CA that isn't in our EV program, Firefox has
> never done CRL fetching.

But the code would actually exist to do that in that case.

> The CABForum EV guidelines have required EV CAs to support OCSP for a
> very long time.

Absolutely.

> So, there's no justification for Firefox to fall back
> to CRL fetching for EV certificate verification any more.

I don't really agree with that however - I've been an advocate of certificate status checking along the lines Firefox apparently has done for EV certificates. No infrastructure can be 100% perfect and for this I think the fallback to CRLs is quite useful.

In numbers I assume that's a small minority and in case of EV I also assume that the CRLs are fairly thin, not affecting performance a lot. Of course I'd like to see this for all certificates, not only EV really.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [email protected]
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
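The EV verification flow Brian describes above (match the end-entity policy OID to the EV CA that owns it, trust only that CA's root, check OCSP, and fall back to the CRL named in the CRLDP), written out as an added example. This is illustration code, not Firefox/NSS code or anything from Mozilla's EV program: the policy OID, root name, certificate and fetcher functions are constructed, the EV list is a placeholder map, and chain building and signature verification are assumed to have already been done by the caller. The downgrade of an EV certificate to a plain (non-EV) result when revocation status cannot be determined is this example's assumed policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, FrozenSet, Optional, Tuple

# Constructed map of EV policy OID -> the root that owns that policy.
# The OID and root name are placeholders, not Mozilla's real EV list.
EV_POLICY_ROOTS = {"1.3.6.1.4.1.99999.1.1": "Example EV Root CA"}


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    policy_oids: Tuple[str, ...]
    ocsp_url: Optional[str] = None   # AIA OCSP responder, if any
    crldp_url: Optional[str] = None  # CRL distribution point, if any


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder down, wrong issuer, stale CRL, or no source


class EVResult(Enum):
    EV = "ev"
    NOT_EV = "not-ev"    # connection proceeds without the EV indicator
    REVOKED = "revoked"  # connection must fail


# Fetchers are hypothetical callables standing in for network access.
# Either may raise to signal a network or parse failure.
OCSPFetcher = Callable[[Certificate], Status]
CRLFetcher = Callable[[Certificate], CRL]


def check_revocation(cert: Certificate, fetch_ocsp: OCSPFetcher,
                     fetch_crl: CRLFetcher, now: datetime) -> Status:
    """OCSP first; consult the CRLDP CRL only when OCSP gives no definitive answer."""
    if cert.ocsp_url:
        try:
            status = fetch_ocsp(cert)
            if status in (Status.GOOD, Status.REVOKED):
                return status  # definitive answer, no CRL needed
        except Exception:
            pass  # responder unreachable or unparsable: try the CRL
    if not cert.crldp_url:
        return Status.UNKNOWN
    try:
        crl = fetch_crl(cert)
    except Exception:
        return Status.UNKNOWN
    # A CRL from a different issuer, or one outside its validity window, is not usable.
    if crl.issuer != cert.issuer or not (crl.this_update <= now < crl.next_update):
        return Status.UNKNOWN
    return Status.REVOKED if cert.serial in crl.revoked_serials else Status.GOOD


def verify_ev(cert: Certificate, chain_root: str, fetch_ocsp: OCSPFetcher,
              fetch_crl: CRLFetcher, now: datetime) -> EVResult:
    """chain_root is the root the (already validated) chain terminates in."""
    ev_oids = [oid for oid in cert.policy_oids if oid in EV_POLICY_ROOTS]
    if not ev_oids:
        return EVResult.NOT_EV
    # Only the root that owns this policy OID may anchor an EV chain.
    if EV_POLICY_ROOTS[ev_oids[0]] != chain_root:
        return EVResult.NOT_EV
    status = check_revocation(cert, fetch_ocsp, fetch_crl, now)
    if status is Status.REVOKED:
        return EVResult.REVOKED
    if status is Status.UNKNOWN:
        return EVResult.NOT_EV  # assumed policy: undeterminable status drops EV only
    return EVResult.EV


def scenarios() -> dict:
    """Run the flow over constructed inputs; returns scenario name -> EVResult."""
    now = datetime(2013, 11, 2, 2, 0, tzinfo=timezone.utc)
    cert = Certificate("www.example.test", "Example EV Issuing CA", serial=0x1234,
                       policy_oids=("1.3.6.1.4.1.99999.1.1",),
                       ocsp_url="http://ocsp.example.test", crldp_url="http://crl.example.test/ca.crl")

    def ocsp_good(c): return Status.GOOD
    def ocsp_down(c): raise ConnectionError("responder unreachable")
    def crl_clean(c): return CRL(cert.issuer, now - timedelta(days=1), now + timedelta(days=6), frozenset())
    def crl_lists(c): return CRL(cert.issuer, now - timedelta(days=1), now + timedelta(days=6), frozenset({0x1234}))
    def crl_stale(c): return CRL(cert.issuer, now - timedelta(days=30), now - timedelta(days=23), frozenset())

    root = "Example EV Root CA"
    return {
        "ocsp_good": verify_ev(cert, root, ocsp_good, crl_clean, now),
        "ocsp_down_crl_clean": verify_ev(cert, root, ocsp_down, crl_clean, now),
        "ocsp_down_crl_lists_serial": verify_ev(cert, root, ocsp_down, crl_lists, now),
        "ocsp_down_crl_stale": verify_ev(cert, root, ocsp_down, crl_stale, now),
        "wrong_root": verify_ev(cert, "Some Other Root", ocsp_good, crl_clean, now),
    }
```

The CRL fallback only runs when OCSP returns nothing usable; a definitive OCSP answer is never second-guessed against the CRL. The stale-CRL case is the one to notice: the fallback itself can fail to give an answer, and the example then drops the EV indicator rather than treating the certificate as revoked.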

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
