On Wed, Dec 11, 2013 at 3:47 PM, <[email protected]> wrote:
> Well let's be clear about one thing: in Firefox land (as in others) there
> is no such thing as revocation; there is only changing the code.
>
Changing the code is required because currently-standardized revocation mechanisms don't work effectively or in a reasonable way. As far as our support for currently-standardized revocation mechanisms goes, we do support OCSP stapling in Firefox and we even currently still support fetching OCSP responses from CAs' websites. As far as our support for future revocation mechanisms goes, we are currently doing the foundational work to add new features for making OCSP stapling more effective and also better-performing, and we will work with others in standards organizations to get such improvements standardized and widely deployed.

Getting to a state where revocation checking is effective and performant requires CAs, server software developers, server administrators, and clients (browsers) to cooperate. The more cooperation there is, the better things will work.

People who are system administrators of websites should enable OCSP stapling. If your web server doesn't support OCSP stapling then please ask your vendor to add OCSP stapling support. If your CA issued you a certificate without an OCSP responder URI then please ask your CA to replace it with one that has an OCSP responder URI. Then you will have minimized the future work you need to do to support effective revocation mechanisms.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
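Added example, not from Brian's message or from any Mozilla code: a Go program that performs the two checks the message asks site administrators to make. OCSPResponderURIs parses a certificate and reports whether its Authority Information Access extension names an OCSP responder, and StapledResponse runs a TLS handshake between a server configured with a staple and a client, returning what the client received in the status_request exchange. The certificate, the hostname example.test, the responder URI http://ocsp.example.test/ and the staple bytes are all constructed for the example; the staple is a placeholder rather than a real OCSP response, because Go's TLS stack forwards it verbatim and leaves parsing and validation to the application.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

const serverName = "example.test" // constructed hostname; nothing here touches the network

// MakeSelfSigned builds a self-signed server certificate for serverName. With
// withOCSPURI set, the Authority Information Access extension carries an OCSP
// responder URI, which is what a server must have before it can staple.
func MakeSelfSigned(withOCSPURI bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName},
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is also its own trust anchor
	}
	if withOCSPURI {
		tmpl.OCSPServer = []string{"http://ocsp.example.test/"} // placeholder responder URI
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// OCSPResponderURIs is the check to run on a deployed certificate's DER: an
// empty result means the CA issued it without an OCSP responder URI.
func OCSPResponderURIs(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return cert.OCSPServer, nil
}

// StapledResponse handshakes over an in-memory pipe between a server that staples
// `staple` and a client trusting its certificate, and returns the OCSP response the
// client received. TLS 1.2 is pinned: net.Pipe is synchronous and TLS 1.3's
// interleaved flights would deadlock on it.
func StapledResponse(serverCert tls.Certificate, staple []byte) ([]byte, error) {
	serverCert.OCSPStaple = staple
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MaxVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	if err := <-srvErr; err != nil {
		return nil, err
	}
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	cert, err := MakeSelfSigned(true)
	if err != nil {
		log.Fatal(err)
	}
	uris, _ := OCSPResponderURIs(cert.Certificate[0]) // empty here would mean: ask the CA to reissue
	// Placeholder bytes: a real server fetches a signed OCSP response from the responder.
	got, err := StapledResponse(cert, []byte("PLACEHOLDER-OCSP-RESPONSE"))
	fmt.Printf("responder URIs %v; client received %d stapled bytes (err=%v)\n", uris, len(got), err)
}
```

On a live deployment the same client-side read, ConnectionState().OCSPResponse after tls.Dial, tells you whether the server is stapling at all: an empty response is the cue to enable stapling (or ask the vendor for it), and an empty responder list from the first check is the cue to have the CA reissue the certificate. Validating the stapled response itself, its signature, its validity window and that it covers this certificate's serial, remains the client's job and is not done here.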

