On Thursday, April 10, 2014 7:31:29 PM UTC+1, Jon D wrote:
> On Thu, Apr 10, 2014 at 10:55:17 -0700, Dave Cridland wrote:
> > I absolutely agree; however I'd also suggest that the point is moot.
> > The question isn't whether or not people should have known, or even
> > did know, that StartCom's business model is based around charging fees
> > for revocations.
> 
> > It doesn't matter whether anyone thinks this is fair or not - I think
> > it's a dangerous business practice, and I'm surprised that it's
> > considered in line with §2 of Mozilla's CA Certificate Maintenance
> > Policy, but that again is largely irrelevant.
> 
> Given that Mozilla no longer checks CRLs anyway, the discussion in
> general may be largely irrelevant:
> https://bugzilla.mozilla.org/show_bug.cgi?id=867465#c12
> 

CRLs are a fairly painful method for a browser to check certificate status, as 
well as lagging behind (they're large - very large right now - and infrequently 
updated). I'd personally prefer these to be background-downloaded and used as a 
fallback instead of pass-on-fail OCSP, but hey.

> OCSP is still alive and kicking, but it has some pretty notable issues
> regarding how easy it is to make it soft-fail:
> https://www.imperialviolet.org/2012/02/05/crlsets.html
> 

If you're arguing that Mozilla should start distributing a CRL of sorts of 
sites that it deems important, I'm impressed.

Yes, OCSP can fail sometimes, and adds an additional initial time. Firefox at 
least does pass-on-fail by default; sensible users will have turned on 
fail-on-fail.

> In light of all of this, removal of the CA from Mozilla for this would
> be a bit out of proportion. After all, if a certificate is revoked in
> the forest and no one is around to watch, is it really revoked?

You're assuming that removal of the CA from Mozilla only affects Firefox.

Firstly, the effects are very different on an email client like Thunderbird. 
There, the OCSP "overhead" is trivial.

Secondly, the CA list from Mozilla is used by Debian, Ubuntu, and others who 
defer trust anchor maintenance to Mozilla.

Even if Firefox dropped revocation checking entirely - which would be very 
foolish in my opinion - it would still affect thousands of applications.

As a final point, the status quo in the Mozilla policy is that revocations must 
be supported; I am not arguing, and do not intend to argue, for any kind of 
policy change.

Dave.
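The "pass-on-fail" versus "fail-on-fail" distinction above is the whole difference between an attacker only having to block the OCSP responder and an attacker having to forge a signed response. The following is an added example, not code from the thread or from Mozilla: it parses the text that an `openssl ocsp` query prints (the sample outputs are constructed to match that format, not captured from a real responder), treats a missing, unverifiable or stale response as "unavailable", and then shows how a soft-fail and a hard-fail policy decide each case. In Firefox the hard-fail behaviour is the `security.OCSP.require` pref; the function names and the `NOW` clock here are assumptions for the demonstration.

```python
"""Soft-fail vs hard-fail revocation policy applied to `openssl ocsp`-style output."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample outputs in the shape `openssl ocsp` prints (assumption: this
# is the responder-output text format; none of these lines came from a live responder).
SAMPLE_GOOD = """Response verify OK
server.pem: good
\tThis Update: Apr 10 12:00:00 2014 GMT
\tNext Update: Apr 17 12:00:00 2014 GMT
"""
SAMPLE_REVOKED = """Response verify OK
server.pem: revoked
\tThis Update: Apr 10 12:00:00 2014 GMT
\tNext Update: Apr 17 12:00:00 2014 GMT
\tReason: keyCompromise
\tRevocation Time: Apr  9 08:30:00 2014 GMT
"""
SAMPLE_RESPONDER_ERROR = "Responder Error: tryLater (3)\n"
SAMPLE_NO_CONNECTION = None  # TCP connect or timeout failed; no bytes received at all

# Assumed wall clock for the demonstration, and one far past the response's Next Update.
NOW = datetime(2014, 4, 11, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(days=30)

STATUS_RE = re.compile(r"^(?P<cert>\S+): (?P<status>good|revoked|unknown)\s*$", re.M)
NEXT_UPDATE_RE = re.compile(r"Next Update: (.+)$", re.M)
OCSP_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def classify(output, now=NOW):
    """Map raw responder output to one of: good, revoked, unknown, unavailable.

    Anything that is not a verified, fresh, definite answer collapses to
    "unavailable": that is the case the two policies disagree about.
    """
    if output is None:
        return "unavailable"
    if "Response verify OK" not in output:
        # Responder error, or the response signature did not verify.
        return "unavailable"
    m = STATUS_RE.search(output)
    if not m:
        return "unavailable"
    nu = NEXT_UPDATE_RE.search(output)
    if nu:
        next_update = datetime.strptime(nu.group(1).strip(), OCSP_TIME_FMT)
        next_update = next_update.replace(tzinfo=timezone.utc)
        if now > next_update:
            # Past Next Update the response is stale: same as having none.
            return "unavailable"
    return m.group("status")


def decide(status, hard_fail):
    """Return True if the TLS connection may proceed under the given policy."""
    if status == "good":
        return True
    if status == "revoked":
        return False
    # "unknown" and "unavailable": soft-fail (pass-on-fail) lets the
    # connection through, hard-fail (fail-on-fail) does not.
    return not hard_fail


def evaluate(output, hard_fail, now=NOW):
    """Convenience wrapper: raw responder output -> proceed (True) or block (False)."""
    return decide(classify(output, now), hard_fail)


def policy_table():
    """Show every sample under both policies; the unavailable rows are the story."""
    cases = {
        "good": SAMPLE_GOOD,
        "revoked": SAMPLE_REVOKED,
        "responder error": SAMPLE_RESPONDER_ERROR,
        "no connection": SAMPLE_NO_CONNECTION,
    }
    rows = []
    for name, out in cases.items():
        rows.append((name, classify(out), evaluate(out, False), evaluate(out, True)))
    return rows


if __name__ == "__main__":
    print(f"{'case':<16}{'status':<13}{'soft-fail':<11}hard-fail")
    for name, status, soft, hard in policy_table():
        print(f"{name:<16}{status:<13}{str(soft):<11}{hard}")
```

The only rows where the two policies differ are the ones an attacker can produce without a CA key, by dropping packets to the responder or returning an error; that is why soft-fail adds little beyond catching accidental misconfiguration, and why the stale-response check matters as much as the connection check.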
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
