Although certificate revocation is funded by the certificate subscriber, revocation is for the billions of relying parties. These are the parties that don't know anything about Heartbleed or any other threat that could jeopardize a certificate or a website.
In the CP and/or CPS, the CAs generally have a relying party agreement which says don't trust the certificate unless you have checked the certificate status (i.e. CRL or OCSP). How can the relying party effectively meet this obligation, if the correct certificate status is not responded?

Bruce.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

