On 2015-12-04 02:55, Jakob Bohm wrote:
> How huge and unwieldy are CRLs really, especially if letting the computer (NSS/Firefox) do the updating?
Individual CRLs are in the range of a few kB to a few MB. For the CA that issues the subscriber certificates they have a maximum validity of 10 days but should be updated at least every 7 days.
The problem is that you want to check the CRLs before you send anything to that site, so either you need to download that CRL during the handshake, delaying the whole thing, or you would need to download all the CRLs beforehand and update them regularly.
If you want to download them before you connect, you have a problem that you don't know them all. You only know about the root CAs, not the intermediate ones. But you do cache the intermediates that you've seen.
Downloading for all the intermediates would be in the order of several GB a week that you need to download.
Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
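As an added illustration of the client-side check Kurt describes (not code from the thread or from NSS/Firefox): a cached CRL is only usable while the client's clock sits inside its thisUpdate/nextUpdate window and the window does not exceed the 10-day ceiling mentioned above, so a stale cache forces a fresh download rather than a silent "not revoked". The CA, leaf certificate, CRL and names are all constructed in memory with the `cryptography` library; `www.example.test` and the serial numbers are placeholders.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _utc(d):  # naive (older cryptography) or aware datetimes; naive means UTC
    return d if d.tzinfo else d.replace(tzinfo=dt.timezone.utc)

def _cert(subject, issuer, pubkey, serial, now, days, signer):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial).not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=days)).sign(signer, hashes.SHA256()))

def make_pki(now):
    """Constructed issuing CA plus one leaf certificate (names are placeholders)."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    ca = _cert(ca_name, ca_name, ca_key.public_key(), 1, now, 365, ca_key)
    leaf = _cert(leaf_name, ca_name, leaf_key.public_key(), 4242, now, 90, ca_key)
    return ca_key, ca, leaf

def make_crl(ca_key, ca, now, revoked_serials, lifetime=dt.timedelta(days=7)):
    # 7-day default mirrors the refresh interval quoted in the thread
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
         .last_update(now).next_update(now + lifetime))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def revocation_status(leaf, ca, crl, now):
    """'revoked' / 'good' from a cached CRL, or 'stale' when it may not be relied on."""
    if not crl.is_signature_valid(ca.public_key()) or crl.issuer != leaf.issuer:
        return "stale"
    last = _utc(getattr(crl, "last_update_utc", None) or crl.last_update)
    nxt = _utc(getattr(crl, "next_update_utc", None) or crl.next_update)
    if not (last <= _utc(now) <= nxt) or nxt - last > dt.timedelta(days=10):
        return "stale"  # outside its own window, or claims more than the 10-day ceiling
    hit = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
    return "revoked" if hit is not None else "good"

def demo():
    # Three cases: revoked, good, and a cache consulted after the CRL's nextUpdate.
    t0 = dt.datetime(2015, 12, 4, 3, 0, tzinfo=dt.timezone.utc)  # constructed clock
    ca_key, ca, leaf = make_pki(t0)
    day = dt.timedelta(days=1)
    hit, miss = make_crl(ca_key, ca, t0, [4242]), make_crl(ca_key, ca, t0, [99])
    return (revocation_status(leaf, ca, hit, t0 + day), revocation_status(leaf, ca, miss, t0 + day),
            revocation_status(leaf, ca, miss, t0 + 8 * day))
```

A "stale" result is the trigger for the download Kurt is talking about; treating it as "good" would turn an expired cache into a silent revocation bypass.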