I think the vision is that in the long run, OneCRL would be based on the Salesforce data.
Sent from my iPhone. Please excuse brevity.

> On Jun 22, 2016, at 16:56, Jeremy Rowley <[email protected]> wrote:
>
> That's why Mozilla has a policy to disclose all such CAs through OneCRL.
> Seems like unnecessary information to disclose the CA as part of OneCRL and
> as part of the Salesforce program.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx
> Sent: Wednesday, June 22, 2016 2:31 PM
> To: Steve <[email protected]>
> Cc: [email protected]; Eric Mill <[email protected]>; Kathleen Wilson <[email protected]>; Rob Stradling <[email protected]>; Peter Bowen <[email protected]>; Ben Wilson <[email protected]>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
>> On Wed, Jun 22, 2016 at 06:18:51PM +0000, Steve wrote:
>> CAs are running OCSP responders up to the root tier. Once a CA is
>> terminated in a standards-compliant and densely interoperable way from
>> participating in a trusted discovery path to an embedded root, it
>> should no longer be in the scope of business of root trust store owners.
>
> The BRs actually require both OCSP and CRL distribution point for
> subordinate CA certificates. But most CA certificates don't have OCSP
> information, most do have the CRL distribution point.
>
> But as far as I know nobody checks the OCSP reply of the intermediate CAs,
> only the subscriber certificate is checked.
>
> Most people don't download CRL information, and it's clearly going to give a
> worse user experience if we have to download it when we establish a connection.
>
> There are CA certificates that don't have either OCSP or CRL
> information in them, so there really is no way to actually check them.
>
> It's clear that CA certificates do get revoked, so we need to have some way
> to check it.
>
> Since we don't even have a list of all CA certificates, we can't go and
> check all of them ourselves to see if any of them are revoked.
> So we need to have at least all such certificates disclosed to start with,
> including the revoked ones.
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
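Kurt's point above is that a relying party can only check an intermediate for revocation if the certificate advertises some mechanism, and many do not. The following is an added example, not code from the thread or from Mozilla; it uses only Go's standard `crypto/x509` package to build a constructed root with three intermediates (OCSP and CRL, CRL only, neither) and classifies each by the revocation pointers it carries. The URLs, names and hierarchy are constructed fixtures; the same `Inspect` and `Uncheckable` functions work on certificates parsed from a real chain or from a disclosure dump.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationInfo summarises which revocation pointers a CA certificate carries:
// an OCSP responder URL (Authority Information Access extension) and one or
// more CRL Distribution Points. BR-compliant subordinate CA certificates should
// carry both; a certificate with neither cannot be checked by a relying party.
type RevocationInfo struct {
	Subject string
	HasOCSP bool
	HasCRL  bool
}

// Inspect reports the revocation pointers present in cert.
func Inspect(cert *x509.Certificate) RevocationInfo {
	return RevocationInfo{
		Subject: cert.Subject.CommonName,
		HasOCSP: len(cert.OCSPServer) > 0,
		HasCRL:  len(cert.CRLDistributionPoints) > 0,
	}
}

// Checkable is true if at least one revocation mechanism is advertised.
func (r RevocationInfo) Checkable() bool { return r.HasOCSP || r.HasCRL }

var serial int64 // simple monotonic serial for the constructed fixtures

// makeCA issues a CA certificate signed by parent (self-signed when parent is
// nil) carrying the given OCSP and CRL URLs. Constructed fixture, not a real CA.
func makeCA(cn string, ocsp, crl []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		OCSPServer:            ocsp, // emitted into the AIA extension
		CRLDistributionPoints: crl,  // emitted into the CRL DP extension
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleHierarchy builds a constructed root plus three intermediates that
// mirror the cases discussed: both pointers, CRL only, and neither.
func SampleHierarchy() []*x509.Certificate {
	root, rootKey := makeCA("Example Root (constructed)", nil, nil, nil, nil)
	full, _ := makeCA("Intermediate A (OCSP+CRL)",
		[]string{"http://ocsp.example.test"}, []string{"http://crl.example.test/a.crl"}, root, rootKey)
	crlOnly, _ := makeCA("Intermediate B (CRL only)",
		nil, []string{"http://crl.example.test/b.crl"}, root, rootKey)
	none, _ := makeCA("Intermediate C (no revocation info)", nil, nil, root, rootKey)
	return []*x509.Certificate{full, crlOnly, none}
}

// Uncheckable returns the subjects of certificates that advertise no
// revocation mechanism at all, i.e. the ones only a disclosure list
// (or a blocklist such as OneCRL) can cover.
func Uncheckable(certs []*x509.Certificate) []string {
	var out []string
	for _, c := range certs {
		if !Inspect(c).Checkable() {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

func main() {
	for _, c := range SampleHierarchy() {
		r := Inspect(c)
		fmt.Printf("%-38s OCSP=%-5v CRL=%-5v checkable=%v\n", r.Subject, r.HasOCSP, r.HasCRL, r.Checkable())
	}
}
```

Running the program prints one line per intermediate; only Intermediate C is reported as not checkable. On a real chain, replace `SampleHierarchy` with certificates from `x509.ParseCertificate` and feed them to `Uncheckable` to find the intermediates for which neither OCSP nor a CRL can ever answer the revocation question.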

