On Friday, February 3, 2017 at 7:26:14 AM UTC-8, Jakob Bohm wrote:
>
> No, I am suggesting that while *still* listing it as a problematic
> practice for an edge case from a few CAs, Mozilla offers those few
> CAs an easier way out, while at the same time obtaining for both itself
> and any other implementors (such as Google's BoringSSL and Microsoft's
> CNG) a table of the only values that code for that edge case will need
> to handle.
>
> I was also suggesting that if, after gathering data, the resulting
> table is very small, using the table in code might be easier than
> coding an algorithm that matches certificates to issuers and CRLs for
> all the needed non-identical cases. This however would be an
> implementation choice, as any other algorithm giving correct results
> would solve the problem.
>
There is a bug to "Make OneCRL name comparisons encoding agnostic"...
https://bugzilla.mozilla.org/show_bug.cgi?id=1330968

But we'll still call it out as a problematic practice.

Cheers,
Kathleen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
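As an added illustration of the encoding-agnostic name comparison the bug above asks for (example code written here, not Mozilla's OneCRL implementation and not from either poster), the block below builds two DER Names that differ only in the ASN.1 string type of the common name and shows that a bytewise comparison rejects them while a normalized comparison accepts them. The minimal DER parser and the normalization rule (string tag ignored, case folded, whitespace collapsed, in the spirit of RFC 5280 section 7.1) are assumptions for this example, not a complete implementation.

```python
# Added example (not from the thread): encoding-agnostic comparison of two
# DER X.509 Names that differ only in the ASN.1 string type of an attribute.
# Sample DER is constructed inline; the tiny parser handles only these shapes.

PRINTABLE, UTF8 = 0x13, 0x0C          # PrintableString / UTF8String tags
OID_CN = bytes([0x55, 0x04, 0x03])    # id-at-commonName (2.5.4.3)

def _tlv(tag, body):
    assert len(body) < 128            # short-form length only (sample data)
    return bytes([tag, len(body)]) + body

def build_name(cn, string_tag):
    """Constructed Name: SEQUENCE { SET { SEQUENCE { OID cn, <string> } } }."""
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(string_tag, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def normalize_name(der):
    """Canonical form: per RDN, a sorted tuple of (oid, text) pairs where text is
    case-folded with whitespace collapsed, so the string tag no longer matters."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30
    rdns = []
    for set_tag, set_body in _children(body):
        assert set_tag == 0x31
        atvs = []
        for seq_tag, seq_body in _children(set_body):
            (oid_tag, oid), (str_tag, val) = _children(seq_body)
            assert seq_tag == 0x30 and oid_tag == 0x06 and str_tag in (PRINTABLE, UTF8)
            atvs.append((oid, " ".join(val.decode("utf-8").split()).casefold()))
        rdns.append(tuple(sorted(atvs)))
    return tuple(rdns)

def names_match(a, b):
    """Byte-equal Names always match; differently encoded ones match after normalization."""
    return a == b or normalize_name(a) == normalize_name(b)
```

`names_match(build_name("Example CA", PRINTABLE), build_name("Example CA", UTF8))` returns True even though the two DER blobs are not byte-equal, which is exactly the case a bytewise issuer lookup misses.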

