Ka-Ping Yee wrote:
> But if certificate revocation is going to work, doesn't it have to be
> implemented by the browser? Couldn't there be a role for Mozilla to
> play here?

There already are mechanisms for that: CRL and OCSP. Unfortunately they are not on by default (various issues with CAs and the technologies themselves). I've personally turned OCSP on and have encountered only one or two sites that I was unable to access because of these issues. On the other hand, OCSP is apparently not used by very many CAs (or wasn't when I checked a couple of years ago). The crypto people would probably know more about the situation now, and how feasible/usable it would be to turn these on.

--
Heikki Toivonen
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
