Eddy Nigg (StartCom Ltd.) wrote:
>> No-one is saying it is. But it is also pretty unlikely that a
>> certificate would be revoked close to its expiration date.
>
> And what if it does happen?

Like everything, it's a trade-off - keeping revoked certificates in CRLs has a cost (download time and bandwidth, requirement to keep key secret) vs. the potential gain of being able to send a stronger warning signal in this rather rare case.

> The fact that connections to expired certificates are allowed by most if
> not all browser vendors contributes to this problem, if this certificate
> is removed from the CRL...than it's just an expired certificate which
> was once valid, compared to a certificate which is actually revoked.

Indeed. For Firefox 3, we plan to treat revoked and expired equally, preventing access in both cases. Does that address your concern?

> Well, I was also reading your "CAB Forum meeting report" and it's indeed
> a step into the right direction...But still, I think the principal
> question about the character of this organization just remains.
> Currently only webtrust accredited auditors can perform the EV audit if
> I understood correctly...(Correct me if I'm wrong).

It's true in the same way that only Webtrust-accredited auditors can perform Webtrust audits. :-)

> But what really surprises me is, that why such principal and important
> decisions about the type and nature of the proposed forum weren't made
> at its founding? Why weren't openness (in respect to participation,
> audits, etc) one of the key conditions for Mozilla?

It's easy to say such things with the benefit of hindsight. We have been a voice for openness in the Forum since the beginning; after all, to begin with, the Guidelines were going to be confidential. It took quite a long time to change that.

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
