On 12/10/2009 12:13, Rob Stradling wrote:
On Saturday 10 October 2009 16:05:32 Boris Zbarsky wrote:
Some of them can handle something on the order of
1-2 OCSP requests per second, last it was tested (when AMO ended up down
because the CA couldn't handle the OCSP requests for it).
The EV Guidelines say that "The CA MUST operate and maintain its CRL and/or
OCSP capability with resources sufficient to provide a
commercially-reasonable response time for the number of queries generated by
all of the EV Certificates issued by the CA".
Sounds like a business requirement to me. This is one of the things
about these documents that leaves one a bit cold; they frequently
blunder out of their territory of competence without realising it,
creating all sorts of problems for the future.
That CA clearly fell short of this requirement.
It is ... surely a thing of customer <--> CA relationship. If there are
insufficient resources, the customer experience will be crap.
If the market isn't working here, then there is something wrong with the
market, and creating a requirement in a dry dusty document is pretty
close to the worst thing to do.
iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
