Nelson B Bolyard wrote:
Frank Hecker wrote, On 2009-02-23 11:30:
I have no problem with NSS ignoring CRLs with CIDP extensions in the
context of CRLDP support; however I think that (e.g.) Firefox should not
treat this as an error but should proceed as if no CRL were ever seen.
(I think it's OK to show an error message when the user manually loads a CRL into Firefox, but I question whether it is useful and right to do so when the error is a side-effect of auto-fetching a CRL from a CRL distribution point.)

Displaying of such UI (or not) is a PSM issue, of course.

Understood.

The functions in NSS by which CRLs are imported from application memory
into NSS will certainly not go away.  Whether Firefox will continue to
support manual import is a PSM question, not NSS.

Ditto.

Based on the discussion so far, my understanding is as follows: In the near term Hongkong Post's certificates will work OK in Firefox et al. with the default settings (i.e., no CRL checking), and users wanting to do revocation checking can manually import the full CRL.

In the longer term, when CRL DP support gets implemented in NSS, it appears that this situation won't change: NSS will ignore the CRL with the CIDP extension when trying to auto-fetch a CRL based on the CRL DP extension in Hongkong Post certificates, and (assuming PSM doesn't throw an error based on this) the certificates will work with default Firefox et al. settings (with no revocation checking being done, of course). Again, users wanting to do revocation checking can manually import the full CRL.

Based on this, my conclusion is that Hongkong Post's use of CRLs with the CIDP extension is not an issue that would prevent our including the root. I'll wait on Kathleen's recommendation and then make a final decision.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
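The practical consequence discussed in this thread is that a CRL carrying a critical Issuing Distribution Point (IDP, "CIDP") extension is discarded by a CRLDP-fetching client that does not implement IDP scoping, so revocation silently goes unchecked unless the user imports the full CRL by hand. The following is an added example, not code from NSS, PSM or Hongkong Post, showing how an operator can inspect a CRL for that extension before publishing it. It uses only Go's standard library (`crypto/x509` for CRL creation and parsing, `encoding/asn1` for the IDP structure); the test CA, the CRLs and the distribution-point URI `http://crl.example.invalid/part1.crl` are constructed placeholders, and `UsableWithoutIDPSupport` models the behaviour the thread attributes to NSS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the CRL Issuing Distribution Point extension, id-ce 28 (RFC 5280 5.2.5).
var oidIDP = asn1.ObjectIdentifier{2, 5, 29, 28}

// IDPInfo summarises the IDP fields that decide a CRL's scope.
type IDPInfo struct {
	Present, Critical, HasDistributionPoint bool
	OnlyUserCerts, OnlyCACerts, IndirectCRL bool
}

// parseIDP walks the IssuingDistributionPoint SEQUENCE element by element,
// switching on the context-specific tag so every OPTIONAL/DEFAULT field is
// handled whether or not it is present.
func parseIDP(der []byte) (IDPInfo, error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return IDPInfo{}, err
	}
	if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
		return IDPInfo{}, errors.New("IDP value is not a single SEQUENCE")
	}
	info := IDPInfo{Present: true}
	for body := seq.Bytes; len(body) > 0; {
		var el asn1.RawValue
		if body, err = asn1.Unmarshal(body, &el); err != nil {
			return IDPInfo{}, err
		}
		if el.Class != asn1.ClassContextSpecific {
			return IDPInfo{}, fmt.Errorf("unexpected class %d inside IDP", el.Class)
		}
		isTrue := len(el.Bytes) == 1 && el.Bytes[0] == 0xFF // DER BOOLEAN TRUE
		switch el.Tag {
		case 0: // distributionPoint
			info.HasDistributionPoint = true
		case 1: // onlyContainsUserCerts
			info.OnlyUserCerts = isTrue
		case 2: // onlyContainsCACerts
			info.OnlyCACerts = isTrue
		case 4: // indirectCRL
			info.IndirectCRL = isTrue
		} // tags 3 (onlySomeReasons) and 5 (onlyContainsAttributeCerts) are not needed here
	}
	return info, nil
}

// InspectCRL parses a DER CRL and reports its IDP extension, if any.
func InspectCRL(der []byte) (IDPInfo, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return IDPInfo{}, err
	}
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidIDP) {
			info, err := parseIDP(ext.Value)
			if err != nil {
				return IDPInfo{}, err
			}
			info.Critical = ext.Critical
			return info, nil
		}
	}
	return IDPInfo{}, nil // no IDP: a full, unscoped CRL
}

// UsableWithoutIDPSupport models a CRLDP-fetching client that does not
// implement IDP scoping (the NSS behaviour described in the thread): a
// critical IDP it cannot process means the CRL is discarded. RFC 5280
// requires IDP to be critical, so a non-critical one is non-conforming.
func UsableWithoutIDPSupport(info IDPInfo) bool {
	return !info.Present || !info.Critical
}

// rawElem encodes a context-specific element with the given tag.
func rawElem(tag int, compound bool, content []byte) []byte {
	b, err := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tag, IsCompound: compound, Bytes: content})
	if err != nil {
		panic(err)
	}
	return b
}

// PartitionedIDP builds a critical IDP meaning "this CRL covers only
// end-entity certificates and is published at uri" (constructed sample).
func PartitionedIDP(uri string) pkix.Extension {
	generalName := rawElem(6, false, []byte(uri)) // [6] uniformResourceIdentifier
	fullName := rawElem(0, true, generalName)     // [0] GeneralNames (implicit)
	dp := rawElem(0, true, fullName)              // [0] distributionPoint (explicit; wraps a CHOICE)
	onlyUser := rawElem(1, false, []byte{0xFF})   // [1] onlyContainsUserCerts TRUE
	seq, err := asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: append(dp, onlyUser...)})
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidIDP, Critical: true, Value: seq}
}

// SampleCRL signs a CRL with a throw-away test CA, adding extra extensions,
// so the checker can run offline (constructed sample, not a real CA).
func SampleCRL(extra []pkix.Extension) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour), ExtraExtensions: extra}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

func main() {
	full, err := SampleCRL(nil)
	if err != nil {
		panic(err)
	}
	part, err := SampleCRL([]pkix.Extension{PartitionedIDP("http://crl.example.invalid/part1.crl")})
	if err != nil {
		panic(err)
	}
	for name, der := range map[string][]byte{"full CRL": full, "partitioned CRL": part} {
		info, err := InspectCRL(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s %+v usable_without_idp_support=%v\n", name, info, UsableWithoutIDPSupport(info))
	}
}
```

Run as `go run .`: the full CRL reports no IDP and is usable; the partitioned one reports a critical IDP with `OnlyUserCerts` set and is flagged as unusable by a client without IDP support, which is the situation the thread describes for CRLDP auto-fetching. To check a real CRL, replace the constructed `der` with the bytes of the downloaded file.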
