Note in that regard that I have some open questions in particular about CA evaluation criteria relating to notification of certificate revocation (i.e., via CRLs or OCSP). I haven't time to look into this deeply, so I'm somewhat unclear on whether CRL checking and/or OCSP validation is or will be enabled by default. If CRLs and OCSP are not used by default then (to play devil's advocate) I claim that there is no point in having CA evaluation criteria relating to CRLs or OCSP, since this policy is intended for typical users (per the meta-policy) and typical users will never end up using CRLs and OCSP.
The stories for CRLs and OCSP are separate.
OCSP is turned off by default. That is a defect, and should be fixed ASAP. There are some dependencies that need to get fixed, such as the fact that presently OCSP doesn't work for users who sit behind firewalls and must use proxies. When OCSP is turned on, it should just work. That means that CAs must already be doing it (or offering CRLs) correctly.
CRLs are not fetched on demand, but rather are fetched in a scheduled fashion. Once fetched, checking of the locally stored CRL is always enabled and cannot be disabled. However, the scheduled CRL fetching must be configured for each CA manually. The act of fetching the first CRL establishes the schedule with which it is subsequently fetched. It's very simple to do, but most users don't do it.
There's another criteria-related issue [...]
namely the issue of what level of verification a CA really should be doing at the time of certificate issuance.
I'll reply to this in a separate message. -- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
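As an added illustration, not code from this thread or from Mozilla's NSS, the following shows what checking a certificate against a locally stored CRL (as described above) involves, including the caveat that a scheduled fetch can leave the cached CRL past its NextUpdate. The CA, serial numbers and lifetimes are constructed test data; the x509 calls are Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckAgainstCRL verifies the CRL signature with the issuer's key, refuses to trust a CRL whose
// NextUpdate has passed (the scheduled refetch is overdue), and only then looks up the
// certificate's serial number. It returns "good", "revoked" or "stale".
func CheckAgainstCRL(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", err // a CRL the issuer did not sign carries no revocation information
	}
	if now.After(crl.NextUpdate) {
		return "stale", nil // a cached CRL past NextUpdate may be missing newer revocations
	}
	for _, e := range crl.RevokedCertificates { // Go 1.21+ also exposes RevokedCertificateEntries
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// must aborts fixture construction on any generation or parsing error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs a throwaway CA and a CA-signed CRL that revokes revokedSerial and is
// valid for lifetime from now. Constructed test material, not real PKI data.
func BuildFixture(revokedSerial int64, now time.Time, lifetime time.Duration) (*x509.RevocationList, *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // IsCA makes CreateCertificate derive the SubjectKeyId the CRL needs
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(lifetime),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return crl, ca
}
```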
