Gervase Markham wrote:
> There's been some discussion of revocation services deep in other threads.
> I think understanding these is important, and I suspect my knowledge is
> too limited; does anyone have a link to a primer?
> What proportion of CAs run a revocation service?
Don't have numbers, but historically it's been a very large portion.
> What proportion of them use OCSP?
> Can someone summarise the issues with turning on OCSP in Firefox by
> default?
In my view, it's a PSM/NSS (lack of) integration issue. There needs to
be some way for NSS to tell PSM that PSM (or perhaps netlib) should
establish a connection to a given URL and send a given request and return
the result, and put the current SSL socket/operation on hold until that's
done. PSM would handle all the C++ XPCom whathaveyou, and netlib would
handle proxies as it does with other http requests.
In the absence of that interface, NSS today tries to directly connect to
the OCSP server, which fails to take the browser's proxy configuration
into account (hence doesn't work through proxies) and which sometimes
hangs the browser for a while (waiting for the OCSP responder).
> Does Firefox support CRLs? Can it get them automatically? Why doesn't
> it? Are they too big?
CRLs tend to be big. Some are megabytes. Not something your average
dial-up user wants to download very often. Not something we should
download automatically for all CAs that offer them, IMO.
In recognition of this, Netscape/mozilla browsers have always taken the
strategy (always = since CRL support first began) that they would let
the user decide which CRLs to download, on a CA by CA basis, and then
would automate the re-download of new CRLs from those CAs on a user-
selected schedule/frequency.
The PSM UI for this could be enhanced to make it easier to get started.
Just another of the many ways PSM could be made better.
> If CRLs are a pain to fetch, could we have a scheme where being
> suspicious of an SSL site (according to some sort of phishing detector)
> triggered a CRL download?
IMO, OCSP is the right answer, queries and responses are short and sweet.
We (NSS and PSM developers :) just need to work out how to make OCSP
queries work better in mozilla browsers.
Some CAs have huge CRLs. Some CAs have broken OCSP responders. These
make for bad user experience. So, IMO a single global pref that turns
them on or off for all CAs is less desirable than something that allows
them to be used where they work (that is, for those CAs with which they
work well) and not where they don't.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
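The size argument in the message above (OCSP queries are "short and sweet", CRLs "tend to be big") can be made concrete with a few bytes of DER. The following is an added example, not code from the thread or from NSS/PSM: it hand-encodes a minimal RFC 2560-style OCSPRequest for one certificate and, for comparison, the revokedCertificates list of a CRL with a given number of entries, then reports the sizes. The issuer name, issuer key bytes and serial numbers are constructed placeholders; a real client hashes the DER-encoded issuer Name and the contents of the issuer's subjectPublicKey BIT STRING, and a real CRL adds a signed outer structure and extensions on top of the entry list.

```python
"""Byte-size comparison: one OCSP request versus a CRL revoked-entry list.

Added example with constructed inputs; uses only hashlib and a tiny DER
encoder, so it runs offline. It is not the thread's or NSS's own code.
"""
import hashlib

# 1.3.14.3.2.26 (id-sha1), the digest OCSP CertID uses by default
SHA1_OID = bytes.fromhex("2b0e03021a")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if high bit set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def ocsp_request(issuer_name_der: bytes, issuer_key_bytes: bytes, serial: int) -> bytes:
    """Encode OCSPRequest { TBSRequest { requestList { Request { CertID } } } }.

    Version and requestorName are omitted (DER defaults), no extensions,
    no optional signature: the bare query a client sends for one cert.
    """
    # AlgorithmIdentifier ::= SEQUENCE { OID sha1, NULL }
    hash_alg = der(0x30, der(0x06, SHA1_OID) + b"\x05\x00")
    # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    cert_id = der(0x30, hash_alg
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key_bytes).digest())
                  + der_integer(serial))
    request = der(0x30, cert_id)             # Request ::= SEQUENCE { reqCert CertID }
    tbs = der(0x30, der(0x30, request))      # TBSRequest ::= SEQUENCE { requestList SEQUENCE OF Request }
    return der(0x30, tbs)                    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }


def crl_revoked_entries(serials, revocation_time: bytes = b"050601120000Z") -> bytes:
    """Encode revokedCertificates SEQUENCE OF { userCertificate, revocationDate }.

    Each entry carries the serial and a UTCTime; real CRLs may add a
    per-entry reason extension, which only makes them larger.
    """
    entries = b"".join(
        der(0x30, der_integer(s) + der(0x17, revocation_time)) for s in serials
    )
    return der(0x30, entries)


def size_comparison(n_revoked: int) -> dict:
    """Bytes on the wire for one OCSP query vs. a CRL listing n_revoked certs."""
    req = ocsp_request(b"CN=Example Test CA",            # constructed issuer name
                       b"constructed-issuer-public-key",  # constructed key bytes
                       0x0123456789ABCDEF)                # constructed serial
    crl = crl_revoked_entries(range(1, n_revoked + 1))   # constructed serials
    return {"ocsp_request": len(req), "crl_entries": len(crl), "n_revoked": n_revoked}


if __name__ == "__main__":
    for n in (1_000, 100_000):
        print(size_comparison(n))
```

The OCSP request comes out at 75 bytes regardless of how many certificates the CA has ever revoked, while the CRL entry list grows by roughly 20 bytes per revoked certificate before any signature or extensions, which is why a CA with hundreds of thousands of revocations ends up with a multi-megabyte CRL. The same per-request cost is also what makes the proxy and timeout handling discussed above matter: a 75-byte query that blocks the SSL handshake until a responder answers is cheap in bandwidth but expensive in latency if the fetch is not bounded.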