Frank Hecker wrote:
> Also note that OCSP responders can be run by organizations other than
> CAs; this is what the folks at openvalidation.org do. However, usually
> such services are based on the data in published CRLs, and hence aren't
> any more up to date than those CRLs.
I've spoken with a number of CAs that operate OCSP responders, and if
memory serves, all their OCSP responders work that way. They derive
their info from the issuer's latest CRL. Their value is not being more
up-to-date than the CRLs, but in being much faster to query (smaller
messages, less memory required) than downloading the CRLs.
Note that for a few CAs the CRLs are rather big; the extreme case of
this is the DoD PKI with millions of certs issued. For that reason DoD
is moving to online validation; see the following Government Computer
News story:
http://www.gcn.com/24_6/dodcomputing/35282-1.html
Which says in part:
DOD searched for products to speed up the validation process, which
currently requires users to download more than 30M of data and takes
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
longer than an hour.
They're talking about CRLs.
At least one proposed form of DOD online validation has the client send
the entire cert chain it received to a remote validator, and the remote
validator returns a decision on the whole chain. This requires a secured
channel to the validator, secured by some other means than the PKI being
validated. And it makes the validator a bottleneck and a single point of
failure. Not the best design I've seen. Haven't yet seen any proposals
to do that outside of DOD. No plans to do that in mozilla, AFAIK.
> One key issue is knowing where to download the CRL from. As I understand
> it the certificate can contain information about this (just as there's a
> certificate field for OCSP info) but I don't think NSS yet understands
> it. Again I'll defer to the developers for the complete answer.
NSS never initiates the fetching of CRLs on its own, for reasons I
mentioned in my previous post in this thread. Programs (mostly servers)
that want to use CRLs arrange to fetch them on their own. But NSS
certainly can read the cert extension that contains the CRL's URL, and
PSM could ask NSS for that URL.
Today CRL handling begins in PSM the first time it sees a download of
a MIME content type that says "This is a CRL". mozilla/PSM UI does not
facilitate the user finding the URL, AFAIK. The user has to find the
URL and visit it, and then CRL auto-updating begins. PSM could fetch the
CRL's URL from the cert via NSS and then provide a button or other means
to kick off fetching the URL.
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
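An added example for readers of this thread (it is not NSS or PSM code and was not posted by anyone above) of what "read the cert extension that contains the CRL's URL" amounts to in practice: a standard-library Python walker that takes the DER of an X.509 certificate and returns the URIs from the CRL Distribution Points extension (OID 2.5.29.31) together with the id-ad-ocsp locations from the Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1). The certificate at the bottom is a constructed, skeletal structure assembled by the block's own small DER encoder; its URLs are placeholders and it carries no real signature, so it only exercises the path a client would walk on a real certificate.

```python
"""Find where a certificate says its CRL and OCSP responder live.

Added illustration, not NSS or PSM code. Walks the DER of an X.509 certificate
with the standard library only and returns the URIs found in the CRL
Distribution Points extension (2.5.29.31) and the id-ad-ocsp entries of the
Authority Information Access extension (1.3.6.1.5.5.7.1.1). The sample
certificate at the bottom is a constructed skeleton with placeholder URLs."""

OID_CRL_DP = "2.5.29.31"
OID_AIA = "1.3.6.1.5.5.7.1.1"
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Split the content of a constructed element into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = der_read(buf, pos)
        out.append((tag, content))
    return out


def der_seq_items(buf):
    """Members of a top-level SEQUENCE given as a complete TLV."""
    return der_children(der_read(buf)[1])


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_encode(0x06, bytes(body))


def oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def extensions_from_cert(cert_der):
    """Certificate -> tbsCertificate -> extensions [3]; returns the Extensions SEQUENCE or None."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)         # tbsCertificate is the first member
    for tag, content in der_children(tbs):
        if tag == 0xA3:                     # [3] is EXPLICIT, so content is the SEQUENCE itself
            return content
    return None


def revocation_urls(extensions_der):
    """Return {'crl': [...], 'ocsp': [...]} from an Extensions SEQUENCE."""
    found = {"crl": [], "ocsp": []}
    for _, ext in der_seq_items(extensions_der):
        fields = der_children(ext)          # extnID, optional critical BOOLEAN, extnValue
        oid, value = oid_decode(fields[0][1]), fields[-1][1]
        if oid == OID_CRL_DP:
            for _, dp in der_seq_items(value):            # each DistributionPoint
                for tag, dpn in der_children(dp):
                    if tag != 0xA0:                       # distributionPoint [0]
                        continue
                    for tag2, names in der_children(dpn):
                        if tag2 == 0xA0:                  # fullName [0] GeneralNames
                            found["crl"] += [n.decode("ascii") for t, n in der_children(names) if t == 0x86]
        elif oid == OID_AIA:
            for _, ad in der_seq_items(value):            # each AccessDescription
                method, location = der_children(ad)
                if oid_decode(method[1]) == OID_AD_OCSP and location[0] == 0x86:
                    found["ocsp"].append(location[1].decode("ascii"))
    return found


# --- constructed sample: placeholder URLs, skeletal certificate, no real signature ---
def _uri(u):
    return der_encode(0x86, u.encode("ascii"))      # GeneralName uniformResourceIdentifier [6]

def _ext(oid, value):
    return der_encode(0x30, oid_encode(oid) + der_encode(0x04, value))

SAMPLE_CRL_DP = der_encode(0x30, der_encode(0x30, der_encode(0xA0, der_encode(0xA0, _uri("http://crl.example.test/ca.crl")))))
SAMPLE_AIA = der_encode(0x30, der_encode(0x30, oid_encode(OID_AD_OCSP) + _uri("http://ocsp.example.test")))
SAMPLE_EXTENSIONS = der_encode(0x30, _ext(OID_CRL_DP, SAMPLE_CRL_DP) + _ext(OID_AIA, SAMPLE_AIA))
SKELETAL_CERT = der_encode(0x30,
    der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))   # version [0] v3
                     + der_encode(0x02, b"\x01")                   # serialNumber
                     + der_encode(0xA3, SAMPLE_EXTENSIONS))        # extensions [3]
    + der_encode(0x30, oid_encode("1.2.840.113549.1.1.11"))        # signatureAlgorithm, placeholder
    + der_encode(0x03, b"\x00"))                                   # empty signature BIT STRING

if __name__ == "__main__":
    print(revocation_urls(extensions_from_cert(SKELETAL_CERT)))
```

On a real certificate, pass the bytes of the DER file to `extensions_from_cert` and then to `revocation_urls`; the sample only shows that the two URL-bearing extensions have different shapes (the CRL URL sits two context tags deep under a DistributionPoint, the OCSP URL is the accessLocation of an AccessDescription), which is why a client needs both walks. Whichever URL is fetched, the freshness of the answer is bounded by the CRL behind it, as the thread above notes.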