Some CAs have huge CRLs. Some CAs have broken OCSP responders. These make for bad user experience. So, IMO a single global pref that turns them on or off for all CAs is less desirable than something that allows them to be used where they work (that is, for those CAs with which they work well) and not where they don't.
Yes, that makes sense. It's beginning to look like there are various bits of root cert-specific metadata we are going to need to set and store.
Would it be feasible, were we to make the division between high and low (for want of better terms) assurance root certs, to require that high assurance roots only sign certs containing an OCSP URL to a working OCSP responder?
After all, whether we access it or not is our problem to solve. When we do, if we fail to get an OCSP response, perhaps we can demote the connection to low assurance.
Gerv
