Rick Andrews wrote:
> I know that FF allows you to choose a CRL and it will check status
> against that CRL when it finds a cert issued by the CRL issuer. Does
> anyone know if FF uses the CDP in the cert or the cert's issuer name
> as a key to find the CRL?
I assume you are talking about the Revocation Lists feature exposed in the
Options Advanced Certificates UI.
It uses the cert's issuer name. In particular, it uses CERT_CheckCRL, which
calls cert_CheckCertRevocationStatus, which calls AcquireDPCache, which looks
things up by issuer name. I didn't look to see whether we allow multiple CRLs
for a given issuer name.
> The reason I ask is in regards to partitioned CRLs, where a CA could,
> for example, have one CRL for odd serial numbers and one for even.
> The CA would put the appropriate CDP in each cert, but would that
> confuse FF?
I'm not sure. The Revocation Lists feature is somewhat unmaintained and may
be removed.
> Same question about OCSP responses and AIA.
Currently, Firefox uses the first OCSP responder URL listed in the end-entity's
cert's AIA for doing OCSP fetches.
> Does anyone know the answers for IE?
I am not sure exactly what IE does, but IIRC Microsoft has very good
documentation on MSDN regarding revocation checking in Windows.
Cheers,
Brian
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
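The partitioned-CRL concern discussed in the thread, as an added toy model (not NSS code, and not from either poster): a CRL cache keyed only by issuer name, contrasted with one keyed by the cert's CDP URL. The CA name, URLs and serial numbers are constructed for the illustration.

```python
# Toy model of the failure mode raised above: when the CRL cache is keyed by
# issuer name alone, a CA that partitions its CRLs (odd vs even serials) can
# have a revoked cert judged "good" because the wrong partition is consulted.
# Added illustration only; names, URLs and serials are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    issuer: str
    url: str               # distribution point this CRL is published at
    revoked: frozenset     # revoked serials covered by this partition


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdp: str               # CRL Distribution Point URL carried in the cert


ISSUER = "CN=Example Partitioning CA"            # constructed
CDP_ODD = "http://crl.example.test/odd.crl"      # constructed
CDP_EVEN = "http://crl.example.test/even.crl"    # constructed

# Partitioned CRLs: odd serials on one list, even serials on the other.
CRL_ODD = Crl(ISSUER, CDP_ODD, frozenset({101, 303}))
CRL_EVEN = Crl(ISSUER, CDP_EVEN, frozenset({202}))


def cache_by_issuer(crls):
    """One CRL per issuer name; a later CRL for the same issuer is dropped."""
    cache = {}
    for crl in crls:
        cache.setdefault(crl.issuer, crl)
    return cache


def cache_by_cdp(crls):
    """One CRL per distribution point URL, so both partitions are kept."""
    return {crl.url: crl for crl in crls}


def status_by_issuer(cert, crls):
    """Lookup keyed by issuer name: cannot tell which partition covers the cert."""
    crl = cache_by_issuer(crls).get(cert.issuer)
    if crl is None:
        return "unknown"
    return "revoked" if cert.serial in crl.revoked else "good"


def status_by_cdp(cert, crls):
    """Lookup keyed by the cert's CDP; refuse a CRL from a different issuer."""
    crl = cache_by_cdp(crls).get(cert.cdp)
    if crl is None or crl.issuer != cert.issuer:
        return "unknown"
    return "revoked" if cert.serial in crl.revoked else "good"
```

With both partitions loaded, the issuer-keyed lookup reports the revoked even serial 202 as "good" because it only ever sees the odd-serial CRL, while the CDP-keyed lookup reports it as "revoked".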