(CRL with critical CIDP Extension clarifications) |
Line 47: | Line 47: | ||
=== CRL with critical CIDP Extension === | === CRL with critical CIDP Extension === | ||
Currently Firefox | Currently Firefox handles "full" CRLs, but not "partitioned" CRLs. Partitioned CRLs are identified by the presence of a CRL Issuing Distribution Point (CIDP) extension flagged as critical. Firefox is not presently able to load CRLs with critical CIDP extensions. When attempting to load a CRL with a critical CIDP extension, Firefox will return the error code ffffe095, which is equivalent to the negative decimal number -8043. According to the [http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html NSS Error Codes] this error corresponds to SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION. | ||
The NSS team is | The NSS team hopes to eventually implement partitioned CRLs, and when that work is done, Firefox should allow CRLs with critical CIDP extensions. However, even when that is done, older versions of Firefox will still not be able to load CRLs with critical CIDP extensions. | ||
Our recommendation is to | Our recommendation is to not put critical CIDP extensions into full CRLs, and to make full CRLs available for download when practical. |
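Review bot: The recommendation in the last changed paragraph ("not put critical CIDP extensions into full CRLs") does not say whether a CA should leave the CIDP extension out of a full CRL or include it without the critical flag; state which is meant, since the first paragraph says only that the critical flag is what Firefox cannot load. In the first paragraph the error code appears as bare "ffffe095"; writing it as 0xffffe095 and saying it is the 32-bit two's-complement form of -8043 would make the stated equivalence easy to check. The second paragraph repeats itself ("when that work is done" followed by "even when that is done") and could be reduced to a single clause.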