Line 128: | Line 128: | ||
*Implement an option that will turn on OCSP cert verification for leaf cert or a whole chain. Sometimes users prefer to limit the cert chain verification time. One of the ways to achieve this is by limiting network I/O by switching off OCSP cert verification for non-leaf certificates. | *Implement an option that will turn on OCSP cert verification for leaf cert or a whole chain. Sometimes users prefer to limit the cert chain verification time. One of the ways to achieve this is by limiting network I/O by switching off OCSP cert verification for non-leaf certificates. | ||
*NIST cert validation policy. There are a couple of differences in how NIST treats the presence of a CRL, compared to NSS (for more info see [bug 233806]) : | *NIST cert validation policy. There are a couple of differences in how NIST treats the presence of a CRL, compared to NSS (for more info see [[https://bugzilla.mozilla.org/show_bug.cgi?id=233806 bug 233806]) : | ||
**if an issuer CRL is not present, this is considered an error (cert revoked). | **if an issuer CRL is not present, this is considered an error (cert revoked). | ||
** if a CRL has a nextUpdate that is before the date against which a certificate is being verified, this is considered an error. | ** if a CRL has a nextUpdate that is before the date against which a certificate is being verified, this is considered an error. |
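Review bot: the new external link on the "NIST cert validation policy" line has unbalanced brackets. It opens with "[[" and closes with a single "]". MediaWiki external links take one bracket pair, so the link should read "[https://bugzilla.mozilla.org/show_bug.cgi?id=233806 bug 233806]". While touching this line, the space before the trailing colon in "bug 233806]) :" could also be dropped.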