MozillaWiki

CA:EV Revocation Checking: Difference between revisions

Page Discussion

CA:EV Revocation Checking (view source)

Revision as of 21:33, 29 January 2008

85 bytes added ,  29 January 2008
→‎Irrelevant properties
Line 27: Line 27:


==Irrelevant properties==
==Irrelevant properties==
* it does not matter if the root explicitly contains a policy extension with the associated policy OID. Why? It is expected that most roots will not contain it.
* It does not matter if the root explicitly contains the EV extension. It only matters that the End Entity (EE) certificate, and the certificate chain leading up to the root, all have the EV extension explicitly specified or inherited by policy.


* it does not matter if the certificate carries information about CRL download locations (CRLDP) for revocation checking. Why? The certificate verification engine (NSS) in Firefox is unable to download CRLs on demand. Consequently, Firefox will not rely on CRLs for EV related revocation checking. Even if a server certificate contains a CRLDP, even if a CRL is already locally available, NSS will ignore it for its EV revocation tests. (This behavior may change in a future version of NSS and or Firefox.)
* it does not matter if the certificate carries information about CRL download locations (CRLDP) for revocation checking. Why? The certificate verification engine (NSS) in Firefox is unable to download CRLs on demand. Consequently, Firefox will not rely on CRLs for EV related revocation checking. Even if a server certificate contains a CRLDP, even if a CRL is already locally available, NSS will ignore it for its EV revocation tests. (This behavior may change in a future version of NSS and or Firefox.)
Lord
118

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/81452"