Re: Browser security warning

Hi Yngve,


Yngve N. Pettersen wrote:
> 
> On Wed, 27 Dec 2006 22:18:10 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
> 
>>
>>
>> It has been fun and interesting working this thread and thanks for
>> helping me see some of the issues. Hope that someone else can step in
>> about use of OCSP/CRL or I need to go off for some research.
> 
> Opera 8+ uses OCSP checking by default for the site certificate, 
> provided that the CA supports it. In 9.x various errors result in a 
> lowering of the security level, but no warning or error (as opposed to 
> 8.5x). This modification was done because of stability problems on 
> several OCSP responders during 2006.
> 
> AFAIK, IE7 for Vista also uses OCSP and/or CRL by default. I do not 
> think MS activated it in IE7 for XP (separate components). IE6 has the 
> ability, but it is disabled by default.
> 
> Mozilla/firefox have the capability to check OCSP and (AFAIK, limited) 
> CRL, but I am unsure about whether or not they have enabled it in FF2 
> (it is not enabled by default in 1.x)
> 
> Revocation checking is part of the Extended Validation checks performed 
> by the browser. See http://cabforum.org for more on that.

I realise that the browsers are getting pretty good at including
the ability to do OCSP but my question remains as to how often that
actually happens.

Presumably the ssl-server-cert has to include the relevant AIA
extension to trigger this? I've no good feeling for how common
that extension is in certs, nor for whether or not any interop
issues have arisen with it - do you know?

Ta,
S.

> 
> --Sincerely,
> Yngve N. Pettersen
> 
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
> 
> 

Received on Thursday, 28 December 2006 15:05:04 UTC