- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 21 Feb 2008 14:45:14 +0000
- To: Johnathan Nightingale <johnath@mozilla.com>
- CC: W3 Work Group <public-wsc-wg@w3.org>
Johnathan Nightingale wrote:

> If it helps clarify at all, our behaviour in FF3 is to check OCSP
> responders if they are provided, but to assume "no response -> no
> revocation" unless a non-default option "When an OCSP server connection
> fails, treat the certificate as invalid" is chosen. This is less
> PKI-perfect than treating a lack of OCSP response as a hard fail, but
> that switch creates a fair bit of messy for the web as it currently is.

Sounds reasonable to me.

> I find this email a little odd, though, so I might be missing some
> context. IETF shouldn't need people to turn off OCSP checking in
> Firefox, given what I've said above. I guess maybe the thing that's
> conspiring to keep non-US connections from succeeding might just be
> timing out instead, in which case they could be seeing long load times
> as the connections time out, which could seem like failure. But that
> requires them to be using a very specific window of Firefox 3 betas,
> since we've dialed down the connection timeouts on OCSP for exactly this
> reason. :)

Most of the context is semi-pro-IETF-whingers venting about things happening during the switch-over between the old and new secretariat companies ;-) Otherwise it seems to involve Safari, but the mails don't always say. One guy blamed Akamai!

I doubt there's anything here really for UA implementers (at least those who've done as you describe above). It reflects more on OCSP as a service and PKI generally as requiring too much client side config. (Cue mail from PHB about XKMS :-)

Cheers,
S.
Received on Thursday, 21 February 2008 14:45:31 UTC
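As an added example (not code from this thread, from Firefox, or from Mozilla), the following Python models the revocation policy Johnathan describes: soft-fail by default ("no response -> no revocation"), the non-default "treat the certificate as invalid" switch as hard-fail, and a bounded per-responder connection timeout so that an unreachable responder shows up as extra load time rather than an indefinite hang. The responder URLs, the 2-second timeout and the table-driven fetcher are constructed assumptions standing in for a real OCSP client.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

# OCSP certificate statuses modelled here (constructed for this example).
GOOD, REVOKED = "good", "revoked"


class OcspUnreachable(Exception):
    """Connection failure or timeout while talking to a responder."""


@dataclass(frozen=True)
class Policy:
    # Default described in the thread: soft-fail, i.e. no response -> not revoked.
    hard_fail_on_connection_error: bool = False
    # Per-responder connection budget in seconds (value is an assumption).
    connect_timeout: float = 2.0


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    elapsed: float  # seconds spent waiting on responders that never answered


# (url, timeout) -> status string; raises OcspUnreachable on failure/timeout.
Fetcher = Callable[[str, float], str]


def make_fetcher(table: Dict[str, Optional[str]]) -> Fetcher:
    """Constructed stand-in for a network client: url -> status, or None if unreachable."""
    def fetch(url: str, timeout: float) -> str:
        status = table.get(url)
        if status is None:
            raise OcspUnreachable(f"{url} unreachable within {timeout}s")
        return status
    return fetch


def check_revocation(responders: Sequence[str], fetch: Fetcher, policy: Policy) -> Verdict:
    """Check each responder the certificate names; apply soft-/hard-fail on no answer."""
    if not responders:  # nothing to check: the browser only checks responders it is given
        return Verdict(True, "no OCSP responder in certificate; no check performed", 0.0)
    elapsed = 0.0
    for url in responders:
        try:
            status = fetch(url, policy.connect_timeout)
        except OcspUnreachable:
            elapsed += policy.connect_timeout  # bounded wait, then move on
            continue
        if status == REVOKED:  # a definite revocation always rejects, whatever the policy
            return Verdict(False, f"{url} reports certificate revoked", elapsed)
        return Verdict(True, f"{url} reports certificate good", elapsed)
    if policy.hard_fail_on_connection_error:
        return Verdict(False, "no OCSP response and hard-fail is enabled", elapsed)
    return Verdict(True, "no OCSP response; soft-fail assumes not revoked", elapsed)
```

The `elapsed` field makes the second point in the thread visible: with a blocked responder, a soft-fail client still accepts the certificate, but only after spending the full timeout, which users experience as a slow page rather than a failure.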