[cabfpub] Web Security Context: User Interface Guidelines

Gervase Markham gerv at mozilla.org
Wed Sep 19 09:05:28 UTC 2012

On 18/09/12 18:46, Rick Andrews wrote:
>>> negotiation, the end-entity certificate presented or one of the
>>> intermediate certificates in the certificate chain are found to
>>> have been revoked, error signaling of class danger (6.4.3 Danger
>>> Messages) MUST be used."
>> Do you think that Firefox doesn't do that?
>> Gerv
> Back in June there was a thread about revocation checking in Firefox
> in which you and Bob Relyea indicated that FF uses two different
> libraries, and one of those libraries did not check intermediates.

The text says "are found to have been revoked". It's a UI document, not 
a document which mandates revocation checking. If Firefox finds a 
certificate to be revoked, it always signals an error, and so complies 
with this document. Your beef, as I understand it, is that it's possible 
for Firefox not to find a certificate revoked which has, in fact, been 
revoked, because it doesn't check (in the case of intermediates).

You are already aware that we are working to improve our story in this 
area, as I have said before.

