Changes


Security/Features/Browser CRL

7 bytes removed, 01:17, 18 December 2013
no edit summary
When a CA revokes an end-entity certificate due to a security concern, Mozilla should give an Untrusted Connection error for websites using that SSL certificate.
https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Certain_End-Entity_Certificates
 
|Feature users and use cases=There are currently three use cases this feature addresses:
# A CA is no longer trusted (in its entirety), so needs to be treated as revoked.
# The key of an end-entity certificate belonging to a high-profile entity is compromised (e.g. a bank, government, etc.), so needs to be treated as revoked.
Instead of spinning up and releasing a binary update, we simply add entries as appropriate to the Browser CRL. Next time the user's browser pings us for updates, we ship them the new Browser CRL and the changes instantly take effect.
|Feature requirements=# The ability to revoke (and treat as revoked) root certificates, intermediate certificates, and end-entity certificates.
# The ability to use specific keys to identify which certificates to treat as revoked.
# The ability to undo a block should one be applied erroneously.
|Feature non-goals=This will not serve the same purpose as shipping a white-list of all intermediate certificates, which is another proposal under discussion. This does not solve revocation in general. We will not add Joe Schmoe's compromised server certificate to the blocklist.
|Feature ux design=There should not be any UX changes.
|Feature implementation plan=Previously this feature request was called "Cert Blocklist via Update Ping":
https://wiki.mozilla.org/Security/Features/Cert_Blocklist_via_Update_Ping
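
The three requirements above can be sketched as a client-side check. This is an added example, not Mozilla's implementation: the `Blocklist` format, the version-based update rule, and all names and sample certificates are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                       # minimal stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    serial: int
    spki: bytes                   # stand-in for DER SubjectPublicKeyInfo

@dataclass(frozen=True)
class Blocklist:                  # hypothetical list format (assumption)
    version: int
    key_hashes: frozenset = frozenset()       # SHA-256 hex of blocked public keys
    issuer_serials: frozenset = frozenset()   # blocked (issuer, serial) pairs

def key_hash(spki: bytes) -> str:
    return hashlib.sha256(spki).hexdigest()

def apply_update(current: Blocklist, update: Blocklist) -> Blocklist:
    """Replace the list wholesale; an older version never overwrites a newer one.
    Shipping a newer list without an entry is how a block is undone."""
    return update if update.version > current.version else current

def blocked_reason(chain, bl):
    """Return why the chain is untrusted, or None. Every level is checked:
    end-entity, intermediates and root."""
    for cert in chain:
        if key_hash(cert.spki) in bl.key_hashes:
            return f"{cert.subject}: key blocked"
        if (cert.issuer, cert.serial) in bl.issuer_serials:
            return f"{cert.subject}: issuer/serial blocked"
    return None

# Constructed sample certificates (not real data)
ROOT = Cert("Example Root CA", "Example Root CA", 1, b"root-key")
INTER = Cert("Example Issuing CA", "Example Root CA", 7, b"inter-key")
INTER_REISSUED = Cert("Example Issuing CA", "Example Root CA", 8, b"inter-key")
LEAF = Cert("bank.example", "Example Issuing CA", 4242, b"leaf-key")
OTHER = Cert("shop.example", "Example Issuing CA", 4243, b"other-key")

V1 = Blocklist(1)
V2 = Blocklist(2, issuer_serials=frozenset({("Example Issuing CA", 4242)}))
V3 = Blocklist(3, key_hashes=frozenset({key_hash(b"inter-key")}))
V4 = Blocklist(4)                 # block lifted again

if __name__ == "__main__":
    bl = V1
    for update in (V2, V3, V4):
        bl = apply_update(bl, update)
        print(bl.version, blocked_reason([LEAF, INTER, ROOT], bl))
```

Blocking by key (V3) also catches a reissued intermediate that carries the same key under a new serial number, which an issuer/serial entry alone would miss.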