CA/Revocation Checking in Firefox: Difference between revisions

(→‎OCSP: UpdateOCSP GET reference)
m (deleted sentence that wasn't entirely correct, and was unnecessary.)
Line 49: Line 49:


Like OCSP must-staple, short-lived certificates are another fast-path option for websites, since a supporting browser will skip all revocation checks. Using short-lived certificates instead of a must-staple extension also removes the need to send an OCSP response in the handshake.
Like OCSP must-staple, short-lived certificates are another fast-path option for websites, since a supporting browser will skip all revocation checks. Using short-lived certificates instead of a must-staple extension also removes the need to send an OCSP response in the handshake.
Unfortunately, the adoption of short-lived certificates has been hampered by current  CA/Browser Forum rules requiring OCSP for all certificates.


Firefox does not perform any form of revocation checking for certificates with a validity period of less than 10 days. That period is configurable via the security.pki.cert_short_lifetime_in_days preference.
Firefox does not perform any form of revocation checking for certificates with a validity period of less than 10 days. That period is configurable via the security.pki.cert_short_lifetime_in_days preference.
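Review bot: The retained closing paragraph gives the threshold as "less than 10 days" and then calls it configurable via security.pki.cert_short_lifetime_in_days, without saying that 10 is the preference's default value. Wording such as "less than 10 days by default" would make the relationship between the number and the preference explicit. The preference name would also read better in code formatting. Separately, the edit summary says the removed CA/Browser Forum sentence "wasn't entirely correct" but not which part, so a short note on the talk page would help later editors avoid reintroducing the same claim.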