=== Remove CRL Checking via CRLDP ===
Remove CRL checking through CRLDP in the certificate (a.k.a. CRL fetching). The normal certificate checking path does not do CRL fetching, and it never has. So, for any CA that isn't enabled for EV treatment, Firefox has never done CRL fetching. Firefox has only done CRL checking for EV certs as per the following logic. The source code for this is here:
http://hg.mozilla.org/mozilla-central/annotate/ad2a5a4f53ec/security/manager/ssl/src/CertVerifier.cpp#l150

Once that happens, for all practical purposes, Firefox will not have anything to do with CRLs. The only exception is that, if you use some specialized tools to import CRLs into Firefox's certificate database, then Firefox will recognize those specially-imported CRLs for a while. However, it is likely that this will stop too, when we switch to the new certificate validation library.
* Discussion: [https://groups.google.com/d/msg/mozilla.dev.security.policy/zgXqG_P3RIg/RozDfvB5t04J In mozilla.dev.security.policy]
* Code Change: {{Bug|585122#c34}}
* Dependencies:
* Policy Change: Remove any reference to CRLs from [http://www.mozilla.org/projects/security/certs/policy/ Mozilla's CA Certificate Policy].
* Process Change: In the CA root inclusion checklist, change the instructions about checking CRLs to use crlutil. NSS users may still use CRLs even though Firefox won't.
=== Preload Revocations of Intermediate CA Certificates ===
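As an added example (not Mozilla or NSS code), the following pure-Python snippet walks a DER-encoded cRLDistributionPoints extension value and lists the URIs that "CRL fetching via CRLDP" would consult; the extension bytes and the `.invalid` hostnames are constructed for this example.

```python
# Added example (not Mozilla/NSS code): list the URIs a CRL fetcher would use from a
# certificate's cRLDistributionPoints extension (RFC 5280 s4.2.1.13) via a tiny DER walker.

def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def crldp_uris(ext_value):
    """Return every uniformResourceIdentifier [6] in a CRLDistributionPoints value.
    Path: SEQUENCE OF DistributionPoint (0x30) > distributionPoint [0] (0xA0, explicit)
    > fullName [0] GeneralNames (0xA0) > 0x86. Other fields and name types are skipped."""
    uris = []
    _, points, _ = der_tlv(ext_value)
    for tag, dp in der_children(points):
        if tag != 0x30:
            continue
        for t1, dpn in der_children(dp):
            if t1 != 0xA0:          # skip reasons [1] and cRLIssuer [2]
                continue
            for t2, names in der_children(dpn):
                if t2 != 0xA0:      # skip nameRelativeToCRLIssuer [1]
                    continue
                uris += [n.decode("ascii") for t3, n in der_children(names) if t3 == 0x86]
    return uris

def der_encode(tag, value):
    """Short-form DER TLV encoder, enough to build the constructed sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def sample_crldp():
    """Constructed extension value: DP1 with one HTTP URI; DP2 with an LDAP and an HTTP URI.
    The hosts are placeholders (.invalid), not real CRL servers."""
    def dp(*uris):
        names = b"".join(der_encode(0x86, u) for u in uris)
        return der_encode(0x30, der_encode(0xA0, der_encode(0xA0, names)))
    return der_encode(0x30, dp(b"http://crl.example.invalid/a.crl")
                      + dp(b"ldap://dir.example.invalid/cn=a", b"http://crl.example.invalid/b.crl"))

if __name__ == "__main__":
    print(crldp_uris(sample_crldp()))  # three URIs, in certificate order
```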