58
edits
Add-ons/Expired-Certificate-Technical-Report: Difference between revisions
Add-ons/Expired-Certificate-Technical-Report (view source)
Revision as of 17:55, 12 July 2019
, 12 July 2019duplicate words
(corrected text about checking of certificate expiration) |
(duplicate words) |
||
| Line 18: | Line 18: | ||
* The server-side teams whose systems (e.g., Autograph) generate signatures knew the certificate was expiring, but did not see a problem because they had reason to believe that signing certificate dates were not checked by the client. | * The server-side teams whose systems (e.g., Autograph) generate signatures knew the certificate was expiring, but did not see a problem because they had reason to believe that signing certificate dates were not checked by the client. | ||
* The client-side teams whose code performs add-on validation knew that dates were not checked for end-entity certificates (we modified this behavior in | * The client-side teams whose code performs add-on validation knew that dates were not checked for end-entity certificates (we modified this behavior in [https://bugzilla.mozilla.org/show_bug.cgi?id=1267318 a previous outage]), but might not have realized that dates for intermediate certificates were still checked when invoking the [https://searchfox.org/mozilla-central/rev/7556a400affa9eb99e522d2d17c40689fa23a729/security/manager/ssl/nsIX509CertDB.idl#230-266 nsIX509CertDB] function in the core SSL library. | ||
* The crypto teams who maintain that SSL library simply provide an API and aren’t responsible for how client-side code uses that API. | * The crypto teams who maintain that SSL library simply provide an API and aren’t responsible for how client-side code uses that API. | ||
* The testing teams who ensure the quality of Firefox weren’t aware of the need for test coverage of expiring intermediate certificates. | * The testing teams who ensure the quality of Firefox weren’t aware of the need for test coverage of expiring intermediate certificates. | ||