Note: These changes may be in development while discussion is ongoing, because testing of ideas may be needed and/or implementation details may impact the direction or outcome of the discussion.
=== Remove CRL Checking via CRLDP ===
Remove CRL checking through the CRLDP extension in the certificate (a.k.a. CRL fetching). The normal certificate checking path does not do CRL fetching, and it never has. So, for any CA that isn't enabled for EV treatment, Firefox has never done CRL fetching. Firefox has only done CRL checking for EV certs, following the logic below. The source code for this is here:
http://hg.mozilla.org/mozilla-central/annotate/ad2a5a4f53ec/security/manager/ssl/src/CertVerifier.cpp#l150
# Does the end-entity certificate have an EV policy OID from any of the CAs that have been [http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp enabled for EV treatment]?
# If yes, then verify that the certificate is valid for that policy OID, trusting only that CA's root.
# During this validation, check OCSP, and fall back to CRLs using CRLDP.
# If that validation succeeds, then return "Good EV certificate."
# If that validation fails, check the certificate using the normal certificate checking path.
The CABForum EV guidelines have required EV CAs to support OCSP for a very long time. So, there is no longer any justification for Firefox to fall back to CRL fetching during EV certificate verification. Accordingly, to avoid the various problems that CRLs pose for us, our users, and CAs, we will stop falling back to CRLs for EV certificates very soon.
Once that happens, for all practical purposes, Firefox will not have anything to do with CRLs. The only exception is that, if you use specialized tools to import CRLs into Firefox's certificate database, Firefox will recognize those specially-imported CRLs for a while. However, it is likely that this will stop too, when we switch to the new certificate validation library.
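The following is an added illustration, not Firefox's code (the real logic lives in the CertVerifier.cpp link above): a Python model of the five-step EV decision, with a switch for the CRLDP fallback this section proposes to remove, so the difference in outcome when an OCSP responder is unreachable can be seen. The EV policy OID, root name, status fields and the soft-fail behaviour of the normal path are constructed assumptions for the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the EV-enabled CA table (nsIdentityChecking.cpp):
# EV policy OID -> the one root that may be trusted for that OID. Placeholder values.
EV_ROOTS = {"2.16.840.1.999999.1.1": "Example EV Root CA"}

@dataclass
class Cert:
    policy_oids: List[str]
    root: str                     # root the built chain terminates at
    ocsp_status: Optional[str]    # "good" / "revoked", or None if OCSP is unreachable
    crl_status: Optional[str]     # status a CRLDP fetch would give, None if unreachable

def ev_revocation_status(cert: Cert, crl_fallback: bool) -> str:
    """Step 3: OCSP first; optionally fall back to the CRL fetched via CRLDP."""
    if cert.ocsp_status is not None:
        return cert.ocsp_status
    if crl_fallback and cert.crl_status is not None:
        return cert.crl_status
    return "unknown"            # no revocation answer available -> EV validation fails

def verify_ev(cert: Cert, crl_fallback: bool) -> Optional[str]:
    """Steps 1-4; returns None when the EV path does not yield a good result."""
    ev_oids = [oid for oid in cert.policy_oids if oid in EV_ROOTS]
    if not ev_oids:
        return None             # step 1: no EV policy OID at all
    for oid in ev_oids:
        if cert.root != EV_ROOTS[oid]:
            continue            # step 2: only that CA's own root counts for this OID
        if ev_revocation_status(cert, crl_fallback) == "good":
            return "Good EV certificate"   # step 4
    return None

def verify(cert: Cert, crl_fallback: bool = False) -> str:
    """Full decision: EV path, then step 5, the normal path (never fetches CRLs)."""
    ev = verify_ev(cert, crl_fallback)
    if ev is not None:
        return ev
    # Assumed normal-path behaviour: OCSP only, unreachable responder soft-fails.
    if cert.ocsp_status == "revoked":
        return "Revoked"
    return "Good DV certificate"

if __name__ == "__main__":
    ocsp_down = Cert(["2.16.840.1.999999.1.1"], "Example EV Root CA", None, "good")
    print(verify(ocsp_down, crl_fallback=True), "|", verify(ocsp_down))
```

With the fallback enabled the OCSP-unreachable certificate still earns EV treatment via the CRL; without it the EV path fails and the certificate is accepted only through the normal path.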
* Discussion: ''Link to Discussion Thread''
* Code Change: ''Bugzilla Bug Number''
* Dependencies:
* Policy Change:
* Process Change:
=== Preload Revocations of Intermediate CA Certificates ===