The information in https://wiki.mozilla .org/CA/Revocation_Checking_in_Firefox is largely up to date. In short, Firefox uses OCSP (either stapled or fetched) to check revocation for end-entity certificates. It uses a curated list called "OneCRL" to check revocation for intermediates and roots. We are actively developing "CRLite", which is essentially a way of compressing all known revocations into a small dataset that can be downloaded out-of-band, thus eliminating the privacy and performance issues with OCSP fetching. Firefox has not directly used CRLs for revocation for a number of years.
On Sat, Aug 31, 2024 at 1:17 AM 'Qianxin Cheng' via [email protected] <[email protected]> wrote: > Is Firefox still using CRL for certificate revocation, or if not, what > revocation mechanism does Firefox use to validate certificate validity? > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/902711c1-48e3-4d8b-adf2-b9a3e456cc64n%40mozilla.org > <https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/902711c1-48e3-4d8b-adf2-b9a3e456cc64n%40mozilla.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CAHP1u2iArK%3DDianCci2T8oPa%3DE_jMCofdogATHuuznLgQE6wyg%40mail.gmail.com.
