On Fri, Nov 1, 2013 at 2:08 PM, Eddy Nigg <[email protected]> wrote:
> On 10/31/2013 09:41 PM, From Kathleen Wilson:
>>
>> That's true for non-EV.
>>
>> The validation path for EV is different.
>
> Which developer can confirm this? Where is the code for it? It's just news
> for me and I'm a bit surprised, but entirely possible.

Here is the logic we *currently* use:

Does the end-entity certificate have an EV policy OID from any of our
EV CAs? If so, verify that the certificate is valid for that policy
OID, trusting only that CA's root. During this validation, check OCSP,
and fall back to CRLs using CRLDP. If that validation succeeds, then
return "Good EV certificate." If that validation fails, check the
certificate using the normal certificate checking path.

The normal certificate checking path does not do CRL fetching, and it
*never* has. So, for any CA that isn't in our EV program, Firefox has
never done CRL fetching.

The CABForum EV guidelines have required EV CAs to support OCSP for a
very long time. So, there's no justification for Firefox to fall back
to CRL fetching for EV certificate verification any more. Accordingly,
to avoid various problems that CRLs pose on us, our users, and on CAs,
we'll stop doing the fallback to CRLs for EV certificates very soon.

Once that happens, for all practical purposes, Firefox will not have
anything to do with CRLs. The only exception is that, if you use some
specialized tools to import CRLs into Firefox's certificate
database, then Firefox will recognize those specially-imported CRLs
for a while. However, it is likely that that will stop too, when we
switch to the new certificate validation library.

The source code for this is here:
http://hg.mozilla.org/mozilla-central/annotate/ad2a5a4f53ec/security/manager/ssl/src/CertVerifier.cpp#l150

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
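The EV-first, normal-path-second order that Brian's message describes, as an added model in C++; this is not Mozilla's CertVerifier code and does not reproduce its API. Certificate contents, the root names, the EV table and the revocation answers are all constructed stand-ins; the only real identifier is 2.23.140.1.1, the CA/Browser Forum EV policy OID. The normal path is modelled here as a chain check plus OCSP that soft-fails on an unknown answer, which is an assumption of this model rather than something the message states; what the model is built to show is that the CRLDP fetcher is only ever reachable from the EV path, and disappears entirely once the fallback flag is switched off.

```cpp
// Added example (not Mozilla's code): a model of the EV-then-normal
// verification order from the message above, with constructed data.
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class Revocation { Good, Revoked, Unknown };
enum class Outcome { GoodEV, GoodNonEV, Invalid };

struct Cert {
    std::string subject;
    std::vector<std::string> policyOids;  // certificatePolicies OIDs
    std::string root;                     // root the chain actually builds to
    bool chainValid;                      // signatures/names/dates OK (constructed)
};

// EV program table: policy OID -> the single root trusted for that OID.
using EvTable = std::map<std::string, std::string>;
using RevocationCheck = std::function<Revocation(const Cert&)>;

struct Verifier {
    EvTable evTable;
    RevocationCheck ocsp;
    RevocationCheck crldp;         // only ever reached from the EV path
    bool crlFallbackForEV = true;  // the behaviour the message says is going away
    int crlFetches = 0;            // counts CRLDP fetches so the claim can be checked

    // Returns the EV root for the first EV policy OID the cert carries, or "".
    std::string evRootFor(const Cert& c) const {
        for (const auto& oid : c.policyOids) {
            auto it = evTable.find(oid);
            if (it != evTable.end()) return it->second;
        }
        return "";
    }

    // EV path: trust only that CA's root; OCSP first, CRLDP as a fallback
    // while the fallback is still enabled.
    bool verifyEV(const Cert& c, const std::string& evRoot) {
        if (!c.chainValid || c.root != evRoot) return false;
        Revocation r = ocsp(c);
        if (r == Revocation::Unknown && crlFallbackForEV) {
            ++crlFetches;
            r = crldp(c);
        }
        return r == Revocation::Good;
    }

    // Normal path (model assumption): chain check plus OCSP, soft-failing
    // on Unknown. No CRL fetching here, matching the message.
    bool verifyNormal(const Cert& c) {
        if (!c.chainValid) return false;
        return ocsp(c) != Revocation::Revoked;
    }

    Outcome verify(const Cert& c) {
        std::string evRoot = evRootFor(c);
        if (!evRoot.empty() && verifyEV(c, evRoot)) return Outcome::GoodEV;
        return verifyNormal(c) ? Outcome::GoodNonEV : Outcome::Invalid;
    }
};

// Verifier over constructed data: one EV OID, OCSP answers from a table,
// a CRL that says everything is good (so any fetch would rescue a cert).
Verifier makeVerifier(std::map<std::string, Revocation> ocspAnswers, bool crlFallback) {
    Verifier v;
    v.evTable = {{"2.23.140.1.1", "EV Root A"}};  // CA/Browser Forum EV OID
    v.ocsp = [ocspAnswers](const Cert& c) {
        auto it = ocspAnswers.find(c.subject);
        return it == ocspAnswers.end() ? Revocation::Unknown : it->second;
    };
    v.crldp = [](const Cert&) { return Revocation::Good; };
    v.crlFallbackForEV = crlFallback;
    return v;
}

struct Run { Outcome outcome; int crlFetches; };

Run run(const Cert& c, std::map<std::string, Revocation> ocspAnswers, bool crlFallback) {
    Verifier v = makeVerifier(std::move(ocspAnswers), crlFallback);
    Outcome o = v.verify(c);
    return {o, v.crlFetches};
}

// Constructed certificates.
Cert evCert()      { return {"ev.example", {"2.23.140.1.1"}, "EV Root A", true}; }
Cert evWrongRoot() { return {"ev.example", {"2.23.140.1.1"}, "Other Root", true}; }
Cert dvCert()      { return {"dv.example", {}, "Other Root", true}; }

int main() {
    Run a = run(evCert(), {}, true);   // OCSP unknown, fallback on: CRL fetched
    Run b = run(evCert(), {}, false);  // fallback off: drops to the normal path
    Run c = run(dvCert(), {}, true);   // non-EV: the CRL fetcher is never reached
    std::cout << "fallback on:  EV=" << (a.outcome == Outcome::GoodEV) << " crlFetches=" << a.crlFetches << "\n"
              << "fallback off: EV=" << (b.outcome == Outcome::GoodEV) << " crlFetches=" << b.crlFetches << "\n"
              << "non-EV:       crlFetches=" << c.crlFetches << "\n";
    return 0;
}
```

Running the model shows the three cases the message spells out: with OCSP unavailable and the fallback still on, an EV certificate is rescued by one CRLDP fetch; with the fallback off, the same certificate silently becomes an ordinary non-EV result with no CRL traffic at all; and a certificate with no EV policy OID never touches the CRL fetcher under either setting.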
