On 20/02/2019 00:40, Wayne Thayer wrote:
I have replaced some outdated information on Mozilla's wiki about
revocation checking [1] [2] with a new page on the wiki describing how
Firefox currently performs revocation checking on TLS certificates:

https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox

It also includes a brief description of our plans for CRLite.

Please respond if you have any questions or comments about the information
on this page. I hope it is useful, and I plan to add more details in the
future.

- Wayne

[1] https://wiki.mozilla.org/index.php?title=CA:RevocationPlan&redirect=no
[2] https://wiki.mozilla.org/index.php?title=CA:ImprovingRevocation&redirect=no


Nice write-up.  Some minor issues:

1. Because generating the CRLite data will take some non-zero time,
  the time stamp used by the client to check if a certificate is too
  new for the CRLite data should be based on when the Mozilla server
  requested the underlying CT data rather than when the data was
  passed to the client.

2. While you mention the ability of attackers to omit OCSP stapling
  in spoofed responses, you forget the additional problem that there
  are still server software packages without upstream stapling support.

3. Don't forget Thunderbird (technically no longer a primary Mozilla
  product, but still a major use of Mozilla certificate infrastructure).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
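To make point 1 above concrete, here is a small model of the "is this certificate too new for the CRLite data?" check, written as an added example for this thread (it is not Firefox or Mozilla code). The field names, the serials and the timestamps are constructed for illustration; the only thing it demonstrates is that a certificate issued between the CT snapshot and the filter's delivery is wrongly treated as covered when the delivery time is used as the cutoff.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CrliteFilter:
    """Constructed model of a CRLite filter as received by a client (not the real format)."""
    ct_snapshot_time: datetime   # when the server requested the CT data the filter was built from
    delivered_time: datetime     # when the finished filter was handed to the client
    revoked_serials: frozenset   # serials known to be revoked as of ct_snapshot_time


def covered_by_filter(not_before: datetime, flt: CrliteFilter, use_snapshot_time: bool = True) -> bool:
    """True if the filter can speak for a certificate issued at not_before.

    A certificate issued after the CT data was gathered cannot be in the filter,
    whatever the filter says, so the client must fall back to another mechanism.
    """
    cutoff = flt.ct_snapshot_time if use_snapshot_time else flt.delivered_time
    return not_before <= cutoff


def check_revocation(serial: str, not_before: datetime, flt: CrliteFilter,
                     use_snapshot_time: bool = True) -> str:
    """Return 'good', 'revoked', or 'unknown' (too new: fall back to OCSP/stapling)."""
    if not covered_by_filter(not_before, flt, use_snapshot_time):
        return "unknown"
    return "revoked" if serial in flt.revoked_serials else "good"


def demo() -> dict:
    """Constructed scenario: filter built from a CT snapshot at T, delivered six hours later."""
    T = datetime(2019, 2, 20, 0, 0, tzinfo=timezone.utc)
    flt = CrliteFilter(ct_snapshot_time=T,
                       delivered_time=T + timedelta(hours=6),
                       revoked_serials=frozenset({"0xC0FFEE"}))   # constructed serial
    old_cert = T - timedelta(days=30)          # issued long before the snapshot: covered
    new_cert = T + timedelta(hours=2)          # issued after the snapshot, before delivery
    return {
        "old_revoked": check_revocation("0xC0FFEE", old_cert, flt),
        # Correct behaviour: the filter cannot know about this certificate.
        "new_with_snapshot_cutoff": check_revocation("0xBADCAFE", new_cert, flt, True),
        # Wrong behaviour: delivery-time cutoff makes the client trust a filter that never saw it.
        "new_with_delivery_cutoff": check_revocation("0xBADCAFE", new_cert, flt, False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```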
