Add a CRLite preference/mode to not evaluate OCSP
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | fixed |
People
(Reporter: jcj, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
During testing, we've wanted to evaluate the speed of OCSP versus CRLite, but when we start to experiment with user-feel, we need to be able to halt revocation checks before OCSP fires, since we've gotten an authoritative answer from CRLite.
This bug is to add a preference to stop the revocation check if CRLite gave an authoritative answer, and not do OCSP or the OCSP/CRLite telemetry.
We'd want to stop after this block:
We could do this as another stage in the CRLite enum, or we could make "Enforcing" do it, or we could add a new preference that is just "crlite is authoritative." I think all have pros/cons.
Assignee
Comment 1•4 years ago
When the CRLite mode is "enforce" and a certificate is found to be covered by
CRLite, this patch makes it so the implementation will not fall back to
processing OCSP (whether stapled, cached, or fetched). This also updates
test_crlite_filters.js to use a more recent, realistic filter and stash.
Comment 3•4 years ago
bugherder