Closed Bug 1753071 Opened 3 years ago Closed 3 years ago

Add a CRLite mode where revocations are double-checked with OCSP

Categories

(Core :: Security: PSM, enhancement, P3)

Tracking

()

RESOLVED FIXED
99 Branch
Tracking Status
firefox99 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

We should add a “confirm revocations” mode for CRLite.

In this mode we would enforce CRLite for non-revocation results but we would double-check revocation results with OCSP. This mode would give users most of the performance and privacy benefits of CRLite, but it would eliminate the risk of blocking access to a site if CRLite mislabeled a certificate (as in Bug 1683525).

We should continue to collect telemetry about when CRLite and OCSP differ in this mode.
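
The decision flow described in the comment above, sketched as an added example that is not part of this bug or of Firefox's code. All type and function names are hypothetical, the sample cases are constructed, and the behaviour when OCSP gives no answer is left as a caller-supplied parameter because the bug text does not specify it.

```cpp
#include <functional>

// All names here are hypothetical; they are not Firefox/PSM identifiers.
enum class CRLite { NotRevoked, Revoked };       // filter answer for a covered certificate
enum class OCSP { Good, Revoked, Unavailable };  // responder answer, or no usable answer
enum class Verdict { Accept, Reject };

struct Decision {
  Verdict verdict;
  bool ocspQueried;   // true if the responder was contacted (latency and privacy cost)
  bool disagreement;  // true if CRLite said revoked but OCSP said good (telemetry)
};

// "Confirm revocations": enforce CRLite's "not revoked", double-check "revoked".
// fetchOcsp is invoked only on the revoked path. onUnavailable is the caller's
// policy when no OCSP answer arrives (an assumption; the bug does not define it).
Decision ConfirmRevocations(CRLite crlite, const std::function<OCSP()>& fetchOcsp,
                            Verdict onUnavailable) {
  if (crlite == CRLite::NotRevoked) {
    return {Verdict::Accept, false, false};  // enforced without contacting OCSP
  }
  switch (fetchOcsp()) {
    case OCSP::Good: return {Verdict::Accept, true, true};      // CRLite mislabeled; do not block
    case OCSP::Revoked: return {Verdict::Reject, true, false};  // revocation confirmed
    case OCSP::Unavailable: break;
  }
  return {onUnavailable, true, false};
}

struct Tally { int accepted = 0, rejected = 0, ocspQueries = 0, disagreements = 0; };

// Constructed sample: five covered certificates, two of them flagged by CRLite.
Tally RunSample() {
  struct Case { CRLite crlite; OCSP ocsp; };
  const Case cases[] = {
      {CRLite::NotRevoked, OCSP::Good}, {CRLite::NotRevoked, OCSP::Unavailable},
      {CRLite::Revoked, OCSP::Revoked}, {CRLite::Revoked, OCSP::Good},
      {CRLite::NotRevoked, OCSP::Good}};
  Tally t;
  for (const Case& c : cases) {
    Decision d = ConfirmRevocations(c.crlite, [&c] { return c.ocsp; }, Verdict::Reject);
    (d.verdict == Verdict::Accept ? t.accepted : t.rejected)++;
    t.ocspQueries += d.ocspQueried;
    t.disagreements += d.disagreement;
  }
  return t;
}
```

In the constructed sample only the two CRLite "revoked" answers reach the responder, and the one OCSP contradicts is accepted and counted as a disagreement.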

Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c0c057c5148c Add a "confirm revocations" mode to CRLite. r=keeler
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch