Closed
Bug 1753071
Opened 3 years ago
Closed 3 years ago
Add a CRLite mode where revocations are double-checked with OCSP
Categories
(Core :: Security: PSM, enhancement, P3)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
99 Branch
Tracking | Status | |
---|---|---|
firefox99 | --- | fixed |
People
(Reporter: jschanck, Assigned: jschanck)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
Details |
We should add a “confirm revocations” mode for CRLite.
In this mode we would enforce CRLite for non-revocation results but we would double-check revocation results with OCSP. This mode would give users most of the performance and privacy benefits of CRLite, but it would eliminate the risk of blocking access to a site if CRLite mislabeled a certificate (as in Bug 1683525).
We should continue to collect telemetry about when CRLite and OCSP differ in this mode.
Assignee | ||
Comment 1•3 years ago
|
||
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c0c057c5148c
Add a "confirm revocations" mode to CRLite. r=keeler
Comment 3•3 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox99:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•