Bug 299150
Opened 20 years ago
Closed 20 years ago
OCSP and FireFox
Categories: Firefox :: Security, defect
Status: RESOLVED DUPLICATE of bug 110161
People: Reporter: dougt, Assigned: dougt
Description
Some certificates offer a URL to ping to check to see if the certificate has
been revoked. Currently, when we do a certificate validation, we ignore this
check. A user, however, can enable this check (but no one ever does because
they don't know what it means).
I propose we enable OCSP checking when there exists an OCSP URL in the certificate.
Comment 1•20 years ago
How about we fully implement OCSP first? HINT: it doesn't work with web proxies
or HTTP authentication because it uses its own basic HTTP stack. It should use
Necko instead. I think there is a bug on this somewhere.
Comment 3•20 years ago
A strategy that Nelson proposed before, which is different from
the proposal in bug 152426 comment 4 (app providing callbacks
to NSS for HTTP), is that PSM, not NSS, be responsible for
doing OCSP checks on certs. PSM would be responsible for talking
to the OCSP responder using HTTP and only use NSS to extract the
URL from the cert, construct OCSP requests and parse OCSP responses.
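The split proposed in the comment above hands the crypto library exactly one piece of certificate parsing: find the OCSP responder URL. In X.509 that URL lives in the Authority Information Access extension (RFC 5280 section 4.2.2.1) as an AccessDescription whose accessMethod is id-ad-ocsp (1.3.6.1.5.5.7.48.1) and whose accessLocation is a uniformResourceIdentifier GeneralName. The following is an added example, not code from this bug, from NSS or from PSM: a minimal DER walker that pulls that URI out of an AIA extension value, returning None when the certificate offers no OCSP responder (the case in which the reporter's proposal would leave OCSP off). The hostnames and the small DER encoder used to build the sample input are constructed for the example and are not taken from the page.

```python
"""Extract the id-ad-ocsp URI from an X.509 AuthorityInfoAccess extension.

Added example (not Mozilla/NSS/PSM code). Only the extension *value* is parsed;
locating the extension inside a full certificate is left to the caller.
"""
from typing import List, Optional, Tuple

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp, RFC 5280
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers, RFC 5280


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_aia(ext_value: bytes) -> List[Tuple[str, str]]:
    """Parse AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription.

    Returns (accessMethod OID, URI) pairs. GeneralName choices other than
    uniformResourceIdentifier ([6], implicit IA5String) are skipped.
    """
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    out: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        t_oid, oid, p = _read_tlv(desc, 0)
        t_loc, loc, _ = _read_tlv(desc, p)
        if t_oid != 0x06:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        if t_loc == 0x86:  # context-specific primitive tag [6]: URI
            out.append((_decode_oid(oid), loc.decode("ascii")))
    return out


def ocsp_url(ext_value: bytes) -> Optional[str]:
    """First http(s) id-ad-ocsp URI in the extension, or None if there is none."""
    for method, uri in parse_aia(ext_value):
        if method == OID_AD_OCSP and uri.lower().startswith(("http://", "https://")):
            return uri
    return None


# --- constructed sample input; this encoder only exists to build test data ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_aia(entries: List[Tuple[str, str]]) -> bytes:
    """Build an AIA extension value from (accessMethod OID, URI) pairs."""
    descs = b"".join(
        _tlv(0x30, _tlv(0x06, _encode_oid(m)) + _tlv(0x86, u.encode("ascii")))
        for m, u in entries
    )
    return _tlv(0x30, descs)


# Hostnames below are constructed for this example, not taken from any real CA.
SAMPLE_WITH_OCSP = make_aia([
    (OID_AD_CA_ISSUERS, "http://ca.example.test/issuer.cer"),
    (OID_AD_OCSP, "http://ocsp.example.test/"),
])
SAMPLE_WITHOUT_OCSP = make_aia([(OID_AD_CA_ISSUERS, "http://ca.example.test/issuer.cer")])

if __name__ == "__main__":
    print(ocsp_url(SAMPLE_WITH_OCSP))     # http://ocsp.example.test/
    print(ocsp_url(SAMPLE_WITHOUT_OCSP))  # None: no responder, no OCSP check possible
```

The caller (PSM in the proposed split) would take the returned URL and do the HTTP round trip through its own networking layer; the parser deliberately knows nothing about transport, which is the point of the division of labour described in the comment.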
Comment 4•20 years ago
There is a project underway to greatly enhance NSS's handling of cert
revocation. It is scheduled for NSS 3.12, which should be less than a
year away. In preparation for that Julien and I have discussed the
issue of http-based fetching of certs, CRLs, and OCSP responses, and
of LDAP-based cert fetching. The requests for these things are normally
generated as a side effect of (either of) two operations:
- cert chain validation (when receiving a cert from a peer)
- cert chain building (for sending out a user's cert chain).
So far, we have been working on this design without any participation
from anyone in mozilla.org because there is no apparent PSM owner with
whom to work on this. If Doug or Darin or any other mozilla.org guru
would like to work with us on this, defining the interfaces by which NSS
would effectively convey such requests to PSM/Necko, and let PSM/Necko
do the work (which I agree is potentially ideal), that would be MOST
welcome!
Comment 5•20 years ago
*** This bug has been marked as a duplicate of 110161 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE