Closed Bug 645819 Opened 14 years ago Closed 12 years ago

Automatically import CRLs for servers the user visits

Categories

(Core Graveyard :: Security: UI, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

Some certificates have a 'CRL Distribution Points' field

I'd like someone to write an extension (or just psm feature) which automatically imports CRLs listed in Certificates it encounters.

As an example, mail.google.com's certificate has:
CRL Distribution Points
URI: http://crl.thawte.com/ThawteSGCCA.crl

And bugzilla.mozilla.org's has:
CRL Distribution Points
URI: http://crl.geotrust.com/crls/secureca.crl

steps to reproduce:
1. enable feature / install extension
2. browse to bugzilla.mozilla.org / mail.google.com
3. open tools>options>advanced>revocation lists

expected results:
the CRL Distribution Points listed in the certificates for the servers visited should be listed.
Blocks: 645502
timeless: thanks for the suggestion. I believe this is a duplicate of NSS bug 489347.
Depends on: 646534
Summary: Write an extension which auto-imports CRLs when it finds them → Automatically import CRLs for servers the user visits
this is controlled by a boolean pref: "security.crl.autoimport"
Assignee: chofmann → timeless
Status: NEW → ASSIGNED
Attachment #523920 - Flags: review?(kaie)
wtc: that bug is old, "high priority", and yet unresolved. this bug now has a patch (i believe the dependent bug needs to be fixed so that we don't risk disasters along the way, but...).

i'm not going to play politics, this is probably the last patch i'm going to write for gecko.

i'd love to see this or something effectively equivalent to this landed, but i do not want to have it stuck in political minefields. minefield is explosive enough.
this drops a dead code block and moves the pref check inside the try block.
Attachment #523920 - Attachment is obsolete: true
Attachment #523920 - Flags: review?(kaie)
Attachment #524046 - Flags: review?(kaie)
Brian, any chance you can take a look at this patch, please?
This is duplicating functionality that is in libpkix. Kai and I are working on switching to libpkix so that we can get its CRL processing. We also still need to work out if/how CRLs are going to get cached, and how to avoid downloading megabytes of CRLs on a daily basis, especially on mobile.

This patch has privacy implications: every CA for every website will begin being polled on a daily basis, making this mechanism serve as a means of broadcasting the user's location to all these CAs. Plus, it uses information derived from browsing history, but it is missing the logic to delete the CRLs when the user clears his browsing history.

I am designing an alternative mechanism with similar effects, but which addresses the above concerns.
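
The 'CRL Distribution Points' field quoted in the report, and the per-CA polling raised in the comment above, can be made concrete with a short parser that lists which hosts an automatic import would contact. This is an added example, not code from the bug's patch or from NSS/PSM; the function names and the sample bytes are constructed for illustration, and it goes slightly beyond the report by skipping the reasons, cRLIssuer and nameRelativeToCRLIssuer alternatives that RFC 5280 also allows.

```python
from urllib.parse import urlsplit

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def crl_uris(ext_value):
    """URIs from the fullName of every DistributionPoint (RFC 5280, 4.2.1.13)."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected one SEQUENCE OF DistributionPoint")
    uris = []
    for dp_tag, dp in children(seq):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        # 0xA0 = distributionPoint [0]; reasons [1] and cRLIssuer [2] are skipped
        for field in (v for t, v in children(dp) if t == 0xA0):
            # 0xA0 = fullName [0]; nameRelativeToCRLIssuer [1] is skipped
            for names in (v for t, v in children(field) if t == 0xA0):
                uris += [v.decode("ascii") for t, v in children(names) if t == 0x86]
    return uris

def contacted_hosts(uris):
    """(scheme, host) pairs an automatic fetch of these URIs would contact."""
    return sorted({(urlsplit(u).scheme, urlsplit(u).hostname) for u in uris})

def tlv(tag, value):  # constructed-sample helper: short-form lengths only (< 128)
    return bytes([tag, len(value)]) + value

# Constructed sample: one DistributionPoint carrying the URI quoted in the report.
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
             tlv(0x86, b"http://crl.thawte.com/ThawteSGCCA.crl")))))
```

Running `contacted_hosts(crl_uris(SAMPLE))` shows the fetch would go over plain HTTP to the CA's host, which is the request a network observer or the CA itself would see.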
Comment on attachment 524046 [details] [diff] [review]
Automatically import CRLs for servers the user visits

approach not wanted
Attachment #524046 - Flags: review?(kaie) → review-
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard