Closed
Bug 725994
Opened 13 years ago
Closed 9 years ago
Separate preferences for STRICT INTERMEDIATE CA and STRICT END ENTITY revocation checking
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: KaiE, Unassigned)
As of today, we have preference security.OCSP.require (which is OFF by default).
In the long term, we should require strict revocation information for all certificates.
However, we might be able to require strict revocation checking for intermediate CA certificates more quickly - for example if we implement 725991, but until a sufficient number of servers support OCSP stapling.
I propose to introduce a new preference security.OCSP.require-CA
Luckily the libPKIX validation interface allows us to have separate strictness settings for intermediates and end entity certificates.
Comment 1•11 years ago
I am proposing that we WONTFIX this.
The "strict OCSP" preference we already have is confusing enough. Adding more complexity to that is making the problem worse.
Updated•11 years ago
No longer depends on: pkix-default
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX