Here's an imcomplete status update; further information from anyone would be welcome:
On 08/04/11 23:49, Sid Stamm wrote: > Bucket A: > - Move to libpkix for all cert validation (bug 479393) The code is now checked in; bug 651246 tracks flipping the necessary pref. Brian Smith is working on the dependencies of this bug. > - Complete active distrust in NSS (bug 470994) I thought Bob was working on this, including some preliminary cleanup of NSS flag names, but I haven't seen anything more recently. Bob? > - Implement callbacks to augment validation checking (bug 644640) It has been decided not to work further on this at the present time, because it is too hard to design an API which meets sufficient numbers of use cases. Those wanting to do trust experiments will need to ship their own custom builds for now. > - Implement subscription-based blocklisting of certs via update ping > (remove need to ship patch) Is there a bug for this? > Bucket B: > - Implement OCSP Stapling (bug 360420) Kai produced a WIP patch for this on 10th April. > - Implement date-based revocation (distrust certs after specific date) This is bug 643982 - no recent progress. > - CA locking functionality in HSTS or via CAA Debate continues as to the best mechanism to do this. > Bucket C: > - Disable cert overrides for *very old* expired certs (might not be in > any CRLs anymore) I don't know what the status is here. Gerv _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
