On 2/27/12 6:30 AM, Stephen Schultze wrote:
> Hey Sid, can you give an update on this action plan?

Here's what I know:

>> Bucket A:
>> - Move to libpkix for all cert validation (bug 479393)

Best place to follow this is now at bug 651246.  There are seven bugs
that need to get fixed first.  NSS and platform engineers are working on
these blockers (mostly Brian).

>> - Complete active distrust in NSS (bug 470994)

Cert blacklisting is now working (bug 727204), so most of the work is
done, but we probably still need to wire it into the UI.

>> - Implement callbacks to augment validation checking (bug 644640)

Last time you asked for updates, this had stalled due to different use
cases presented by various interested parties and intense complexity.
Peter Eckersley has taken on the task of organizing a proposed API, then
we'll pick it back up and make progress on a patch.

>> - Implement subscription-based blocklisting of certs via update ping
>> (remove need to ship patch)

We have the arbitrary cert blacklisting built into Firefox, but I'm not
sure about the status of the cert-blocklist server.

>> Bucket B:
>> - Implement OCSP Stapling (bug 360420)

Kai has made progress on this, and it's high priority for multiple
teams, so it should get implemented relatively soon.  (Brian, correct me
if I'm wrong here.)

>> - Implement date-based revocation (distrust certs after specific date)

Bug 643982: there doesn't appear to be any progress on this.  It's
likely waiting on the active distrust to wrap up.

>> - CA locking functionality in HSTS or via CAA

The security engineering team has taken interest in this and is planning
to implement CA pinning in some form during 2012.

https://wiki.mozilla.org/Security/Features/CA_pinning_functionality

There's a proposal at the IETF to do something similar to HTTPS Strict
Transport Security (but not make the two features interdependent):

https://tools.ietf.org/html/draft-evans-palmer-key-pinning

>> Bucket C:
>> - Disable cert overrides for *very old* expired certs (might not be in
>> any CRLs anymore)

Don't know what the status is here.

-Sid

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security