It is possible (but not supported) to have FF download the CRLs specified by the certificate.

There are (of course) many caveats:

1. This is enabled by changing several hidden prefs (which means we might change them at any time without notifying our users).
2. Downloading is not the same as requiring fresh revocation information for all connections.
3. If you require fresh revocation info you will have issues with certificates without revocation information (such as self-signed and business CAs), since they will be treated as revoked and no override will be possible.
4. You will find some bugs in the certificate UI.
5. The code is not as tested as the rest of FF and this is potentially more buggy.
6. There will be a non-trivial performance hit (especially network-based), as some CRLs are >500k and these entries are not cached across sessions (no persistent cache). This might not be an issue if you have good network connections (no mobile).

Without further ado, here are the invocations to be added to your about:config (not recommended for defaults for the reasons listed above):

bool pref: security.use_libpkix_verification: true       // enables alt verification lib
bool pref: security.CRL_download.enabled: true           // enables CRL download in libpkix only!
bool pref: security.fresh_revocation_info.require: true  // revocation info mandatory in libpkix only

Hope this helps,
Camilo

----- Original Message -----
From: "Daniel Veditz" <[email protected]>
To: [email protected]
Sent: Thursday, April 11, 2013 3:31:03 PM
Subject: Re: Firefox behavior with CDPs and AIAs

On 4/11/2013 1:26 PM, Rick Andrews wrote:
> Sid Stamm suggested dev.security...
>
>> -----Original Message-----
>> From: Ian Melven [mailto:[email protected]]
>>
>> you might also try asking this on mozilla.dev.tech.crypto :)

Sid was wrong :-) The guys who know the technical guts of our crypto implementation are over in m.d.tech.crypto

AFAIK we do not download CRLs based on certs, but will update CRLs the user has manually specified.

We've talked about improving CRL handling as part of a comprehensive reform of revocation checking but have yet to solve the performance and space requirements of CRLs. We do support OCSP and are in the process of adding support for OCSP stapling to improve performance, security, and privacy. Lack of an OCSP response is not fatal however, because in general OCSP has not been reliable enough for that. However, cautious users can change the mozilla pref security.OCSP.require to true if they wish the lack of an OCSP response to be fatal.

For anything more detailed (timelines, bug numbers) you'll need to go bug the .tech.crypto folks.

-Dan Veditz

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
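The thread turns on what a client would have to read out of a certificate before it could fetch revocation data: the CRL Distribution Points (CDP) extension names the CRL URL, and the Authority Information Access (AIA) extension names the OCSP responder that a check such as security.OCSP.require depends on. The following Python is an added example, not part of this mailing-list thread and not Firefox or NSS code. It decodes those two extension values directly from DER (RFC 5280 sections 4.2.1.13 and 4.2.2.1) and returns the URLs. The sample extension bytes are constructed inside the block with a small DER encoder, and the hostnames are placeholders; only uniformResourceIdentifier general names are extracted, other name forms (directory names, relative-to-issuer names) are skipped.

```python
"""Extract CRL Distribution Point and AIA (OCSP / caIssuers) URLs from
DER-encoded X.509 extension values. Added example; sample data constructed."""

OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2


def _tlv(data, pos=0):
    """Read one DER TLV at pos (short and long length forms); return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(data):
    """Split a constructed value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(data):
        tag, val, pos = _tlv(data, pos)
        out.append((tag, val))
    return out


def _uris(general_names):
    """uniformResourceIdentifier is GeneralName choice [6], primitive: tag 0x86."""
    return [v.decode("ascii") for t, v in _children(general_names) if t == 0x86]


def crl_distribution_points(ext_value):
    """URIs in a CRLDistributionPoints extension value (SEQUENCE OF DistributionPoint)."""
    uris = []
    _, seq, _ = _tlv(ext_value)
    for tag, dp in _children(seq):
        if tag != 0x30:
            continue
        for t, v in _children(dp):
            if t == 0xA0:                    # distributionPoint [0] DistributionPointName
                for t2, v2 in _children(v):
                    if t2 == 0xA0:           # fullName [0] GeneralNames
                        uris.extend(_uris(v2))
    return uris


def authority_info_access(ext_value):
    """{'ocsp': [...], 'caIssuers': [...]} from an AIA value (SEQUENCE OF AccessDescription)."""
    out = {"ocsp": [], "caIssuers": []}
    _, seq, _ = _tlv(ext_value)
    for tag, ad in _children(seq):
        kids = _children(ad)
        if tag != 0x30 or len(kids) < 2:
            continue
        (otag, oid), (ltag, loc) = kids[:2]
        if otag != 0x06 or ltag != 0x86:     # accessMethod OID + URI accessLocation only
            continue
        url = loc.decode("ascii")
        if oid == OID_OCSP:
            out["ocsp"].append(url)
        elif oid == OID_CA_ISSUERS:
            out["caIssuers"].append(url)
    return out


# --- constructed sample data (placeholder hostnames, not from any real certificate) ---

def _der(tag, body):
    """Minimal DER TLV encoder used only to build the sample extensions."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _uri(url):
    return _der(0x86, url.encode("ascii"))


SAMPLE_CDP = _der(0x30, _der(0x30, _der(0xA0, _der(0xA0, _uri("http://crl.example.test/ca.crl")))))
SAMPLE_AIA = _der(0x30,
                  _der(0x30, _der(0x06, OID_OCSP) + _uri("http://ocsp.example.test"))
                  + _der(0x30, _der(0x06, OID_CA_ISSUERS) + _uri("http://aia.example.test/ca.cer")))

if __name__ == "__main__":
    print("CDP :", crl_distribution_points(SAMPLE_CDP))
    print("AIA :", authority_info_access(SAMPLE_AIA))
```

A certificate with an empty result from crl_distribution_points is exactly the case caveat 3 above describes: with fresh revocation info required there is nothing to fetch, so the connection would fail closed. In practice the extension values would come from a parsed certificate (for example the extnValue octets of an X.509 extension); this block stops at the extension level so it runs offline.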
