On 4/11/2013 5:12 PM, Camilo Viecco wrote:
> It is possible (but not supported) to have FF download the CRLs specified
> by the certificate.
> There are (of course) many caveats:
Which is why we don't support it.
> 6. There will be a non-trivial performance hit (especially network-based) as
> some CRLs are >500k and these entries are not cached across sessions (no
> persistent cache). This might not be an issue if you have good network
> connections (no mobile).
yes, the biggie: even though CRLs are valid for quite a while we don't
cache them across restarts. Maybe not so bad if you never shut down your
browser
> bool pref: security.use_libpkix_verification: true // enables alt
> verification lib
Yes, note that CRL download support is only available as part of the
not-yet-supported libpkix verification path. It's quite a bit bigger
than just CRL downloads, this uses a completely different library to
verify certificates. Libpkix is not entirely untested: Firefox uses it
for EV certs, and Chrome uses it for everything. But last time I looked
into it (months ago) there were bugs that were deemed bad enough that we
weren't ready to turn it on in Firefox.
> bool pref: security.fresh_revocation_info.require: true // revocation info
> mandatory in libpkix only
How does this interact with the security.ocsp.require pref? Do they
conflict? Play well together? Or simply unrelated, one applying to the
old path and one to libpkix?
-Dan Veditz
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security