Brian,

If this is just about changing the UI in Firefox, I have no objection.

If this is about removing the feature from NSS altogether on the other hand, I would like to state that we have several products at Oracle that use NSS and rely on the ability to have CRLs stored in the database, and processed during certificate validation. These applications act as both SSL servers and clients, and we expect the CRLs to be supported in both.

While some Oracle products are moving away from NSS, old versions continue to be supported and we are picking up new NSS releases to get certain security fixes. We couldn't do that anymore if the CRL feature went away. In the past, before Oracle, Sun went to great pains to work on the common public NSS tree for these products. We certainly don't want to fork NSS again at this stage.

Julien

On 4/30/2013 14:28, Brian Smith wrote:
Hi all,

I propose we remove the "Revocation Lists" feature (Options -> Advanced -> 
Revocation Lists). Are there any objections? If so, please explain your objection.

A certificate revocation list (CRL) is a list of revoked certificates, 
published by the certificate authority that issued the certificates. These 
lists vary from 1KB to potentially hundreds of megabytes in size.

Very large CRLs are not super common but they exist: Reportedly, GoDaddy (a CA 
in our root CA program) has a 41MB CRL. And, Verisign has at least one CRL that 
is close to 1MB on its own, and that's not the only CRL that they have. The US 
Department of Defense is another example of an organization known to have 
extremely large CRLs.

The "Revocation Lists" feature allows a user to configure Firefox to poll the CA's server on a regular interval. As far 
as I know, Firefox is the only browser to have such a feature. Other browsers either ignore CRLs completely or download CRLs on an 
"as needed" basis based on a URL embedded in the certificate. For example, in its default configuration, Google Chrome 
ignores CRLs, AFAICT (they use some indirect mechanism for handling revocation, which will be discussed in another thread). 
AFAICT, the "Revocation Lists" feature was added to Firefox a long time ago when there were IPR concerns about the 
"as needed" behavior. However, my understanding is that those concerns are no longer justified. In another thread, we 
will be discussing whether or not we should implement the "as needed" mechanism. However, I think that we can 
make this decision independently of that decision.

Obviously, the vast majority of users have no hope of figuring out what this 
feature is, what it does, or how to use it.

Because of the potential bandwidth usage issues, and UX issues, it doesn't seem 
like a good idea to add this feature to Mobile. But, also, if a certificate 
feature isn't important enough for mobile*, then why is it important for 
desktop? We should be striving for platform parity here.

Finally, this feature complicates significant improvements to the core 
certificate validation logic that we are making.

For all these reasons, I think it is time for this feature to go.

Cheers,
Brian

[*] Note: I make a distinction between things that haven't been done *yet* for 
mobile vs. things that we really have no intention to do.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
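The thread describes a CRL as a CA-published list of revoked certificates that a client consults during validation, and notes that such lists can run to tens of megabytes. The following is an added example, not code from the thread, NSS or Firefox: it builds a small, unsigned TBSCertList (the signed-over body of an X.509 CRL, RFC 5280 section 5.1) in DER with a constructed issuer name and two constructed revoked entries, then walks the DER back to answer "is this serial on the list?". The issuer name "Example CA", the dates and the serial numbers are all constructed; the signature check a real client performs before trusting the list is deliberately outside the example.

```python
# Added example (not from the thread): minimal DER encode/decode of an X.509
# TBSCertList so a certificate serial can be checked against the CRL's
# revokedCertificates list without external libraries. All data is constructed.
# Only single-byte tags are handled, which covers every field used here.


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a single-byte tag plus DER length."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """DER INTEGER, two's complement, minimal length (serials are positive)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def utc_time(s: str) -> bytes:
    """DER UTCTime, e.g. '130430142800Z' (YYMMDDhhmmssZ)."""
    return tlv(0x17, s.encode("ascii"))


SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
COMMON_NAME = bytes.fromhex("550403")                    # OID 2.5.4.3


def revoked_entry(serial: int, date: str) -> bytes:
    """One revokedCertificates entry: SEQUENCE { serial INTEGER, revocationDate UTCTime }."""
    return tlv(0x30, der_int(serial) + utc_time(date))


def build_tbs_cert_list(issuer_cn: str, this_update: str, next_update: str,
                        revoked: list) -> bytes:
    """Constructed TBSCertList with the given (serial, date) revoked entries."""
    sig_alg = tlv(0x30, tlv(0x06, SHA256_WITH_RSA))
    # issuer Name: SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString } } }
    cn_attr = tlv(0x30, tlv(0x06, COMMON_NAME) + tlv(0x13, issuer_cn.encode("ascii")))
    issuer = tlv(0x30, tlv(0x31, cn_attr))
    entries = b"".join(revoked_entry(serial, date) for serial, date in revoked)
    body = (der_int(1)                       # version v2
            + sig_alg + issuer
            + utc_time(this_update) + utc_time(next_update)
            + tlv(0x30, entries))            # revokedCertificates
    return tlv(0x30, body)


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> list:
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def revoked_serials(tbs_der: bytes) -> dict:
    """Map serial -> revocationDate string from a DER TBSCertList."""
    tag, tbs, _ = read_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    fields = children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0     # optional version
    i += 3                                   # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                               # optional nextUpdate
    result = {}
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates present
        for _, entry in children(fields[i][1]):
            (_, serial), (_, date) = children(entry)[:2]
            result[int.from_bytes(serial, "big", signed=True)] = date.decode("ascii")
    return result


def is_revoked(serial: int, tbs_der: bytes) -> bool:
    """True when the serial appears in the CRL's revokedCertificates list."""
    return serial in revoked_serials(tbs_der)


if __name__ == "__main__":
    crl = build_tbs_cert_list("Example CA", "130430142800Z", "130507142800Z",
                              [(0x1001, "130415120000Z"), (0x1002, "130420083000Z")])
    print(len(crl), "bytes;", revoked_serials(crl))
    print("0x1001 revoked:", is_revoked(0x1001, crl))
    print("0x2000 revoked:", is_revoked(0x2000, crl))
```

Each entry built here costs 21 bytes (four for the serial INTEGER, 15 for the UTCTime, two for the SEQUENCE framing), and real entries often carry a reason-code extension on top of that, which is what makes a CRL of tens of megabytes imply on the order of a million revoked certificates. That per-entry cost is also why a client that fetches the whole list, whether on a timer or on demand from the URL in the certificate, pays for every revocation the CA has ever published rather than just the one certificate it is validating.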
