Closed Bug 299150 Opened 19 years ago Closed 19 years ago

OCSP and Firefox

Categories

(Firefox :: Security, defect)

Hardware: x86 / Windows XP; Type: defect; Priority: Not set; Severity: normal

Tracking

RESOLVED DUPLICATE of bug 110161

People

(Reporter: dougt, Assigned: dougt)

Details

Some certificates offer a URL to ping to check to see if the certificate has
been revoked.  Currently, when we do a certificate validation, we ignore this
check.  A user, however, can enable this check (but no one ever does because
they don't know what it means).

I propose we enable OCSP checking when there exists an OCSP URL in the certificate.
How about we fully implement OCSP first?  HINT: it doesn't work with web proxies
or HTTP authentication because it uses its own basic HTTP stack.  It should use
Necko instead.  I think there is a bug on this somewhere.
A strategy that Nelson proposed before, which is different from
the proposal in bug 152426 comment 4 (app providing callbacks
to NSS for HTTP), is that PSM, not NSS, be responsible for
doing OCSP checks on certs.  PSM would be responsible for talking
to the OCSP responder using HTTP and only use NSS to extract the
URL from the cert, construct OCSP requests and parse OCSP responses.
There is a project underway to greatly enhance NSS's handling of cert
revocation.  It is scheduled for NSS 3.12, which should be less than a 
year away.  In preparation for that Julien and I have discussed the 
issue of http-based fetching of certs, CRLs, and OCSP responses, and
of LDAP-based cert fetching.  The requests for these things are normally
generated as a side effect of (either of) two operations:
- cert chain validation (when receiving a cert from a peer)
- cert chain building (for sending out a user's cert chain).

So far, we have been working on this design without any participation 
from anyone in mozilla.org because there is no apparent PSM owner with 
whom to work on this.  If Doug or Darin or any other mozilla.org guru
would like to work with us on this, defining the interfaces by which NSS
would effectively convey such requests to PSM/Necko, and let PSM/Necko 
do the work (which I agree is potentially ideal) that would be MOST
welcome!  

*** This bug has been marked as a duplicate of 110161 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE