Closed Bug 1404934 Opened 2 years ago Closed 9 months ago

[meta] Wire up Intermediate Preloading

Categories

(Core :: Security: PSM, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox57 --- wontfix
firefox67 --- fixed

People

(Reporter: mgoodwin, Assigned: jcj)

References

(Depends on 1 open bug, Blocks 4 open bugs, )

Details

(Keywords: meta, Whiteboard: [psm-assigned])

Attachments

(1 file)

Firefox trusts TLS certificates which descend through a graph from a Root CA in our Root Program.  Root CAs sign Intermediate CAs which issue certificates. Intermediate CAs also sign other Intermediate CAs, providing multiple paths of trust for compatibility reasons.

This topology sometimes produces unexpected results.

The Root Program policy now requires all Intermediate CAs be disclosed to Mozilla before they may be used; the purpose of this policy was to eventually permit us to technically limit our trust store to only trust certificates descended from a whitelist of Intermediate CAs. This protects our users from intentional or unintentional use of cross-signatures to permit unexpected organizations from acting Mozilla-trusted certificate issuers.

This bug tracks the implementation of a whitelist based on disclosed intermediates in Firefox.
Depends on: 1404939
Depends on: 1404940
Priority: -- → P1
Whiteboard: [psm-assigned]
Severity: normal → enhancement
Keywords: meta
OS: Unspecified → All
Hardware: Unspecified → All
Summary: Implement whitelisting of Intermediate Certificates → Implement preloading Intermediate Certificates
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3

This task is to enable RemoteSecuritysettings.jsm in-memory, subject to preferences.

Assignee: mgoodwin → jjones
Blocks: 1519256, 1520278
Depends on: 657228
Summary: Implement preloading Intermediate Certificates → Wire up Intermediate Preloading
Blocks: 1404939, 1404940
No longer depends on: 1404939, 1404940
Blocks: 1526018

This patch:

  • Classifies RemoteSecuritySettings as production.

  • Add detailed logging controlled by the browser.policies.loglevel pref.

  • Generally make RemoteSecuritySettings match other services better.

  • Move to hex-encoded hashes to match Kinto.

  • Adds RemoteSecuritySettings to blocklist-clients. This may not be the
    permanent home.

  • Adds a preference for how many certs to download at once.

  • Adds an Observer interface.

    (This makes the tests more predictable, but it also avoids having a
    duplicate call when the full "sync" is called.)

Summary: Wire up Intermediate Preloading → [meta] Wire up Intermediate Preloading
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/839decca3577
Wire-up Intermediate Preloading r=keeler
Flags: behind-pref+
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Depends on: 1530545
Depends on: 1520297
No longer blocks: 1520278
Depends on: 1520278
See Also: → 1334485
You need to log in before you can comment on or make changes to this bug.