[meta] Wire up Intermediate Preloading
Categories
(Core :: Security: PSM, enhancement, P3)
Tracking
()
People
(Reporter: mgoodwin, Assigned: jcj)
References
(Blocks 2 open bugs, )
Details
(Keywords: meta, Whiteboard: [psm-assigned])
Attachments
(1 file)
Firefox trusts TLS certificates which descend through a graph from a Root CA in our Root Program. Root CAs sign Intermediate CAs which issue certificates. Intermediate CAs also sign other Intermediate CAs, providing multiple paths of trust for compatibility reasons. This topology sometimes produces unexpected results. The Root Program policy now requires all Intermediate CAs be disclosed to Mozilla before they may be used; the purpose of this policy was to eventually permit us to technically limit our trust store to only trust certificates descended from a whitelist of Intermediate CAs. This protects our users from intentional or unintentional use of cross-signatures to permit unexpected organizations from acting Mozilla-trusted certificate issuers. This bug tracks the implementation of a whitelist based on disclosed intermediates in Firefox.
Assignee | ||
Updated•7 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
This task is to enable RemoteSecuritysettings.jsm in-memory, subject to preferences.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 3•5 years ago
|
||
This patch:
-
Classifies RemoteSecuritySettings as production.
-
Add detailed logging controlled by the browser.policies.loglevel pref.
-
Generally make RemoteSecuritySettings match other services better.
-
Move to hex-encoded hashes to match Kinto.
-
Adds RemoteSecuritySettings to blocklist-clients. This may not be the
permanent home. -
Adds a preference for how many certs to download at once.
-
Adds an Observer interface.
(This makes the tests more predictable, but it also avoids having a
duplicate call when the full "sync" is called.)
Updated•5 years ago
|
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/839decca3577 Wire-up Intermediate Preloading r=keeler
Assignee | ||
Updated•5 years ago
|
Comment 5•5 years ago
|
||
bugherder |
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 7•4 years ago
|
||
Maybe so. :)
Release Note Request (optional, but appreciated)
[Why is this notable]
In Beta 72 we're pre-populating all disclosed Intermediate CA certificates for all Firefox users. We haven't set this to ride the whole train yet because the previous attempt uncovered issues with the underlying RKV data-store when it hit Beta, and we're being conservative. We will probably roll to release in 73.
[Affects Firefox for Android]:
Not yet enabled for Android
[Suggested wording]:
Firefox 72 will, in the background, locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers.
[Links (documentation, blog post, etc)]:
Not yet. We will when we are prepared to enable for riding the trains, probably shortly after Beta goes to 72.
Comment 8•4 years ago
|
||
Regarding comment 7, this got pushed back to at least 74 per the latest Trello update.
Comment 9•4 years ago
|
||
Adding to the draft 75beta release notes.
Updated•4 years ago
|
Description
•