Closed Bug 1404934 Opened 3 years ago Closed 2 years ago

[meta] Wire up Intermediate Preloading


(Core :: Security: PSM, enhancement, P3)




Tracking Status
relnote-firefox --- 75+
firefox57 --- wontfix
firefox67 --- fixed


(Reporter: mgoodwin, Assigned: jcj)


(Depends on 1 open bug, Blocks 4 open bugs, )


(Keywords: meta, Whiteboard: [psm-assigned])


(1 file)

Firefox trusts TLS certificates which descend through a graph from a Root CA in our Root Program.  Root CAs sign Intermediate CAs which issue certificates. Intermediate CAs also sign other Intermediate CAs, providing multiple paths of trust for compatibility reasons.

This topology sometimes produces unexpected results.

The Root Program policy now requires all Intermediate CAs be disclosed to Mozilla before they may be used; the purpose of this policy was to eventually permit us to technically limit our trust store to only trust certificates descended from a whitelist of Intermediate CAs. This protects our users from intentional or unintentional use of cross-signatures to permit unexpected organizations from acting Mozilla-trusted certificate issuers.

This bug tracks the implementation of a whitelist based on disclosed intermediates in Firefox.
Depends on: 1404939
Depends on: 1404940
Priority: -- → P1
Whiteboard: [psm-assigned]
Severity: normal → enhancement
Keywords: meta
OS: Unspecified → All
Hardware: Unspecified → All
Summary: Implement whitelisting of Intermediate Certificates → Implement preloading Intermediate Certificates
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3

This task is to enable RemoteSecuritysettings.jsm in-memory, subject to preferences.

Assignee: mgoodwin → jjones
Blocks: 1519256, 1520278
Depends on: 657228
Summary: Implement preloading Intermediate Certificates → Wire up Intermediate Preloading

This patch:

  • Classifies RemoteSecuritySettings as production.

  • Add detailed logging controlled by the browser.policies.loglevel pref.

  • Generally make RemoteSecuritySettings match other services better.

  • Move to hex-encoded hashes to match Kinto.

  • Adds RemoteSecuritySettings to blocklist-clients. This may not be the
    permanent home.

  • Adds a preference for how many certs to download at once.

  • Adds an Observer interface.

    (This makes the tests more predictable, but it also avoids having a
    duplicate call when the full "sync" is called.)

Summary: Wire up Intermediate Preloading → [meta] Wire up Intermediate Preloading
Pushed by
Wire-up Intermediate Preloading r=keeler
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
No longer blocks: 1520278
Depends on: 1520278
See Also: → 1334485

Is this worth a mention in the 72 release notes?

Flags: needinfo?(jjones)

Maybe so. :)

Release Note Request (optional, but appreciated)
[Why is this notable]
In Beta 72 we're pre-populating all disclosed Intermediate CA certificates for all Firefox users. We haven't set this to ride the whole train yet because the previous attempt uncovered issues with the underlying RKV data-store when it hit Beta, and we're being conservative. We will probably roll to release in 73.

[Affects Firefox for Android]:
Not yet enabled for Android

[Suggested wording]:
Firefox 72 will, in the background, locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers.

[Links (documentation, blog post, etc)]:
Not yet. We will when we are prepared to enable for riding the trains, probably shortly after Beta goes to 72.

relnote-firefox: --- → ?
Flags: needinfo?(jjones)

Regarding comment 7, this got pushed back to at least 74 per the latest Trello update.

Adding to the draft 75beta release notes.

You need to log in before you can comment on or make changes to this bug.