Closed
Bug 1490737
Opened 6 years ago
Closed 6 years ago
Add a pref to disable CRLite for enterprise use cases
Categories
(Core :: Security: PSM, enhancement)
Tracking
()
RESOLVED
WONTFIX
| | Tracking | Status |
|---|---|---|
| firefox64 | --- | affected |
People
(Reporter: jcj, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [crlite] [psm-backlog])
Perhaps this can just be triggering on the enterprise roots pref, but we should have an option to not apply the filters to certs issued by enrolled CAs for internal enterprise sites if they aren't in CT.
Reporter
Updated•6 years ago
Summary: Add a pref to disable CRLite for enterprise roots → Add a pref to disable CRLite for enterprise use cases
Comment 1•6 years ago
Don't we get this for free because we know exactly which issuers are covered by CRLite?
Flags: needinfo?(jjones)
Comment 2•6 years ago
My thinking about how to implement this has shifted to this: Only use CRLite when at least one "valid" SCT is delivered with the cert. I'm planning to propose a policy that will require CT logging and SCTs delivered with the cert to Firefox. I do think we'll need an enterprise policy that disables the SCT requirement, but I don't think, in this scenario, that we need an enterprise pref to disable CRLite - either we get an SCT and use CRLite, or we don't.
Reporter
Comment 3•6 years ago
I like Wayne's solution in comment 2. Ship it!
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jjones)
Resolution: --- → WONTFIX