Open Bug 1546675 Opened 6 years ago Updated 2 years ago

Ship security settings JSON dumps on mobile?

Categories

(Core :: Security: PSM, enhancement, P3)

66 Branch
enhancement

People

(Reporter: leplatrem, Unassigned)

Details

(Whiteboard: [psm-backlog])

In Bug 1512451 some comments were made about the size of the JSON dump for our mobile installer.

Basically we only ship OneCRL https://searchfox.org/mozilla-central/rev/ec489aa170b6486891cf3625717d6fa12bcd11c1/mobile/android/installer/package-manifest.in#98

Having this dump just reduces the amount of data to be downloaded during the first synchronization, and we're not obliged to ship it.

Shall we remove it?

Well, it's a security trade-off. If we ship it with the installer, users are a bit safer because they have revocation information they wouldn't otherwise have (particularly since we don't fetch OCSP for non-EV certificates on mobile).

Priority: -- → P3
Whiteboard: [psm-backlog]
Severity: normal → S3