Closed Bug 1773371 Opened 2 years ago Closed 2 years ago

Enforce CRLite revoked status when OCSP confirmation fails

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
103 Branch
Tracking Status
firefox103 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

Details

Attachments

(1 file)

CRLite is currently deployed in "check revocations" mode on nightly and early beta (Bug 1753071). This mode overrides CRLite "revoked" responses when OCSP returns "not revoked". For the initial deployment we have retained the fail-open behavior of OCSP, meaning that CRLite "revoked" responses are discarded when the OCSP responder is offline, etc. Now that we have more confidence in CRLite, we should fail closed.
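The difference between the two behaviors in the description above, as an added example that is not Firefox/PSM source code and not part of the original report. It models only a certificate that CRLite has already flagged as revoked; the type and function names are hypothetical, and the two failure kinds are assumed instances of "the OCSP responder is offline, etc.".

```cpp
// Added illustration: a simplified model of the policy described in this bug.
// It is not Firefox/PSM source code; all names here are hypothetical.
#include <cstdio>
#include <vector>

// Result of the OCSP confirmation attempted after CRLite reported "revoked".
// The two failure kinds are assumed examples of "responder is offline, etc.".
enum class Ocsp { NotRevoked, Revoked, ResponderOffline, Timeout };
enum class Policy { FailOpen, FailClosed };
enum class Verdict { Accept, Reject };

// True when OCSP produced no usable answer to confirm or override CRLite.
bool confirmation_failed(Ocsp o) {
  return o == Ocsp::ResponderOffline || o == Ocsp::Timeout;
}

// Verdict for a certificate that CRLite has already flagged as revoked.
Verdict decide_crlite_revoked(Policy p, Ocsp o) {
  if (!confirmation_failed(o)) {
    // A definite OCSP answer wins: "not revoked" overrides CRLite.
    return o == Ocsp::Revoked ? Verdict::Reject : Verdict::Accept;
  }
  // No usable OCSP answer: the policy decides whether CRLite's result stands.
  return p == Policy::FailClosed ? Verdict::Reject : Verdict::Accept;
}

// OCSP outcomes for which the two policies give different verdicts.
std::vector<Ocsp> policy_differences() {
  std::vector<Ocsp> diff;
  for (Ocsp o : {Ocsp::NotRevoked, Ocsp::Revoked,
                 Ocsp::ResponderOffline, Ocsp::Timeout}) {
    if (decide_crlite_revoked(Policy::FailOpen, o) !=
        decide_crlite_revoked(Policy::FailClosed, o)) {
      diff.push_back(o);
    }
  }
  return diff;
}

int main() {
  const char* names[] = {"not revoked", "revoked", "responder offline", "timeout"};
  for (Ocsp o : {Ocsp::NotRevoked, Ocsp::Revoked,
                 Ocsp::ResponderOffline, Ocsp::Timeout}) {
    bool open_ok = decide_crlite_revoked(Policy::FailOpen, o) == Verdict::Accept;
    bool closed_ok = decide_crlite_revoked(Policy::FailClosed, o) == Verdict::Accept;
    std::printf("OCSP %-18s fail-open=%s fail-closed=%s\n", names[static_cast<int>(o)],
                open_ok ? "accept" : "reject", closed_ok ? "accept" : "reject");
  }
  return 0;
}
```

Only the rows where confirmation fails change between the two policies; a definite OCSP "not revoked" still overrides CRLite in both.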

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9d9edda47a3a
Enforce CRLite revoked status when OCSP confirmation fails. r=keeler
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch