Closed Bug 1794479 Opened 2 years ago Closed 2 years ago

Measure the age of OCSP responses that are used to override CRLite

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
107 Branch
Tracking Status
firefox107 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Attachments

(2 files)

We currently have CRLite configured in "Confirm Revocations" mode, which double-checks "revoked" results against OCSP. From the CRLITE_VS_OCSP_RESULT telemetry we know that OCSP occasionally overrides CRLite. We suspect that this is due to cache effects and only happens when the OCSP "OK" result is old.

This new telemetry will measure the age of OCSP responses when OCSP is used to override CRLite.

Defines the OCSP_AGE_AT_CRLITE_OVERRIDE histogram which records the age of an
OCSP response, in hours, when CRLite says a certificate is revoked and OCSP
says it's OK.
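
The measurement described above, sketched as an added example; it is not the code from the patch. It assumes that age is counted from the response's thisUpdate time and that the histogram has hourly buckets with an overflow bucket at 168 hours; every type and function name is hypothetical.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of the measurement; all names here are hypothetical.
enum class CRLite { NotRevoked, Revoked };
enum class OCSP { Good, Revoked, Unknown };

struct OCSPResponse {
  OCSP status;
  int64_t thisUpdate;  // Unix seconds; assumed reference point for "age"
};

// One bucket per hour; the last bucket collects everything older (assumed layout).
struct AgeHistogram {
  static constexpr std::size_t kBuckets = 169;  // 0..167 h plus overflow
  std::array<uint32_t, kBuckets> counts{};
  void Accumulate(int64_t hours) {
    std::size_t i = hours < 0 ? 0 : static_cast<std::size_t>(hours);
    ++counts[i < kBuckets ? i : kBuckets - 1];
  }
  // Number of recorded overrides whose OCSP response was at least `hours` old.
  uint32_t CountAtLeast(std::size_t hours) const {
    uint32_t n = 0;
    for (std::size_t i = hours; i < kBuckets; ++i) n += counts[i];
    return n;
  }
};

// Records a sample only in the override case: CRLite says revoked and OCSP
// says Good. Returns the recorded age in whole hours, or -1 if nothing was recorded.
int64_t RecordOverrideAge(CRLite crlite, const OCSPResponse& ocsp,
                          int64_t now, AgeHistogram& hist) {
  if (crlite != CRLite::Revoked || ocsp.status != OCSP::Good) return -1;
  int64_t hours = (now - ocsp.thisUpdate) / 3600;
  if (hours < 0) hours = 0;  // thisUpdate is ahead of the local clock
  hist.Accumulate(hours);
  return hours;
}

int main() {
  const int64_t now = 1665000000;  // constructed timestamps
  AgeHistogram hist;
  RecordOverrideAge(CRLite::Revoked, {OCSP::Good, now - 90 * 3600}, now, hist);
  RecordOverrideAge(CRLite::Revoked, {OCSP::Good, now - 30 * 60}, now, hist);
  RecordOverrideAge(CRLite::Revoked, {OCSP::Revoked, now - 3600}, now, hist);
  std::printf("overrides >= 24h old: %u\n", hist.CountAtLeast(24));
}
```

If the cache hypothesis in the description holds, most samples in such a histogram would land in the older buckets rather than near zero.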

Attachment #9297891 - Flags: data-review?(chutten)

Comment on attachment 9297891
1794479_data_review_request.md

DATA COLLECTION REVIEW RESPONSE:

Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes.

Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.

If the request is for permanent data collection, is there someone who will monitor the data over time?

No. This collection will expire in six months.

Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 2, Interaction.

Is the data collection request for default-on or default-off?

Default on for all channels.

Does the instrumentation include the addition of any new identifiers?

No.

Is the data collection covered by the existing Firefox privacy notice?

Yes.

Does the data collection use a third-party collection tool?

No.


Result: datareview+

Attachment #9297891 - Flags: data-review?(chutten) → data-review+
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dd2b8b8fff0d
Gather telemetry on the age of OCSP responses used to override CRLite. r=keeler
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
See Also: → 1817101