Measure the age of OCSP responses that are used to override CRLite
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
 | Tracking | Status |
---|---|---|
firefox107 | --- | fixed |
People
(Reporter: jschanck, Assigned: jschanck)
References
(Blocks 1 open bug)
Attachments
(2 files)
48 bytes, text/x-phabricator-request
3.01 KB, text/plain (chutten: data-review+)
We currently have CRLite configured in "Confirm Revocations" mode, which double-checks "revoked" results against OCSP. From the CRLITE_VS_OCSP_RESULT
telemetry we know that OCSP occasionally overrides CRLite. We suspect that this is due to cache effects and only happens when the OCSP "OK" result is old.
This new telemetry will measure the age of OCSP responses when OCSP is used to override CRLite.
Comment 1 (Assignee) • 2 years ago
Defines the OCSP_AGE_AT_CRLITE_OVERRIDE histogram which records the age of an
OCSP response, in hours, when CRLite says a certificate is revoked and OCSP
says it's OK.
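
A sketch of the measurement this commit message describes, added here as an example and not taken from the Firefox patch: an age is recorded only when CRLite reports "revoked" and OCSP reports "good". The type and function names, the bucket boundaries, the sample data, and measuring age from the response's thisUpdate time are all assumptions.

```cpp
// Added illustration, not Firefox source: every name below is hypothetical.
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Crlite { NotCovered, NotRevoked, Revoked };
enum class Ocsp { Good, Revoked, Unknown };
struct Check {         // one certificate verification
  Crlite crlite;       // CRLite filter result
  bool haveOcsp;       // false if no OCSP response was available
  Ocsp ocspStatus;
  int64_t thisUpdate;  // seconds since epoch; assumed reference point for "age"
  int64_t now;         // verification time, seconds since epoch
};
constexpr int64_t kNotRecorded = -1;

// Age in whole hours, only for the override case: CRLite "revoked", OCSP "good".
int64_t AgeAtOverrideHours(const Check& c) {
  if (c.crlite != Crlite::Revoked) return kNotRecorded;
  if (!c.haveOcsp || c.ocspStatus != Ocsp::Good) return kNotRecorded;
  int64_t age = c.now - c.thisUpdate;
  if (age < 0) age = 0;  // thisUpdate ahead of the local clock: count as fresh
  return age / 3600;
}

// Assumed bucket lower bounds in hours; the real bucket layout is not on this page.
constexpr std::array<int64_t, 5> kBucketStart = {{0, 1, 24, 72, 168}};
std::array<uint32_t, 5> Accumulate(const std::vector<Check>& checks) {
  std::array<uint32_t, 5> counts{};
  for (const Check& c : checks) {
    const int64_t hours = AgeAtOverrideHours(c);
    if (hours == kNotRecorded) continue;
    std::size_t i = kBucketStart.size() - 1;
    while (hours < kBucketStart[i]) --i;  // kBucketStart[0] == 0 ends the loop
    ++counts[i];
  }
  return counts;
}

std::vector<Check> SampleChecks() {  // constructed sample data
  const int64_t now = 1000000;
  return {{Crlite::Revoked, true, Ocsp::Good, now - 30 * 3600, now},   // 30 h old
          {Crlite::Revoked, true, Ocsp::Good, now - 200 * 3600, now},  // 200 h old
          {Crlite::Revoked, true, Ocsp::Good, now + 600, now},         // clock skew
          {Crlite::Revoked, true, Ocsp::Revoked, now - 7200, now},     // OCSP agrees
          {Crlite::NotRevoked, true, Ocsp::Good, now - 7200, now},     // no revocation
          {Crlite::Revoked, false, Ocsp::Unknown, 0, now}};            // no response
}
```

If the cache hypothesis in the bug description holds, the counts should concentrate in the older buckets rather than in the first one.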
Comment 2 (Assignee) • 2 years ago
Comment 3 • 2 years ago
Comment on attachment 9297891 [details]
1794479_data_review_request.md
DATA COLLECTION REVIEW RESPONSE:
Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?
Yes.
Is there a control mechanism that allows the user to turn the data collection on and off?
Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.
If the request is for permanent data collection, is there someone who will monitor the data over time?
No. This collection will expire in six months.
Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?
Category 2, Interaction.
Is the data collection request for default-on or default-off?
Default on for all channels.
Does the instrumentation include the addition of any new identifiers?
No.
Is the data collection covered by the existing Firefox privacy notice?
Yes.
Does the data collection use a third-party collection tool?
No.
Result: datareview+
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dd2b8b8fff0d Gather telemetry on the age of OCSP responses used to override CRLite. r=keeler
Comment 5 • 2 years ago
bugherder