CCADB entries generated 2024-03-08T17:01:00Z
Categories: Core :: Security Block-lists, Allow-lists, and other State (enhancement)
People: Reporter: ccadb2onercl, Assigned: bwilson
Attachments: 3 files
Adding entries to OneCRL based on revoked intermediate certificates reported in the CCADB.
Comment 4 • Reporter • 11 months ago
Changes are still in review. The following bugs appear to require resolution.
https://bugzilla.mozilla.org/show_bug.cgi?id=1884400
Comment 5 • Assignee • 11 months ago
Hi John,
These are the correct entries to add to OneCRL.
We do not need to run TLS Canary on this batch of changes.
Approve at Kinto Staging.
Use remote-settings-devtools in a development profile to confirm the OneCRL data in Staging Nightly is as intended. (It may take a while for the changes to show up.)
Run the onecrl-entry-checker tool and attach the output to this bug.
I'll then take a look at everything using onecrl-entry-checker, and then we can move these changes into production, and then I'll check my Nightly/Beta profile using the cert-storage-inspector tool.
Let me know if you need me to do anything.
Thanks,
Ben
Comment 6 • 11 months ago
[18:35:51] Stage-Stage: 1608 Stage-Preview: 1608 Stage-Published: 1608 compare.py:67
[18:35:53] Prod-Stage: 1608 Prod-Preview: 1608 Prod-Published: 1603 compare.py:75
Verifying stage against preview compare.py:82
prod/security-state-staging (1608) and prod/security-state-preview (1608) are equivalent compare.py:87
prod/security-state-staging (1608) and prod/security-state-staging (1608) are equivalent compare.py:87
prod/security-state-staging (1608) and prod/security-state-preview (1608) are equivalent compare.py:87
prod/security-state-preview (1608) and prod/security-state-staging (1608) are equivalent compare.py:87
[18:35:54] prod/security-state-preview (1608) and prod/security-state-preview (1608) are equivalent compare.py:87
prod/security-state-staging (1608) and prod/security-state-preview (1608) are equivalent compare.py:87
No changes are waiting in staging compare.py:90
There are 5 changes waiting in production. Adding: compare.py:99
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1884400', 'who': '', 'why': '', 'name': '', 'created': ''},
'enabled': False,
'issuerName': 'MEMxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRYwFAYDVQQDEw12VHJ1cyBSb290IENB',
'serialNumber': 'VmPk4uhKrU+Ar6D+FKt4T+wADJs='
}
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1884400', 'who': '', 'why': '', 'name': '', 'created': ''},
'enabled': False,
'issuerName': 'MEMxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRYwFAYDVQQDEw12VHJ1cyBSb290IENB',
'serialNumber': 'H6Q9cmNee/OBNe7znM/J3cNHeYY='
}
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1884400', 'who': '', 'why': '', 'name': '', 'created': ''},
'enabled': False,
'issuerName': 'MEoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxJzAlBgNVBAMTHklkZW5UcnVzdCBDb21tZXJjaWFsIFJvb3QgQ0EgMQ==',
'serialNumber': 'fgr3g+MTaN10FgQg4sbqcA=='
}
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1884400', 'who': '', 'why': '', 'name': '', 'created': ''},
'enabled': False,
'issuerName': 'MEcxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRowGAYDVQQDExF2VHJ1cyBFQ0MgUm9vdCBDQQ==',
'serialNumber': 'baFk8S+rVizrFzxGvKqfqQvu0kY='
}
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1884400', 'who': '', 'why': '', 'name': '', 'created': ''},
'enabled': False,
'issuerName': 'MEcxCzAJBgNVBAYTAkNOMRwwGgYDVQQKExNpVHJ1c0NoaW5hIENvLixMdGQuMRowGAYDVQQDExF2VHJ1cyBFQ0MgUm9vdCBDQQ==',
'serialNumber': 'F7oJqB+ONoNowl5eHOOl8oSDne0='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
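For reviewers who want to read the base64 fields in records like those listed in Comment 6, here is an added example (not part of the bug thread and not Mozilla's tooling) that decodes one record into a readable issuer name and a hex serial. It assumes `issuerName` is a base64-encoded DER X.501 Name and `serialNumber` is the base64-encoded serial bytes; `read_tlv`, `decode_name` and `describe` are hypothetical helper names.

```python
import base64

# Short labels for attribute-type OIDs (DER content bytes) common in CA names.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

# Record copied from the compare.py output in Comment 6 (other fields omitted).
SAMPLE = {
    "issuerName": "MEoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxJzAlBgNVBAMTHklkZW5UcnVzdCBDb21tZXJjaWFsIFJvb3QgQ0EgMQ==",
    "serialNumber": "fgr3g+MTaN10FgQg4sbqcA==",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Render a DER-encoded X.501 Name as 'C=..., O=..., CN=...'."""
    tag, rdns, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)         # SET: one RDN
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)  # SEQUENCE: type and value
            _, oid, after_oid = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, after_oid)
            enc = "utf-16-be" if vtag == 0x1E else "utf-8"  # 0x1E = BMPString
            parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode(enc, 'replace')}")
    return ", ".join(parts)

def describe(entry):
    """Return (issuer DN, serial as hex) for one OneCRL issuer/serial record."""
    issuer = decode_name(base64.b64decode(entry["issuerName"], validate=True))
    serial = base64.b64decode(entry["serialNumber"], validate=True).hex()
    return issuer, serial

if __name__ == "__main__":
    print(*describe(SAMPLE), sep="\n")
```

The decoded issuer and hex serial can be compared against the revoked intermediate's entry in the CCADB or on crt.sh before the change is approved.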
Comment 7 • Reporter • 11 months ago
Changes are still in review. The following bugs appear to require resolution.
https://bugzilla.mozilla.org/show_bug.cgi?id=1884400
Comment 8 • Reporter • 11 months ago
Changes are still in review. The following bugs appear to require resolution.
https://bugzilla.mozilla.org/show_bug.cgi?id=1884400
Comment 9 • Assignee • 11 months ago
The additions listed in Comment #6 appear to be correct. Please proceed with approving the changes in Kinto Production.
Thanks,
Ben
Comment 11 • Assignee • 11 months ago
Changes appear in Nightly and Beta Firefox profiles and at https://crt.sh/mozilla-onecrl.