Open
Bug 1911864
Opened 1 year ago
Updated 1 year ago
Implement "less strict" OCSP revocation setting
Categories
(Core :: Security: PSM, enhancement)
Tracking
()
NEW
People
(Reporter: dveditz, Unassigned)
References
Details
Chrome does not check OCSP, and pushes only a subset of revocations to their clients based on the revocation reason. This leads to regular occurrences of sites that are "broken" in Firefox but "work fine" in Chrome when the revocations were issued for minor technical reasons. In our plans for CRLite one approach to shrinking the data set was to include only the more serious revocation reasons. I propose:
- by default our OCSP checks only result in SSL errors for that same set of reasons
- other reasons could result in degraded URL bar presentation like "Not Secure" or slashed lock (or, ignore completely like Chrome)
- there's a preference to get "full" OCSP enforcement for TLS purists. Can be hidden about:config pref, but should be settable by enterprise policy