Closed Bug 1926414 Opened 14 days ago Closed 13 days ago

Add an option to make CRLite coverage checks more strict

Categories

(Core :: Security: PSM, enhancement, P3)

Tracking

RESOLVED FIXED
133 Branch
Tracking Status
firefox133 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

Attachments

(1 file)

A certificate is considered to be "covered" by a CRLite filter when it is presented with at least one SCT that attests to its inclusion in a portion of a CT log that was ingested by the CRLite backend. When a log experiences an MMD violation, it is possible that

  1. there is a certificate C with an SCT from that log at time T,
  2. the CRLite backend believes it has seen all certificates in that log with timestamps < T' - MMD for some T' > T + MMD, and
  3. C is not in the log at time T'.

This can cause a CRLite client to mistakenly view C as revoked. We currently mitigate this by double-checking "revoked" results against OCSP.

Eventually the CT ecosystem will transition to sunlight logs, SCTs will include the leaf-index extension, and CRLite coverage checks will not depend on the MMD. Until then, we might consider stricter notions of coverage that require two or more timestamps from different logs.
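
The difference between the current "at least one SCT" coverage rule and the stricter "two or more timestamps from different logs" rule described above, as an added example (not code from Firefox or from the attached patch). The types, function names, log names and timestamp windows are hypothetical and the sample data is constructed.

```rust
use std::collections::{HashMap, HashSet};

/// One SCT presented with a certificate: issuing log and timestamp (ms).
struct Sct { log_id: &'static str, timestamp: u64 }

/// Hypothetical filter metadata: per log, the timestamp window the
/// backend believes it has fully ingested.
type Coverage = HashMap<&'static str, (u64, u64)>;

/// Number of distinct logs that have at least one SCT inside their covered window.
fn covering_logs(scts: &[Sct], cov: &Coverage) -> usize {
    let logs: HashSet<&str> = scts
        .iter()
        .filter(|s| {
            cov.get(s.log_id)
                .map_or(false, |&(lo, hi)| lo <= s.timestamp && s.timestamp <= hi)
        })
        .map(|s| s.log_id)
        .collect();
    logs.len()
}

/// min_logs = 1 is the "at least one SCT" rule; min_logs >= 2 is the stricter
/// notion, where one log's MMD violation alone cannot make a cert look covered.
fn is_covered(scts: &[Sct], cov: &Coverage, min_logs: usize) -> bool {
    covering_logs(scts, cov) >= min_logs
}

// Constructed sample data below.
fn sample_coverage() -> Coverage {
    HashMap::from([("log-a", (1_000, 9_000)), ("log-b", (1_000, 9_000))])
}

fn single_log_cert() -> Vec<Sct> {
    // Two SCTs from the same log still count as one distinct log.
    vec![Sct { log_id: "log-a", timestamp: 5_000 }, Sct { log_id: "log-a", timestamp: 5_100 }]
}

fn two_log_cert() -> Vec<Sct> {
    vec![Sct { log_id: "log-a", timestamp: 5_000 }, Sct { log_id: "log-b", timestamp: 5_050 }]
}

fn main() {
    let cov = sample_coverage();
    for (name, scts) in [("single-log", single_log_cert()), ("two-log", two_log_cert())] {
        println!("{}: one-SCT rule={} strict rule={}", name,
                 is_covered(&scts, &cov, 1), is_covered(&scts, &cov, 2));
    }
}
```

A certificate that fails the strict check is simply treated as not covered by the filter, so its revocation status has to come from another mechanism.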

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a6e5a234f11
add a pref to make CRLite coverage checks more strict. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 13 days ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch