Closed Bug 1926414 Opened 20 days ago Closed 19 days ago

Add an option to make CRLite coverage checks more strict

Categories

(Core :: Security: PSM, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
133 Branch
Tracking Status
firefox133 --- fixed

People

(Reporter: jschanck, Assigned: jschanck)

Details

Attachments

(1 file)

A certificate is considered to be "covered" by a CRLite filter when it is presented with at least one SCT that attests to its inclusion in a portion of a CT log that was ingested by the CRLite backend. When a log experiences an MMD violation, it is possible that

  1. there is a certificate C with an SCT from that log at time T,
  2. the CRLite backend believes it has seen all certificates in that log with timestamps < T' - MMD for some T' > T + MMD.
  3. C is not in the log at time T'.

This can cause a CRLite client to mistakenly view C as revoked. We currently mitigate this by double-checking "revoked" results against OCSP.

Eventually the CT ecosystem will transition to sunlight logs, SCTs will include the leaf-index extension, and CRLite coverage checks will not depend on the MMD. Until then, we might consider stricter notions of coverage that require two or more timestamps from different logs.

Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5a6e5a234f11 add a pref to make CRLite coverage checks more strict. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 19 days ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: