Closed
Bug 1926414
Opened 20 days ago
Closed 19 days ago
Add an option to make CRLite coverage checks more strict
Categories
(Core :: Security: PSM, enhancement, P3)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
133 Branch
Tracking | Status | |
---|---|---|
firefox133 | --- | fixed |
People
(Reporter: jschanck, Assigned: jschanck)
Details
Attachments
(1 file)
A certificate is considered to be "covered" by a CRLite filter when it is presented with at least one SCT that attests to its inclusion in a portion of a CT log that was ingested by the CRLite backend. When a log experiences an MMD violation, it is possible that
- there is a certificate C with an SCT from that log at time T,
- the CRLite backend believes it has seen all certificates in that log with timestamps < T' - MMD for some T' > T + MMD.
- C is not in the log at time T'.
This can cause a CRLite client to mistakenly view C as revoked. We currently mitigate this by double-checking "revoked" results against OCSP.
Eventually the CT ecosystem will transition to sunlight logs, SCTs will include the leaf-index extension, and CRLite coverage checks will not depend on the MMD. Until then, we might consider stricter notions of coverage that require two or more timestamps from different logs.
Assignee | ||
Comment 1•20 days ago
|
||
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a6e5a234f11
add a pref to make CRLite coverage checks more strict. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 19 days ago
status-firefox133:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•