Open Bug 1953550 Opened 8 days ago Updated 8 days ago

Disable OCSP fallback for in-program certificates that are not covered by CRLite when CRLite is in enforcement mode

Tracking

()

Status:

ASSIGNED

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1953550 - reduce the use of OCSP when CRLite is enforced. r=keeler 8 days ago John Schanck [:jschanck] 48 bytes, text/x-phabricator-request		Details \| Review

John Schanck [:jschanck]

Assignee

Description

•

8 days ago

There are a few situations where the user's CRLite data may not cover a certificate that chains to our root store, e.g.

the user has not yet downloaded CRLite filters, or
the user's CRLite filters are out-of-date, or
the certificate has been in CT for < 1 MMD interval.

If we're configured to enforce CRLite and tolerate OCSP soft failures, then it is reasonable to treat these as "CRLite soft failures" and skip OCSP fetching. Doing so will reduce the number of OCSP requests that we make for new profiles and profiles that have not been used recently.

John Schanck [:jschanck]

Assignee

Updated

•

8 days ago

Assignee: nobody → jschanck

Status: NEW → ASSIGNED

John Schanck [:jschanck]

Assignee

Comment 1

•

8 days ago

Attached file Bug 1953550 - reduce the use of OCSP when CRLite is enforced. r=keeler — Details

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Disable OCSP fallback for in-program certificates that are not covered by CRLite when CRLite is in enforcement mode

Categories

(Core :: Security: PSM, enhancement, P3)

Tracking

()

People

(Reporter: jschanck, Assigned: jschanck)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Attachment

General

Description

File Name

Content Type