Closed
Bug 427668
Opened 16 years ago
Closed 8 years ago
Avoid EV verification when it's not necessary
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: KaiE, Unassigned)
References
(Depends on 1 open bug)
Details
In bug 406755 we've checked in a patch to do EV verification at a very early time, in the AuthCertificateCallback.

This is unnecessary for any sockets (or applications) which don't make use of the EV SSL status bit.

Nelson has proposed that an application should explicitly request that it's interested in EV.

Unfortunately, as of today, all crypto-related init happens inside the PSM module, which is a module shared between all apps.

So, one could think of the following:
- have a pref value in core crypto, which says "EV is OFF"
- have a pref value in Firefox, which overrides that to "EV is ON"
- have PSM check for that pref at init time, and do or do not perform EV verification during SSL

This is an enhancement for non-web apps.

But still, even in Firefox there might be SSL sockets that are unrelated to SSL. Maybe Chatzilla etc.

Maybe socket construction initiated by protocol-specific code (mail, http) should pass in a flag whether EV verification should happen on a socket.
Reporter
Comment 1•16 years ago
Maybe fixing this bug will become unnecessary once bug 324867 is done and PSM is able to make use of that feature. Because then the callback could simply make sure all potentially required intermediates are still referenced, and delay EV verification until the application requests it (as it was done prior to the landing of bug 406755 attachment 312419).
Depends on: 324867
Reporter
Comment 2•12 years ago
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
This doesn't seem particularly necessary (there's not too much of a performance hit now that we use mozilla::pkix, and if OCSP fetching is a concern, that can be disabled by a pref).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX