Closed
Bug 645819
Opened 14 years ago
Closed 12 years ago
Automatically import CRLs for servers the user visits
Categories
(Core Graveyard :: Security: UI, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: timeless, Assigned: timeless)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
4.01 KB, patch | KaiE: review-
Some certificates have a 'CRL Distribution Points' field.
I'd like someone to write an extension (or just a PSM feature) which automatically imports CRLs listed in certificates it encounters.
As an example, mail.google.com's certificate has:
CRL Distribution Points
URI: http://crl.thawte.com/ThawteSGCCA.crl
And bugzilla.mozilla.org's has:
CRL Distribution Points
URI: http://crl.geotrust.com/crls/secureca.crl
steps to reproduce:
1. enable feature / install extension
2. browse to bugzilla.mozilla.org / mail.google.com
3. open tools>options>advanced>revocation lists
expected results:
the CRL Distribution Points listed in the certificates for the servers visited should be listed.
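The field requested above is the cRLDistributionPoints extension from RFC 5280. As an added example (not code from this bug's patch), the sketch below walks the DER value of that extension and keeps only HTTP(S) URIs. The sample bytes are constructed inline from the two URIs quoted above plus an invented `ldap://` name, and all function names are hypothetical.

```python
def tlv(tag, body):  # DER-encode one element; only used to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = [n] if n < 0x80 else [0x80 | len(size), *size]
    return bytes([tag, *head]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:  # long form: low 7 bits count the length bytes
        k = n & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated body")
    return tag, buf[pos:pos + n], pos + n

def children(body, want):  # bodies of the direct children tagged `want`
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == want:
            yield inner

def crl_http_uris(ext_value):
    """HTTP(S) URIs in a DER CRLDistributionPoints value (RFC 5280, 4.2.1.13)."""
    tag, points, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single SEQUENCE")
    uris = []
    for point in children(points, 0x30):               # DistributionPoint
        for dp_name in children(point, 0xA0):          # [0] distributionPoint
            for full_name in children(dp_name, 0xA0):  # [0] fullName
                for raw in children(full_name, 0x86):  # [6] URI
                    uri = raw.decode("ascii", "replace")
                    if uri.lower().startswith(("http://", "https://")):
                        uris.append(uri)  # drop non-HTTP schemes
    return uris

def sample_extension():
    """Constructed sample; the ldap:// name is invented to exercise the filter."""
    def point(*uris):
        names = b"".join(tlv(0x86, u.encode("ascii")) for u in uris)
        return tlv(0x30, tlv(0xA0, tlv(0xA0, names)))
    return tlv(0x30, point("http://crl.thawte.com/ThawteSGCCA.crl",
                           "ldap://directory.example/cn=CA")
               + point("http://crl.geotrust.com/crls/secureca.crl"))
```

In a real client the extension value would come from the certificate library rather than from `sample_extension()`.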
Comment 1•14 years ago
timeless: thanks for the suggestion. I believe this is a duplicate of NSS bug 489347.
Depends on: 646534
Summary: Write an extension which auto-imports CRLs when it finds them → Automatically import CRLs for servers the user visits
this is controlled by a boolean pref: "security.crl.autoimport"
wtc: that bug is old, "high priority", and yet unresolved. this bug now has a patch (i believe the dependent bug needs to be fixed so that we don't risk disasters along the way, but...).
i'm not going to play politics, this is probably the last patch i'm going to write for gecko.
i'd love to see this or something effectively equivalent to this landed, but i do not want to have it stuck in political minefields. minefield is explosive enough.
this drops a dead code block and moves the pref check inside the try block.
Attachment #523920 - Attachment is obsolete: true
Attachment #523920 - Flags: review?(kaie)
Attachment #524046 - Flags: review?(kaie)
Comment 5•14 years ago
Brian, any chance you can take a look at this patch, please?
Comment 6•14 years ago
This is duplicating functionality that is in libpkix. Kai and I are working on switching to libpkix so that we can get its CRL processing. We also still need to work out if/how CRLs are going to get cached, and how to avoid downloading megabytes of CRLs on a daily basis, especially on mobile.
This patch has privacy implications: every CA for every website will begin being polled on a daily basis, making this mechanism serve as a means of broadcasting the user's location to all these CAs. Plus, it uses information derived from browsing history, but it is missing the logic to delete the CRLs when the user clears his browsing history.
I am designing an alternative mechanism with similar effects, but which addresses the above concerns.
Comment 7•12 years ago
Comment on attachment 524046
Automatically import CRLs for servers the user visits
approach not wanted
Attachment #524046 - Flags: review?(kaie) → review-
Updated•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Updated•8 years ago
Product: Core → Core Graveyard