Last Comment Bug 651246 - (pkix-default) Make libpkix-based certificate path building/validation the default in PSM
(pkix-default)
: Make libpkix-based certificate path building/validation the default in PSM
Status: RESOLVED INVALID
: APIchange, dev-doc-needed
Product: Core
Classification: Components
Component: Security: PSM (show other bugs)
: Trunk
: All All
: -- enhancement with 2 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
: David Keeler [:keeler] (use needinfo?)
Mentors:
Depends on: 489714 647722 787353 863534 psm-pkix 480706 485155 489188 635384 647364 655340 672811 699874 718759 728321 737802 775827 785259 787155 856060
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-19 14:54 PDT by Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Modified: 2013-09-29 17:20 PDT (History)
31 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-


Attachments

Description Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-04-19 14:54:51 PDT
+++ This bug was initially created as a clone of Bug #479393 +++
Comment 1 Kai Engert (:kaie) (on vacation) 2011-04-20 02:57:16 PDT
Make libpkix-based certificate path building/validation the default in PSM
Comment 2 Kai Engert (:kaie) (on vacation) 2011-05-05 14:08:43 PDT
Brian suggested to set APIchange, dev-doc-needed
in bug 479393 comment 58,
and I think it should be rather in this bug.
Comment 3 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-05-23 02:04:59 PDT
Bug 439505 and bug 653572 are not blockers for this.

Bug 651585 blocks enabling AIA cert fetching, but not this. (The dependency is already set in that bug.)

Bug 650307, bug 650296, bug 653565,  and must all be fixed before libpkix is enabled by default on Aurora/Beta/Final release.

I also want to investigate bug 480706 further.
Comment 4 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-11-04 02:24:05 PDT
Kai, I propose that we remove the dependencies on bug 592978 and bug 640892 and instead change our bad cert handler to avoid using CERTVerifyLog at all, as I explained in the email I sent you today.

As I commented in bug 489714, I think the current (old) cert verification code would have the same problem, so that shouldn't be a blocker.

I also don't think we need to have bug 647364 block this. If we have explicitly distrusted a root or intermediate CA, it is OK if the user can't explicitly trust an EE or intermediate chained to the distrusted cert. It is probably better that way, actually.

I also think we do not need to fix 653572 to enable libpkix by default. We can open up a new bug to change the default certificate validation for extensions using the old API, and fix it later.

Do you agree with the above?

If so, that would leave only bug 672811 to fix and bug 647722 to investigate and possibly fix. I will investigate bug 647722 tomorrow and I will submit patches for the remaining issues (the cert override issue which would require a new bug, and bug 672811 which I already know how to fix without a change to NSS).

Then we would be able to try to enable libpkix for FF11. This would resolve bug 634074, which is a very high priority.
Comment 5 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-11-04 11:22:53 PDT
We need to make sure that all the blacklisted certificates have the correct "distrusted" version of the cert, for the reason Wan-Teh mentions in bug 642503 comment 50.
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-11-04 11:34:19 PDT
If we don't fix bug 653572, then we will need to explicitly call CERT_SetusePKIXForValidation(PR_FALSE) in libpkix mode to avoid bug 551429.
Comment 7 Ryan Hurst 2012-02-08 07:36:49 PST
Excited to see this change make it in, will it also include executing the NIST PKITS tests (http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html) publishing the results?
Comment 8 Kyle Hamilton 2012-02-08 19:20:09 PST
blocks: 478418

US Federal Bridge PKI doesn't certify end-entities, it cross-certifies other roots.  libpkix is necessary, dveditz tells me, for cross-certification.
Comment 9 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-07-19 17:50:01 PDT
I am removing bug 551429 from the blocking list because we have a workaround for that in bug 728321, which is already blocking this bug.
Comment 10 Kai Engert (:kaie) (on vacation) 2012-08-02 13:22:51 PDT
Today we discussed the initial step in switching Mozilla to libPKIX should be low impact, and behaviour like amount of OCSP and CRL downloads should be similar to what we have today.

That probably means, we'll want to keep automatic CRL downloading disabled for the initial step.

The idea is to enable CRL downloading in a subsequent step, so we can better distinguish whether bug reports are related to libPKIX or rather related to enabling of additional downloading etc.
Comment 11 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-08-02 14:29:18 PDT
(In reply to Kai Engert (:kaie) from comment #10)
> Today we discussed the initial step in switching Mozilla to libPKIX should
> be low impact, and behaviour like amount of OCSP and CRL downloads should be
> similar to what we have today.

I filed bug 775827 about this, and I will clarify its summary so it is clear that it is about making the default revocation checking behavior for libpkix-based verification to be the same as the default revocation checking behavior for classic verification, with respect to both CRLs and OCSP.
Comment 12 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2013-09-29 17:20:52 PDT
As discussed on nss-dev, libpkix won't become the default in Gecko. This will be discussed further on the dev-tech-crypto mailing list soon.

Note You need to log in before you can comment on or make changes to this bug.