Preload all known intermediate certificates for CAs in our root store
Categories
(Core :: Security: PSM, enhancement, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox66 | --- | fixed |
People
(Reporter: briansmith, Assigned: jcj)
References
(Blocks 2 open bugs)
Details
(Keywords: perf, Whiteboard: [psm-assigned])
Attachments
(2 files)
Comment 12•6 years ago
What are the reasons for implementing this? Performance?
Won't this result in more improperly configured sites?
Comment 13•6 years ago (Assignee)
(In reply to Kristian Klausen from comment #12)
> What are the reasons for implementing this? Performance?

Performance is part of it, as is reducing unknown issuer error rates (as an alternative to AIA-chasing). Also, a list of all in-program intermediates is a necessary part of the work we're doing for CRLite, so attaching the DER certs to that data is pretty natural. This plus CRLite lets us stop doing out-of-band network fetches to determine configuration and revocation status w/o the operators stapling OCSP.

> Won't this result in more improperly configured sites?

Given the error rate telemetry and conversations we've had here over the years, I think that trend is already underway. Error-page-in-Firefox doesn't seem to be the major alarm it once was.

The first uses of this will be to gather telemetry insights from Nightly users; there are no immediate plans to ship this.