Closed
Bug 775827
Opened 12 years ago
Closed 11 years ago
Make default behavior of libpkix-based revocation checking match the default behavior when the classic certificate validation library is used.
Categories
(Core :: Security: PSM, defect)
RESOLVED
INVALID
People
(Reporter: briansmith, Assigned: briansmith)
(Keywords: perf)
Attachments
(1 file)
The patch in bug 479393 changes the revocation checking behavior of Firefox when libpkix is enabled. In non-libpkix mode, we did not do fetching of intermediate certificates' OCSP information. In libpkix mode, we do the fetching. There is no current combination of prefs that results in Firefox's old behavior.
Before we switch to libpkix as the default, we need to restore the old revocation information fetching behavior so that we do not regress performance and so that we do not add any unnecessary chances for regressions.
We can re-enable the revocation checking of intermediate certificates by default later if/when we have agreement that Firefox should behave that way.
Comment 1•12 years ago
Here's the patch I wrote a while ago showing how I intend it to work. I still need to clean it up.
Comment 2•12 years ago
If I'm reading this correctly, then making this change will impact EV Revocation Checking. (https://wiki.mozilla.org/CA:EV_Revocation_Checking)
Currently OCSP must also work for the intermediate certificates, and a failed OCSP response will result in EV treatment not being given.
We should make sure that the patch for this bug does not remove revocation checking of intermediate certs for EV.
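The two fetch policies contrasted in the description (classic: end-entity only; libpkix: every non-root certificate) and the EV rule from comment 2 (intermediate OCSP must succeed or EV treatment is withheld), modelled as a small Python policy simulation. This is an added example, not Mozilla/NSS code; the mode names, the `Cert` type, the dict-based OCSP stand-in and the soft-fail assumption for unavailable responses are all this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    is_root: bool = False

def certs_to_check(chain, mode):
    """Chain members that get an OCSP fetch under each policy.

    chain[0] is the end-entity, chain[-1] the trust anchor (never fetched).
    'classic': end-entity only (old PSM default this bug wants restored)
    'libpkix': end-entity plus every intermediate (behaviour after bug 479393)
    'ev'     : as libpkix; EV additionally needs intermediates to check out
    """
    fetchable = [c for c in chain if not c.is_root]
    if mode == "classic":
        return fetchable[:1]
    if mode in ("libpkix", "ev"):
        return fetchable
    raise ValueError(f"unknown mode {mode!r}")

def validate(chain, mode, ocsp):
    """Return (accepted, ev_granted, fetches).

    ocsp maps subject -> 'good' | 'revoked' | 'unavailable' (constructed
    stand-in for responder answers). Assumption: an unavailable response is
    soft-fail for ordinary validation but withholds EV treatment."""
    ev = (mode == "ev")
    fetches = 0
    for cert in certs_to_check(chain, mode):
        fetches += 1
        status = ocsp.get(cert.subject, "unavailable")
        if status == "revoked":
            return (False, False, fetches)
        if status == "unavailable" and ev:
            ev = False
    return (True, ev, fetches)

# Constructed sample chain and responder answers (not real certificates).
CHAIN = [Cert("leaf.example"), Cert("Example Intermediate CA"),
         Cert("Example Root", is_root=True)]
OCSP_OK = {"leaf.example": "good", "Example Intermediate CA": "good"}
OCSP_INT_DOWN = {"leaf.example": "good"}  # intermediate responder unreachable

if __name__ == "__main__":
    for mode in ("classic", "libpkix", "ev"):
        print(mode, validate(CHAIN, mode, OCSP_OK),
              validate(CHAIN, mode, OCSP_INT_DOWN))
```

The fetch count shows the performance cost the description worries about, and the revoked-intermediate case shows what the classic policy gives up in exchange.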
Comment 3•12 years ago
The code that validates EV certificates has its own revocation policy and it would not be affected by this change:
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp?rev=4a432c2d1b41#1186
Updated•12 years ago
Summary: Disable fetching of intermediate CA certificate revocation information by default when libpkix is used → Make default behavior of libpkix-based revocation checking match the default behavior when the classic certificate validation library is used.
Comment 4•11 years ago
We'll be removing the option to remove libpkix as part of the switch to insanity::pkix.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID