Remove "Revocation Lists" feature

RESOLVED FIXED in mozilla24

Status

Core
Security: PSM
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: briansmith, Assigned: briansmith)

Tracking

({user-doc-needed})

unspecified
mozilla24
user-doc-needed

Firefox Tracking Flags

(relnote-firefox 24+)

Details

Attachments

(2 attachments, 1 obsolete attachment)

Steps involved:

1. Remove nsICRLManager and nsICRLInfo, and their implementations.
2. Remove all the CRL updating code from nsNSSComponent
3. Remove the UI in Options -> Advanced -> Certificates -> Revocation Lists
4. Remove localized strings.

See the justification in the discussion:
https://mail.mozilla.org/pipermail/firefox-dev/2013-April/000329.html

Comment 1

4 years ago
(In reply to Brian Smith (:bsmith) from comment #0)
> 2. Remove all the CRL updating code from nsNSSComponent

For the sake of completeness: the PSM content listeners for application/x-pkcs7-crl, application/x-x509-crl and application/pkix-crl should be removed as well, I guess - see https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSModule.cpp#339. Otherwise, clicking a CRLDP URL will still download a CRL, but it can't be deleted from the DB any longer.
Assignee: nobody → bsmith
Target Milestone: --- → mozilla24
Created attachment 757790 [details]
Before/after screenshot
Created attachment 757794 [details] [diff] [review]
remove "Revocation Lists" UI

This patch removes the entire UI. This patch does not try to address the issue of CRLs that are already imported into the database, because we don't know whether or not those CRLs were imported via command-line tools by the system administrator. Since there is no change to NSS, NSS will continue to use those CRLs.
Attachment #757794 - Flags: superreview?(honzab.moz)
Attachment #757794 - Flags: review?(cviecco)
Comment on attachment 757794 [details] [diff] [review]
remove "Revocation Lists" UI

Review of attachment 757794 [details] [diff] [review]:
-----------------------------------------------------------------

Needs ui review too. 
Otherwise r+ for security/manager
Attachment #757794 - Flags: review?(cviecco) → review+
Comment on attachment 757794 [details] [diff] [review]
remove "Revocation Lists" UI

This is the thing that was discussed here:
https://mail.mozilla.org/pipermail/firefox-dev/2013-May/000333.html
https://mail.mozilla.org/pipermail/firefox-dev/2013-May/000335.html
Attachment #757794 - Flags: superreview?(honzab.moz) → superreview?(dolske)

Comment 6

4 years ago
There are some more strings in pippki.properties that will be unused and can be removed:
NoUpdateFailure
undefinedValStr
undefinedURL
yesButton
noButton

The following strings in pipnss.properties can also be removed:
CrlImportFailure1x
CrlImportFailureExpired
CrlImportFailureBadSignature
CrlImportFailureInvalid
CrlImportFailureOld
CrlImportFailureNotYetValid
CrlImportFailureNetworkProblem
CrlImportFailureReasonUnknown
CrlImportFailure2
Created attachment 763366 [details] [diff] [review]
Remove "Revocation Lists" UI [v2]

Hasse, thanks for looking at this. I updated the patch to address your suggestions.

dolske, could you please briefly take a look at the UI-related (XUL/JS/CSS) changes? If you are too busy, a referral to somebody else would be appreciated. Also, see the before/after screen shot in the other attachment.
Attachment #757794 - Attachment is obsolete: true
Attachment #757794 - Flags: superreview?(dolske)
Attachment #763366 - Flags: superreview?(dolske)
Attachment #763366 - Flags: review+
Comment on attachment 763366 [details] [diff] [review]
Remove "Revocation Lists" UI [v2]

Review of attachment 763366 [details] [diff] [review]:
-----------------------------------------------------------------

Brian was looking to expedite this review so poked me about it tonight. r=me

Remove the services.sync.prefs.sync.security.OCSP.disable_button.managecrl pref from firefox.js as that pref won't be useful anymore.

::: browser/components/preferences/in-content/advanced.xul
@@ +439,3 @@
>  #ifdef XP_MACOSX
>          <vbox>
>  #endif

Remove these ifdef's for OS X because the three buttons should fit on one line now.

@@ -446,5 @@
>                    preference="security.disable_button.openCertManager"/>
> -          <button id="viewCRLButton"
> -                  label="&viewCRLs.label;" accesskey="&viewCRLs.accesskey;"
> -                  oncommand="gAdvancedPane.showCRLs();"
> -                  preference="security.OCSP.disable_button.managecrl"/>
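
Review bot: drop the gAdvancedPane.showCRLs() handler and the &viewCRLs.label; and &viewCRLs.accesskey; entity definitions together with the viewCRLButton removed in this hunk. The button's oncommand and label/accesskey attributes are the references visible here, and leaving their targets behind would keep a dead entry point into the CRL manager plus two unused localized strings.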

Remove the associated <preference> elements from this file.
Attachment #763366 - Flags: superreview?(dolske) → review+
Status: NEW → ASSIGNED
Thanks for the review Matt (and Hasse). I made all the suggested changes:

https://hg.mozilla.org/integration/mozilla-inbound/rev/308e3cd73c5f
Backed out in because of a build failure in another patch I checked in at the same time:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8cac85f8f512

Re-landed
https://hg.mozilla.org/integration/mozilla-inbound/rev/dd6e10c7db02

Updated

4 years ago
Blocks: 886099
https://hg.mozilla.org/mozilla-central/rev/dd6e10c7db02
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Blocks: 646534

Updated

4 years ago
Blocks: 892255

Comment 12

4 years ago
I just learned about this bug today.

To summarize:

- As of Firefox 24 there is no user-interface for importing a CRL or modifying the CRLs that you have set to auto-import.

- All of the CRLs that you have set up for auto-import will continue to be auto-imported as per your previous settings. See Comment #3 for details.

- If you want to see and/or modify your list of auto-importing CRLs, you will need to install a previous version of Firefox.

- Or you can use crlutil
https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
relnote-firefox: --- → ?
Keywords: user-doc-needed

Comment 13

4 years ago
Will the CRL UI remain in Thunderbird and SeaMonkey? Or will it be removed from those products too?
(In reply to Kathleen Wilson from comment #12)
> - If you want to see and/or modify your list of auto-importing CRLs, you
> will need to install a previous version of Firefox.

While this is true, I don't think we should recommend this.

(In reply to Kathleen Wilson from comment #13)
> Will the CRL UI remain in Thunderbird and SeaMonkey? Or will it be removed
> from those products too?

This patch removed the UI that was shared by all of those applications. Bug 892255 and bug 886099 removed the button to open the UI from Thunderbird and SeaMonkey respectively.
(In reply to Kathleen Wilson from comment #12)
> - As of Firefox 24 there is no user-interface for importing a CRL or
> modifying the CRLs that you have set to auto-import.

Yes.

> - All of the CRLs that you have set up for auto-import will continue to be
> auto-imported as per your previous settings. See Comment #3 for details.

No, they will not auto-update anymore. But, the last version that was imported will be used by NSS.

> - If you want to see and/or modify your list of auto-importing CRLs, you
> will need to install a previous version of Firefox.

No. The feature is effectively gone.

> - Or you can use crlutil
> https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil

That will work for NSS but not for insanity::pkix.

Comment 16

4 years ago
> 
> > - Or you can use crlutil
> > https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
> 
> That will work for NSS but not for insanity::pkix.


Just trying to understand... Does that mean that when Firefox picks up insanity::pkix, no more CRL checking will be done, even if someone has imported CRLs into NSS?
(In reply to Kathleen Wilson from comment #16)
> > 
> > > - Or you can use crlutil
> > > https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
> > 
> > That will work for NSS but not for insanity::pkix.
> 
> 
> Just trying to understand... Does that mean that when Firefox picks up
> insanity::pkix, no more CRL checking will be done, even if someone has
> imported CRLs into NSS?

Right.
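
The replies above state that CRLs already imported are still used by NSS but no longer auto-update. As an added example (not part of this bug or of Mozilla's code), the Python below reads thisUpdate and nextUpdate from a DER-encoded CRL so an administrator can tell whether such a frozen CRL has passed its nextUpdate; the function names and the sample bytes are constructed for illustration.

```python
from datetime import datetime, timezone

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form RFC 5280 requires."""
    if tag not in (0x17, 0x18):
        raise ValueError("expected a Time element")
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and t.year >= 2050:         # RFC 5280: UTCTime YY >= 50 means 19YY
        t = t.replace(year=t.year - 100)
    return t

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded X.509 CRL."""
    tag, cert_list, _ = tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (decode PEM first)")
    _, tbs, _ = tlv(cert_list)                 # TBSCertList
    tag, _, pos = tlv(tbs)
    pos = pos if tag == 0x02 else 0            # version is OPTIONAL (absent in v1 CRLs)
    _, _, pos = tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)                  # issuer Name
    tag, val, pos = tlv(tbs, pos)
    this_update, next_update = der_time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_update = der_time(*tlv(tbs, pos)[:2])
    return this_update, next_update

def is_stale(der, now):
    """True when the CRL carries a nextUpdate that has already passed."""
    next_update = crl_validity(der)[1]
    return next_update is not None and now > next_update

# Constructed sample: a tiny CRL-shaped structure with a dummy signature (not verifiable).
enc = lambda tag, val: bytes([tag, len(val)]) + val    # short-form lengths only (< 128 bytes)
ALG = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")) + enc(0x05, b""))
ISSUER = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, b"Example CA"))))
TBS = enc(0x30, enc(0x02, b"\x01") + ALG + ISSUER
          + enc(0x17, b"130601000000Z") + enc(0x17, b"130701000000Z"))
SAMPLE_CRL = enc(0x30, TBS + ALG + enc(0x03, b"\x00" * 9))
```

The parser only reads the validity fields and does not verify the CRL's signature, so it is a freshness check, not a trust decision.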

Updated

4 years ago
relnote-firefox: ? → 24+
Blocks: 645683
Blocks: 104137
Blocks: 406559
Blocks: 98193
Blocks: 119046
Blocks: 150589
Blocks: 282945
Blocks: 379298
Blocks: 83509
Blocks: 170317

Updated

2 years ago
Blocks: 584066

Updated

2 years ago
Blocks: 102006