Closed Bug 867465 Opened 11 years ago Closed 11 years ago

Remove "Revocation Lists" feature

Categories

(Core :: Security: PSM, defect)

Not set
normal

Tracking

RESOLVED FIXED
mozilla24
Tracking Status
relnote-firefox --- 24+

People

(Reporter: briansmith, Assigned: briansmith)

Details

(Keywords: user-doc-needed)

Attachments

(2 files, 1 obsolete file)

Steps involved:

1. Remove nsICRLManager and nsICRLInfo, and their implementations.
2. Remove all the CRL updating code from nsNSSComponent.
3. Remove the UI in Options -> Advanced -> Certificates -> Revocation Lists
4. Remove localized strings.

See the justification in the discussion:
https://mail.mozilla.org/pipermail/firefox-dev/2013-April/000329.html
(In reply to Brian Smith (:bsmith) from comment #0)
> 2. Remove all the CRL updating code from nsNSSComponent

For the sake of completeness: the PSM content listeners for application/x-pkcs7-crl, application/x-x509-crl and application/pkix-crl should be removed as well, I guess - see https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSModule.cpp#339. Otherwise, clicking a CRLDP URL will still download a CRL, but it can't be deleted from the DB any longer.
Assignee: nobody → bsmith
Target Milestone: --- → mozilla24
Attached patch remove "Revocation Lists" UI (obsolete) — Splinter Review
This patch removes the entire UI. This patch does not try to address the issue of CRLs that are already imported into the database, because we don't know whether or not those CRLs were imported via command-line tools by the system administrator. Since there is no change to NSS, NSS will continue to use those CRLs.
Attachment #757794 - Flags: superreview?(honzab.moz)
Attachment #757794 - Flags: review?(cviecco)
Comment on attachment 757794
remove "Revocation Lists" UI

Review of attachment 757794:
-----------------------------------------------------------------

Needs ui review too. 
Otherwise r+ for security/manager
Attachment #757794 - Flags: review?(cviecco) → review+
Comment on attachment 757794
remove "Revocation Lists" UI

This is the thing that was discussed here:
https://mail.mozilla.org/pipermail/firefox-dev/2013-May/000333.html
https://mail.mozilla.org/pipermail/firefox-dev/2013-May/000335.html
Attachment #757794 - Flags: superreview?(honzab.moz) → superreview?(dolske)
There are some more strings in pippki.properties that will be unused and can be removed:
NoUpdateFailure
undefinedValStr
undefinedURL
yesButton
noButton

The following strings in pipnss.properties can also be removed:
CrlImportFailure1x
CrlImportFailureExpired
CrlImportFailureBadSignature
CrlImportFailureInvalid
CrlImportFailureOld
CrlImportFailureNotYetValid
CrlImportFailureNetworkProblem
CrlImportFailureReasonUnknown
CrlImportFailure2
Hasse, thanks for looking at this. I updated the patch to address your suggestions.

dolske, could you please briefly take a look at the UI-related (XUL/JS/CSS) changes. If you are too busy, a referral to somebody else would be appreciated. Also, see the before/after screen shot in the other attachment.
Attachment #757794 - Attachment is obsolete: true
Attachment #757794 - Flags: superreview?(dolske)
Attachment #763366 - Flags: superreview?(dolske)
Attachment #763366 - Flags: review+
Comment on attachment 763366
Remove "Revocation Lists" UI [v2]

Review of attachment 763366:
-----------------------------------------------------------------

Brian was looking to expedite this review so poked me about it tonight. r=me

Remove the services.sync.prefs.sync.security.OCSP.disable_button.managecrl pref from firefox.js as that pref won't be useful anymore.

::: browser/components/preferences/in-content/advanced.xul
@@ +439,3 @@
>  #ifdef XP_MACOSX
>          <vbox>
>  #endif
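
Review bot: the <vbox> opened here exists only under #ifdef XP_MACOSX, so its closing </vbox> has to sit under a matching conditional further down. If these three lines are dropped, the conditional close must be dropped in the same change, otherwise the XUL is no longer well-formed on OS X.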

Remove these ifdef's for OS X because the three buttons should fit on one line now.

@@ -446,5 @@
>                    preference="security.disable_button.openCertManager"/>
> -          <button id="viewCRLButton"
> -                  label="&viewCRLs.label;" accesskey="&viewCRLs.accesskey;"
> -                  oncommand="gAdvancedPane.showCRLs();"
> -                  preference="security.OCSP.disable_button.managecrl"/>
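
Review bot: the removed viewCRLButton is the visible user of three names that should not outlive it: the gAdvancedPane.showCRLs() handler, the viewCRLs.label / viewCRLs.accesskey entities, and the security.OCSP.disable_button.managecrl preference. Please confirm each has no other user and remove it in this patch, so that no dead handler, unused string or orphaned pref remains that looks like a working revocation control.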

Remove the associated <preference> elements from this file.
Attachment #763366 - Flags: superreview?(dolske) → review+
Status: NEW → ASSIGNED
Thanks for the review Matt (and Hasse). I made all the suggested changes:

https://hg.mozilla.org/integration/mozilla-inbound/rev/308e3cd73c5f
Blocks: 886099
https://hg.mozilla.org/mozilla-central/rev/dd6e10c7db02
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 892255
I just learned about this bug today.

To summarize:

- As of Firefox 24 there is no user-interface for importing a CRL or modifying the CRLs that you have set to auto-import.

- All of the CRLs that you have set up for auto-import will continue to be auto-imported as per your previous settings. See Comment #3 for details.

- If you want to see and/or modify your list of auto-importing CRLs, you will need to install a previous version of Firefox.

- Or you can use crlutil
https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
Will the CRL UI remain in Thunderbird and SeaMonkey? Or will it be removed from those products too?
(In reply to Kathleen Wilson from comment #12)
> - If you want to see and/or modify your list of auto-importing CRLs, you
> will need to install a previous version of Firefox.

While this is true, I don't think we should recommend this.

(In reply to Kathleen Wilson from comment #13)
> Will the CRL UI remain in Thunderbird and SeaMonkey? Or will it be removed
> from those products too?

This patch removed the UI that was shared by all of those applications. Bug 892255 and bug 886099 removed the button to open the UI from Thunderbird and SeaMonkey respectively.
(In reply to Kathleen Wilson from comment #12)
> - As of Firefox 24 there is no user-interface for importing a CRL or
> modifying the CRLs that you have set to auto-import.

Yes.

> - All of the CRLs that you have set up for auto-import will continue to be
> auto-imported as per your previous settings. See Comment #3 for details.

No, they will not auto-update anymore. But, the last version that was imported will be used by NSS.

> - If you want to see and/or modify your list of auto-importing CRLs, you
> will need to install a previous version of Firefox.

No. The feature is effectively gone.

> - Or you can use crlutil
> https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil

That will work for NSS but not for insanity::pkix.
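
Added example (not part of the bug discussion and not Mozilla code): with the UI gone and auto-update removed, previously imported CRLs stay in the profile's NSS database and can only be inspected or deleted with crlutil. The sketch below assumes crlutil is on PATH; the function names and the script name are illustrative, and as stated above it only affects what NSS itself consults.

```sh
#!/bin/sh
# Audit CRLs left behind in an NSS certificate database (added example).

# Print the NSS database specifier for a profile directory:
# "sql:<dir>" if it holds cert9.db, "dbm:<dir>" if it holds the legacy
# cert8.db (the format Firefox profiles of this era used).
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        echo "no NSS certificate database in $1" >&2
        return 1
    fi
}

# List every CRL stored in the database (crlutil -L).
list_crls() {
    spec=$(nss_db_spec "$1") || return 2
    crlutil -L -d "$spec"
}

# Delete the CRL stored under the given issuer nickname (crlutil -D -n).
# Back up the profile first: the deleted CRL cannot be re-imported via the UI.
delete_crl() {
    spec=$(nss_db_spec "$1") || return 2
    crlutil -D -n "$2" -d "$spec"
}

# Usage: sh crl-audit.sh list <profile-dir>
#        sh crl-audit.sh delete <profile-dir> <issuer-nickname>
case "${1:-}" in
    list)   list_crls "$2" ;;
    delete) delete_crl "$2" "$3" ;;
esac
```

Run it against a copy of the profile directory while the application is closed, so the database is not open in two processes at once.
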
> 
> > - Or you can use crlutil
> > https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
> 
> That will work for NSS but not for insanity::pkix.


Just trying to understand... Does that mean that when Firefox picks up insanity::pkix, no more CRL checking will be done, even if someone has imported CRLs into NSS?
(In reply to Kathleen Wilson from comment #16)
> > 
> > > - Or you can use crlutil
> > > https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_crlutil
> > 
> > That will work for NSS but not for insanity::pkix.
> 
> 
> Just trying to understand... Does that mean that when Firefox picks up
> insanity::pkix, no more CRL checking will be done, even if someone has
> imported CRLs into NSS?

Right.
Blocks: 584066
Blocks: 102006