Ticket #86 (reopened enhancement)
firefox-extension should install CRL
Reported by: | andersk | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | The Distant Future |
Component: | -- | Keywords: | |
Cc: | Fixed in version: | ||
Upstream bug: |
Description
As with #67, the firefox-extension package should install the new CRL from http://ca.mit.edu/mitca.crl.
Change History
comment:2 Changed 15 years ago by rbasch
It looks like the correct CRL distribution point for server certs is now http://ca.mit.edu/ca/mitserver.crl
comment:3 Changed 15 years ago by broder
- Status changed from new to closed
- Resolution set to wontfix
Apparently mitcert-issued certs now include a CRL in them, which means that this will be a completely moot point in one year, if it's not already.
comment:4 Changed 15 years ago by rbasch
- Status changed from closed to reopened
- Resolution wontfix deleted
Server certs do include the CRL distribution point now, but I believe firefox still needs to be configured to import and auto-update the CRL.
comment:5 Changed 15 years ago by geofft
jwalden happened to overhear discussion on this, and looked up what's necessary...
Zephyr from jwalden 21:29 (Jeffrey S Walden)
CRLs and all that gunk are not especially my strong suit, but I *believe* this is
what you want -- and looking at the implementation, I think it'll handle updating
the autoupdate prefs as well:
/* * http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsICRLManager.idl#58 * http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCRLManager.cpp#236 */ const SEC_CRL_TYPE = 1; const SEC_KRL_TYPE = 0; function importCRL(certData /* : string */, uri /* : nsIURI */, crlKey /* : string */) { var crlManager = Components.classes["@mozilla.org/security/crlmanager;1"] .getService(Components.interfaces.nsICRLManager); crlManager.importCrl(certData, certData.length, uri, SEC_CRL_TYPE, true /* download silently, don't potentially show error UI */, crlKey); }
comment:6 Changed 14 years ago by jdreed
- Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future
comment:7 Changed 13 years ago by jdreed
I briefly looked at this again, and it's not entirely clear to me what format certData should be (PEM, DER?), or what exactly "crlKey" is or where one obtains it. I also remembered that I hate XPCOM, and that the CRL is empty so we probably don't care.
If someone actually figures out the details, the implementation is probably quite straightforward, and I'd suggest looping like we do for the certs, and have things like "Crl1" and "CrlUrl1" in the properties file.
comment:8 Changed 12 years ago by achernya
MITCert now issues InCommon?-signed certificates, with a CRL of http://crl.incommon.org/InCommonServerCA.crl encoded in them, so I believe this is now very much not our problem.
comment:9 Changed 12 years ago by andersk
How many MIT CA–signed certificates are still out there? Are we going to be able to get rid of the MIT CA entirely?
comment:10 Changed 12 years ago by jdreed
I will attempt to get info on the future directions of certificates. I'll note that debathena-ssl-certificates also contains the csail CA and the MIT client CA, both of which are presumably going to continue to be a thing.