Ticket #86 (reopened enhancement)

Opened 13 years ago

Last modified 8 years ago

firefox-extension should install CRL

Reported by: andersk Owned by:
Priority: normal Milestone: The Distant Future
Component: -- Keywords:
Cc: Fixed in version:
Upstream bug:

Description

As with #67, the firefox-extension package should install the new CRL from  http://ca.mit.edu/mitca.crl.

Change History

comment:1 Changed 12 years ago by jdreed

  • Component set to --
  • Milestone set to IAP 2010

comment:2 Changed 12 years ago by rbasch

It looks like the correct CRL distribution point for server certs is now  http://ca.mit.edu/ca/mitserver.crl

comment:3 Changed 12 years ago by broder

  • Status changed from new to closed
  • Resolution set to wontfix

Apparently mitcert-issued certs now include a CRL in them, which means that this will be a completely moot point in one year, if it's not already.

comment:4 Changed 12 years ago by rbasch

  • Status changed from closed to reopened
  • Resolution wontfix deleted

Server certs do include the CRL distribution point now, but I believe firefox still needs to be configured to import and auto-update the CRL.

comment:5 Changed 12 years ago by geofft

jwalden happened to overhear discussion on this, and looked up what's necessary...

Zephyr from jwalden 21:29 (Jeffrey S Walden)

CRLs and all that gunk are not especially my strong suit, but I *believe* this is
what you want -- and looking at the implementation, I think it'll handle updating
the autoupdate prefs as well:

 /*
  * http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/public/nsICRLManager.idl#58
  * http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCRLManager.cpp#236
  */

 const SEC_CRL_TYPE = 1;
 const SEC_KRL_TYPE = 0;

 function importCRL(certData /* : string */, uri /* : nsIURI */, crlKey /* : string */)
 {
   var crlManager = Components.classes["@mozilla.org/security/crlmanager;1"]
                              .getService(Components.interfaces.nsICRLManager);
   crlManager.importCrl(certData, certData.length,
                        uri,
                        SEC_CRL_TYPE,
                        true /* download silently, don't potentially show error UI */,
                        crlKey);
 }

comment:6 Changed 11 years ago by jdreed

  • Milestone changed from Summer 2010 (Lucid Deploy) to The Distant Future

comment:7 Changed 9 years ago by jdreed

I briefly looked at this again, and it's not entirely clear to me what format certData should be (PEM, DER?), or what exactly "crlKey" is or where one obtains it. I also remembered that I hate XPCOM, and that the CRL is empty so we probably don't care.

If someone actually figures out the details, the implementation is probably quite straightforward, and I'd suggest looping like we do for the certs, and have things like "Crl1" and "CrlUrl1" in the properties file.

comment:8 Changed 8 years ago by achernya

MITCert now issues InCommon?-signed certificates, with a CRL of  http://crl.incommon.org/InCommonServerCA.crl encoded in them, so I believe this is now very much not our problem.

comment:9 Changed 8 years ago by andersk

How many MIT CA–signed certificates are still out there? Are we going to be able to get rid of the MIT CA entirely?

comment:10 Changed 8 years ago by jdreed

I will attempt to get info on the future directions of certificates. I'll note that debathena-ssl-certificates also contains the csail CA and the MIT client CA, both of which are presumably going to continue to be a thing.

Note: See TracTickets for help on using tickets.