On 04/30/2013 02:28 PM, Brian Smith wrote:
Hi all,

I propose we remove the "Revocation Lists" feature (Options -> Advanced -> 
Revocation Lists). Are there any objections? If so, please explain your objection.

Let me check with our group that works with the DoD. My guess is it's probably OK. I believe the DoD primarily uses OCSP, and only uses CRLs in the offline scenario (laptops in the war theater, for example). I'm pretty sure the original feature was driven by defense needs.

(Also note: while no browsers have this feature, some browsers do automatic CRL fetching at validation time, so we should make sure that we don't need to make sure we have a fallback after removing this feature).

bob

A certificate revocation list (CRL) is a list of revoked certificates, 
published by the certificate authority that issued the certificates. These 
lists vary from 1KB to potentially hundreds of megabytes in size.

Very large CRLs are not super common but they exist: Reportedly, GoDaddy (a CA 
in our root CA program) has a 41MB CRL. And, Verisign has at least one CRL that 
is close to 1MB on its own, and that's not the only CRL that they have. The US 
Department of Defense is another example of an organization known to have 
extremely large CRLs.

The "Revocation Lists" feature allows a user to configure Firefox to poll the CA's server on a regular interval. As far 
as I know, Firefox is the only browser to have such a feature. Other browsers either ignore CRLs completely or download CRLs on an 
"as needed" basis based on a URL embedded in the certificate. For example, in its default configuration, Google Chrome 
ignores CRLs, AFAICT (they use some indirect mechanism for handling revocation, which will be discussed in another thread). 
AFAICT, the "Revocation Lists" feature was added to Firefox a long time ago when there were IPR concerns about the 
"as needed" behavior. However, my understanding is that those concerns are no longer justified. In another thread, we 
will be discussing whether or not we should implement the "as needed" mechanism. However, I think that we can 
make this decision independently of that decision.

Obviously, the vast majority of users have no hope of figuring out what this 
feature is, what it does, or how to use it.

Because of the potential bandwidth usage issues, and UX issues, it doesn't seem 
like a good idea to add this feature to Mobile. But, also, if a certificate 
feature isn't important enough for mobile*, then why is it important for 
desktop? We should be striving for platform parity here.

Finally, this feature complicates significant improvements to the core 
certificate validation logic that we are making.

For all these reasons, I think it is time for this feature to go.

Cheers,
Brian

[*] Note: I make a distinction between things that haven't been done *yet* for 
mobile vs. things that we really have no intention to do.


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
