No edit summary |
|||
Line 1: | Line 1: | ||
= Plan for Improving Revocation Checking in Firefox = | = Plan for Improving Revocation Checking in Firefox = | ||
This page is dedicated to improving how Firefox does revocation checking of SSL certificates. | This page is dedicated to improving how Firefox does revocation checking of SSL certificates. | ||
* '''Discussion of Policy changes: mozilla.dev.security.policy forum''' | |||
* '''Discussion of Code changes: mozilla.dev.tech.crypto forum''' | |||
Results of a research project investigating the state of SSL Certificate Revocation: | |||
[[File:SSLcertRevocation.pdf]] | |||
The traditional X.509 CRL and OCSP mechanisms treat all possible reasons for revocation uniformly for all websites. This uniformity leads directly to the scalability problem of revocation checking: relatively unimportant revocations overwhelm the system and completely drown out obviously critical revocations. The key to efficient, scalable processing of revocations in the short term is to realize that there are multiple possible ways for revocation information to be retrieved and that the choice of retrieval method can be made on the basis of the reason for revocation. | The traditional X.509 CRL and OCSP mechanisms treat all possible reasons for revocation uniformly for all websites. This uniformity leads directly to the scalability problem of revocation checking: relatively unimportant revocations overwhelm the system and completely drown out obviously critical revocations. The key to efficient, scalable processing of revocations in the short term is to realize that there are multiple possible ways for revocation information to be retrieved and that the choice of retrieval method can be made on the basis of the reason for revocation. |
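Review bot: The four lines that appear on one side only, between the intro sentence and the X.509 paragraph (the two forum pointers and the [[File:SSLcertRevocation.pdf]] reference), are hard to act on as written. The forum names are bold text rather than links, and "a research project" is introduced without saying who ran it or when, so a reader cannot judge how current the revocation findings are. Suggest linking mozilla.dev.security.policy and mozilla.dev.tech.crypto, adding a one-line attribution and date for the PDF, and filling in the edit summary, which is empty for this change.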