Firefox behavior for CDP and AIA


Firefox behavior for CDP and AIA

Rick Andrews
I know that FF allows you to choose a CRL and it will check status against that CRL when it finds a cert issued by the CRL issuer. Does anyone know if FF uses the CDP in the cert or the cert's issuer name as a key to find the CRL?

The reason I ask is in regards to partitioned CRLs, where a CA could, for example, have one CRL for odd serial numbers and one for even. The CA would put the appropriate CDP in each cert, but would that confuse FF?

Same question about OCSP responses and AIA.

Does anyone know the answers for IE?
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Firefox behavior for CDP and AIA

Brian Smith-31
Rick Andrews wrote:
> I know that FF allows you to choose a CRL and it will check status
> against that CRL when it finds a cert issued by the CRL issuer. Does
> anyone know if FF uses the CDP in the cert or the cert's issuer name
> as a key to find the CRL?

I assume you are talking about the "Revocation Lists" feature exposed in the Options > Advanced > Certificates UI.

It uses the cert's issuer name. In particular, it uses CERT_CheckCRL, which calls cert_CheckCertRevocationStatus, which calls AcquireDPCache, which looks things up by issuer name. I didn't look to see whether we allow multiple CRLs for a given issuer name.

> The reason I ask is in regards to partitioned CRLs, where a CA could,
> for example, have one CRL for odd serial numbers and one for even.
> The CA would put the appropriate CDP in each cert, but would that
> confuse FF?

I'm not sure. The "Revocation Lists" feature is somewhat unmaintained and may be removed.

> Same question about OCSP responses and AIA.

Currently, Firefox uses the first OCSP responder URL listed in the end-entity's cert's AIA for doing OCSP fetches.

> Does anyone know the answers for IE?

I am not sure exactly what IE does, but IIRC Microsoft has very good documentation on MSDN regarding revocation checking in Windows.

Cheers,
Brian
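The following is an added illustration of the distinction Brian draws, not code from this thread or from NSS. It models two CRL caches in plain Python: one keyed only by issuer name (the "Revocation Lists" behaviour described above, with the assumption that the first CRL loaded for an issuer is the one consulted, since the thread does not settle whether several CRLs per issuer are kept) and one keyed by issuer plus distribution point URL. Run against Rick's odd/even partitioned-CRL scenario, it shows how an issuer-only lookup can report a revoked certificate as good. The class and function names, the CA name and the URLs are all constructed for the example; `first_ocsp_responder` simply encodes the AIA rule Brian states.

```python
"""Model of CRL lookup keyed by issuer name vs. by CRL distribution point (CDP).

Added example, not NSS code. A CRL here is reduced to
(issuer, distribution point URL, set of revoked serials) and a certificate to
(issuer, serial, CDP URLs, AIA OCSP URLs); all values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    issuer: str
    dp_url: str          # distribution point this CRL is published at
    revoked: frozenset   # serial numbers the CRL lists as revoked


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdp_urls: tuple      # CRL Distribution Points extension, in order
    ocsp_urls: tuple = ()  # AIA id-ad-ocsp accessLocations, in order


class IssuerKeyedCache:
    """One CRL per issuer name; the cert's CDP is never consulted.

    Assumption (not confirmed in the thread): the first CRL loaded for an
    issuer is the one that stays in the cache.
    """

    def __init__(self):
        self._by_issuer = {}

    def add(self, crl):
        self._by_issuer.setdefault(crl.issuer, crl)

    def status(self, cert):
        crl = self._by_issuer.get(cert.issuer)
        if crl is None:
            return "unknown"
        return "revoked" if cert.serial in crl.revoked else "good"


class CdpKeyedCache:
    """Keyed by (issuer, distribution point URL): a CRL is consulted only for
    certs whose CDP names it, which is what a partitioned CRL scheme needs."""

    def __init__(self):
        self._by_dp = {}

    def add(self, crl):
        self._by_dp[(crl.issuer, crl.dp_url)] = crl

    def status(self, cert):
        for url in cert.cdp_urls:
            crl = self._by_dp.get((cert.issuer, url))
            if crl is not None:
                return "revoked" if cert.serial in crl.revoked else "good"
        return "unknown"


def first_ocsp_responder(cert):
    """AIA rule as stated in the thread: the first OCSP URL listed is used."""
    return cert.ocsp_urls[0] if cert.ocsp_urls else None


# Constructed sample CA with a CRL partitioned into odd and even serials.
ISSUER = "CN=Example Partitioned CA"
ODD_CRL = Crl(ISSUER, "http://crl.example/odd.crl", frozenset({3, 7}))
EVEN_CRL = Crl(ISSUER, "http://crl.example/even.crl", frozenset({4}))


def demo():
    """Return {serial: (issuer-keyed status, CDP-keyed status)}."""
    issuer_cache = IssuerKeyedCache()
    cdp_cache = CdpKeyedCache()
    for crl in (EVEN_CRL, ODD_CRL):   # the even partition happens to load first
        issuer_cache.add(crl)
        cdp_cache.add(crl)
    certs = [
        Cert(ISSUER, 3, ("http://crl.example/odd.crl",),
             ("http://ocsp.example/a", "http://ocsp.example/b")),
        Cert(ISSUER, 4, ("http://crl.example/even.crl",)),
        Cert(ISSUER, 5, ("http://crl.example/odd.crl",)),
    ]
    return {c.serial: (issuer_cache.status(c), cdp_cache.status(c)) for c in certs}


if __name__ == "__main__":
    for serial, (by_issuer, by_cdp) in demo().items():
        print(f"serial {serial}: issuer-keyed={by_issuer}, cdp-keyed={by_cdp}")
```

Serial 3 is revoked on the odd partition, but the issuer-keyed cache only holds the even partition and answers "good"; the CDP-keyed cache answers "revoked". This is the failure mode to watch for: a CRL that carries an issuing distribution point extension is, per RFC 5280, only valid for certificates whose CDP matches it, so a client that selects CRLs by issuer name alone can silently miss revocations under any partitioned scheme.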