Question on Firefox's Certificate Revocation Checking


bruce lee

Feb 5, 2024, 11:49:11 AM
to dev-pl...@mozilla.org

Dear Firefox developers,

I would like to understand how Firefox checks for certificate revocation status when validating SSL certificates. Could you please explain what method Firefox uses to verify whether a certificate has been revoked? Proper revocation checking is an important security practice, so I would appreciate any details you can provide on how this works in Firefox.

Thank you in advance for your assistance. Please let me know if you need any clarification from me.

John Schanck

Feb 5, 2024, 12:44:04 PM
to bruce lee, dev-pl...@mozilla.org
The information in https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox is largely up to date, although we've moved beyond "preparing to test" CRLite and we are now actively evaluating its performance with a subset of our release population.

John

Dana Keeler

Feb 5, 2024, 12:47:54 PM
to John Schanck, bruce lee, dev-pl...@mozilla.org
Incidentally, the section on revocation checking for extended validation certificates is out of date - I'm working on getting that fixed (intermediates are no longer required to have OCSP information for EV, so Firefox skips checking for it).

bruce lee

Aug 12, 2024, 5:55:47 AM
to dev-pl...@mozilla.org, dke...@mozilla.com, bruce lee, dev-pl...@mozilla.org, jsch...@mozilla.com
As of today, how is the revocation status being checked?

Dana Keeler

Aug 12, 2024, 2:40:40 PM
to bruce lee, dev-pl...@mozilla.org
The information in https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox is largely up to date.
CRLite is still in development.

Dana