what revocation mechanism does Firefox use to validate certificate validity?


Qianxin Cheng

Aug 31, 2024, 4:17:58 AM
to dev-pl...@mozilla.org
Is Firefox still using CRL for certificate revocation, or if not, what revocation mechanism does Firefox use to validate certificate validity?

Dana Keeler

Sep 3, 2024, 4:29:03 PM
to Qianxin Cheng, dev-pl...@mozilla.org
The information in https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox is largely up to date.
In short, Firefox uses OCSP (either stapled or fetched) to check revocation for end-entity certificates. It uses a curated list called "OneCRL" to check revocation for intermediates and roots.
We are actively developing "CRLite", which is essentially a way of compressing all known revocations into a small dataset that can be downloaded out-of-band, thus eliminating the privacy and performance issues with OCSP fetching.
Firefox has not directly used CRLs for revocation for a number of years.

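Dana's reply describes CRLite as compressing all known revocations into a small dataset that is downloaded out-of-band. The block below is an added illustration, not Mozilla's or Firefox's code, of the Bloom filter cascade technique CRLite is built on. It assumes a complete list of revoked and non-revoked serials (in CRLite these come from CRLs and Certificate Transparency logs), uses SHA-256-derived bit positions and fixed sizing parameters chosen for the demo, and runs on constructed sample serials.

```python
import hashlib

class Bloom:
    """Minimal Bloom filter over byte strings; 'level' salts the hashes so
    each cascade level uses independent bit positions (demo parameters)."""
    def __init__(self, m, k, level):
        self.m, self.k, self.level = m, k, level
        self.bits = bytearray((m + 7) // 8)
    def _idx(self, item):
        for i in range(self.k):
            h = hashlib.sha256(bytes([self.level, i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, item):
        for j in self._idx(item):
            self.bits[j // 8] |= 1 << (j % 8)
    def __contains__(self, item):
        return all(self.bits[j // 8] >> (j % 8) & 1 for j in self._idx(item))

def build_cascade(revoked, valid, bits_per_item=10, k=7):
    """Level 0 holds every revoked serial. Each following level holds the
    serials of the *other* set that the previous level falsely accepted,
    so a lookup can always be resolved without storing the full valid set."""
    levels = []
    include, exclude = set(revoked), set(valid)
    while include:
        bf = Bloom(max(64, bits_per_item * len(include)), k, len(levels))
        for item in include:
            bf.add(item)
        levels.append(bf)
        # False positives from the excluded set need a correcting level.
        false_positives = {item for item in exclude if item in bf}
        include, exclude = false_positives, include
    return levels

def is_revoked(levels, item):
    """Walk the cascade: a miss at an even level means 'not revoked', a miss
    at an odd level means 'revoked'. Serials unknown to both input sets are
    undefined here; CRLite avoids that because CT logs cover every cert."""
    for depth, bf in enumerate(levels):
        if item not in bf:
            return depth % 2 == 1
    return len(levels) % 2 == 1

# Constructed sample data: serials of revoked and currently valid certificates.
REVOKED = {f"revoked-serial-{i}".encode() for i in range(200)}
VALID = {f"valid-serial-{i}".encode() for i in range(2000)}
CASCADE = build_cascade(REVOKED, VALID)
```

The whole cascade for these 2,200 serials is a few hundred bytes, which is the size saving that lets the full revocation set ship to the client instead of being fetched per connection.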