
Third party use of OneCRL


niklas.b...@googlemail.com

Nov 7, 2017, 8:29:06 AM
to mozilla-dev-s...@lists.mozilla.org
Hi all,

I'm working for a big managed security provider. We would like to benefit from OneCRL as a means of improving our certificate revocation checking.

I could download OneCRL at https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records. My question is whether there is a license on OneCRL or whether we are free to use it. Further, I'm wondering whether Mozilla has already thought about third-party users and provides another way of getting the most recent version of OneCRL than fetching the above-mentioned website and comparing whether the content has changed.

Thanks a lot already for any feedback on this!

Niklas

Ryan Sleevi

Nov 7, 2017, 8:48:13 AM
to niklas.b...@googlemail.com, mozilla-dev-security-policy
Note that additions and removals made in OneCRL relate to the behaviour
of mozilla::pkix and the trust lists expressed by the associated version of
NSS shipping with the supported versions of Firefox.

For example, this includes revocation of 'email only' CAs (that are not
appropriately constrained), which of course would not be appropriate for an
e-mail consuming application, or the revocation of particular
cross-certificates tied to the status of trust of particular roots.

As for the blocklist update, it's maintained in
https://hg.mozilla.org/mozilla-central/filelog/tip/browser/app/blocklist.xml

Niklas Bachmaier

Nov 7, 2017, 9:58:49 AM
to ry...@sleevi.com, mozilla-dev-security-policy
Thanks a lot, Ryan! Your comment on the Firefox specific selection of
revoked certificates contained in the list is definitely a point we'll have
to consider.
One more question: do I see it correctly that what is being called OneCRL
is the "certItems" part of
https://hg.mozilla.org/mozilla-central/file/tip/browser/app/blocklist.xml?
And the link which provides the JSON file (which I included in my message
before) is derived from the blocklist XML?

Ryan Sleevi

Nov 7, 2017, 10:57:29 AM
to Niklas Bachmaier, Ryan Sleevi, mozilla-dev-security-policy
Apologies, my understanding is that the XML is synced from the JSON, rather
than the other way around.

See https://wiki.mozilla.org/Firefox/Kinto#Blocklists

That is, the canonical source is Kinto (JSON), that is then used to drive
the generation of the blocklist.xml (so that released binaries match the
remotely-provided blocklist at the time of binary release)

You can see an example of a OneCRL modification at
https://bugzilla.mozilla.org/show_bug.cgi?id=1407559 - in which Kinto is
updated with the new set, and then that propagates to the blocklist.xml

Gervase Markham

Nov 8, 2017, 3:14:22 AM
to niklas.b...@googlemail.com
On 07/11/17 14:08, niklas.b...@googlemail.com wrote:
> I'm working for a big managed security provider. We would like to
> benefit from OneCRL as a means of improving our certificate
> revocation checking.

As in, you'd like to download one copy per day, or you'd like 100,000
clients to download one copy per day?

> I could download OneCRL at
> https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
> My question is if there is a license on OneCRL or if we are free to
> use it?

We have not put an explicit license on the data but certainly, in
keeping with Mozilla's principles of openness and sharing, it is
available for all to use. However, that doesn't mean our IT team might
not take action against clients making abusively large numbers of
requests. So if your usage of the list might get noticed, it would be
wise to talk to us first.

> Further I'm wondering if Mozilla has already thought about
> third party users and provides another way of getting the most recent
> version of OneCRL than getting the above mentioned website and
> comparing if the content has changed?

What other method might you have in mind that would be better than a
computer-readable highly-available web service? I suspect if you send it
an If-Modified-Since or other similar headers you might also get a Not
Modified response rather than another copy of the data. But look at the
code for Kinto or ask the people who wrote it.

Gerv
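The two practical points raised in this thread, polling the records endpoint without re-downloading an unchanged list, and matching a certificate against the entries, can be put together in a few dozen lines. The following is an added example written for this page; it is not code from any of the posters or from Mozilla. It sends `If-None-Match` and `If-Modified-Since` on every poll (the approach Gerv suggests), treats a 304 as "cache still current", and looks a certificate up by issuer plus serial or by subject plus SHA-256 of the SubjectPublicKeyInfo. The JSON shape it assumes (`{"data": [...]}` with `issuerName`, `serialNumber`, `subject`, `pubKeyHash` and an `enabled` flag, all base64 where applicable) is my understanding of the Kinto collection and is not stated on the page; the fake server, the ETag and every certificate value below are constructed so the flow runs offline.

```python
# Added example: a small OneCRL consumer with conditional fetching and lookup.
# Field names and the {"data": [...]} envelope are assumptions about the Kinto
# collection; all sample data is constructed.
import base64
import hashlib
import json
import urllib.request
from urllib.error import HTTPError

ONECRL_URL = (
    "https://firefox.settings.services.mozilla.com/v1/buckets/"
    "blocklists/collections/certificates/records"
)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


class OneCRLCache:
    """Last fetched record set plus the validators needed for a conditional GET."""

    def __init__(self):
        self.etag = None
        self.last_modified = None
        self.records = []

    def build_request(self) -> urllib.request.Request:
        req = urllib.request.Request(ONECRL_URL, headers={"Accept": "application/json"})
        if self.etag:
            req.add_header("If-None-Match", self.etag)
        if self.last_modified:
            req.add_header("If-Modified-Since", self.last_modified)
        return req

    def apply_response(self, status: int, headers, body: bytes) -> bool:
        """Store a fresh copy on 200; return False on 304 (cache still current)."""
        if status == 304:
            return False
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        self.etag = headers.get("ETag")
        self.last_modified = headers.get("Last-Modified")
        self.records = json.loads(body)["data"]
        return True

    def refresh(self, opener=urllib.request.urlopen) -> bool:
        """Poll once; `opener` is injectable so the flow can be exercised offline."""
        try:
            with opener(self.build_request()) as resp:
                return self.apply_response(resp.status, resp.headers, resp.read())
        except HTTPError as err:  # urllib raises on 304 instead of returning it
            if err.code == 304:
                return False
            raise

    def is_blocked(self, issuer_der: bytes, serial: bytes,
                   subject_der: bytes, spki_der: bytes) -> bool:
        """True if an enabled entry names this cert by issuer+serial or subject+SPKI hash."""
        issuer_b64, serial_b64, subject_b64 = b64(issuer_der), b64(serial), b64(subject_der)
        spki_hash_b64 = b64(hashlib.sha256(spki_der).digest())
        for rec in self.records:
            if not rec.get("enabled", True):  # assumed flag; absent means enabled
                continue
            if rec.get("issuerName") == issuer_b64 and rec.get("serialNumber") == serial_b64:
                return True
            if rec.get("subject") == subject_b64 and rec.get("pubKeyHash") == spki_hash_b64:
                return True
        return False


# Constructed placeholder bytes standing in for DER-encoded names, serials and keys.
BAD_ISSUER, BAD_SERIAL = b"constructed-issuer-der", b"\x01\xab\xcd"
BAD_SUBJECT, BAD_SPKI = b"constructed-subject-der", b"constructed-spki-der"

SAMPLE_BODY = json.dumps({"data": [
    {"issuerName": b64(BAD_ISSUER), "serialNumber": b64(BAD_SERIAL), "enabled": True},
    {"subject": b64(BAD_SUBJECT),
     "pubKeyHash": b64(hashlib.sha256(BAD_SPKI).digest()), "enabled": True},
    {"issuerName": b64(b"disabled-issuer"), "serialNumber": b64(b"\x09"), "enabled": False},
]}).encode()


class _FakeResponse:
    def __init__(self, status, headers, body):
        self.status, self.headers, self._body = status, headers, body
    def read(self): return self._body
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_opener(req):
    """Stands in for the service: answers 304 when the client presents the current ETag."""
    # urllib stores header names capitalised, so the lookup key is "If-none-match".
    if req.get_header("If-none-match") == '"constructed-etag-1"':
        return _FakeResponse(304, {}, b"")
    return _FakeResponse(200, {"ETag": '"constructed-etag-1"',
                               "Last-Modified": "Thu, 14 Dec 2017 15:00:00 GMT"}, SAMPLE_BODY)


def demo():
    cache = OneCRLCache()
    first = cache.refresh(opener=fake_opener)   # full copy downloaded
    second = cache.refresh(opener=fake_opener)  # server answers 304, nothing re-parsed
    return {
        "downloaded": (first, second),
        "issuer_serial_hit": cache.is_blocked(BAD_ISSUER, BAD_SERIAL, b"x", b"x"),
        "subject_spki_hit": cache.is_blocked(b"x", b"x", BAD_SUBJECT, BAD_SPKI),
        "disabled_ignored": cache.is_blocked(b"disabled-issuer", b"\x09", b"x", b"x"),
        "clean_cert": cache.is_blocked(b"other-issuer", b"\x01", b"x", b"x"),
    }


if __name__ == "__main__":
    print(demo())
```

Against the real service, `cache.refresh()` with the default opener does the actual HTTP round trip; persisting `etag`, `last_modified` and `records` between runs is what keeps a daily poll from ~2500 hosts down to mostly 304 responses. Ryan's caveat above still applies to the lookup: an entry's presence reflects decisions made for mozilla::pkix and the NSS trust store, so a hit means "Firefox distrusts this", not necessarily "revoked for every relying application".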

Niklas Bachmaier

Nov 8, 2017, 5:15:17 AM
to Gervase Markham, mozilla-dev-security-policy
Hi Gerv,

thanks a lot! Currently we don't know yet if the download would be
centralized or per host as we are just figuring out the concept. I totally
see that large numbers of requests would be something we need to talk about
with you first.

Have a nice day
Niklas

2017-11-08 9:13 GMT+01:00 Gervase Markham <ge...@mozilla.org>:

> On 07/11/17 14:08, niklas.b...@googlemail.com wrote:
> > I'm working for a big managed security provider. We would like to
> > benefit from OneCRL as a means of improving our certificate
> > revocation checking.
>
> As in, you'd like to download one copy per day, or you'd like 100,000
> clients to download one copy per day?
>
> > I could download OneCRL at
> > https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
> > My question is if there is a license on OneCRL or if we are free to
> > use it?
>
> We have not put an explicit license on the data but certainly, in
> keeping with Mozilla's principles of openness and sharing, it is
> available for all to use. However, that doesn't mean our IT team might
> not take action against clients making abusively large numbers of
> requests. So if your usage of the list might get noticed, it would be
> wise to talk to us first.
>
> > Further I'm wondering if Mozilla has already thought about
> > third party users and provides another way of getting the most recent
> > version of OneCRL than getting the above mentioned website and
> > comparing if the content has changed?
>

niklas.b...@googlemail.com

Dec 14, 2017, 10:03:46 AM
to mozilla-dev-s...@lists.mozilla.org
We are now ready to use the OneCRL in production. Approximately 2500 hosts would be requesting one OneCRL copy per day. Please let me know if this is not okay for you.

Thanks a lot
Niklas

J.C. Jones

Dec 14, 2017, 11:17:27 AM
to niklas.b...@googlemail.com, MDSP
Niklas,

That's fine. Thanks for the heads up. Note that the format has a
possibility of changing some in 2018, but only in the way of adding fields,
not changing existing data.

Cheers,

J.C.
Crypto Engineering

ume...@gmail.com

Jan 17, 2018, 10:53:33 AM
to mozilla-dev-s...@lists.mozilla.org
Hey JC,

We have a very similar need and would like to use the OneCRL. We will have ~3000 clients pulling the OneCRL once per day. Hopefully, it is acceptable.

-Umesh