
OneCRL


Gervase Markham

Nov 16, 2016, 4:05:40 PM
to mozilla-dev-s...@lists.mozilla.org
OneCRL is Mozilla's push-based revocation system. Up to now, it's been a
little bit opaque. Thanks to the ever-excellent Rob Stradling, we now
have a web page showing all the certs in OneCRL:
https://crt.sh/mozilla-onecrl
This shows what's on it, and information about why by linking to the
relevant bugs.

If you want to download OneCRL yourself, the URL is:
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records
It's JSON.

Gerv
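The records endpoint above returns JSON, so here is an added example (not Mozilla's own code) of loading such a download offline and checking a certificate against it. It assumes the entries carry either `issuerName` + `serialNumber` or `subject` + `pubKeyHash` as base64-encoded DER bytes plus an `enabled` flag; the sample data is constructed.

```python
import base64
import json
from typing import Optional, Set, Tuple

# Constructed sample in the shape of the OneCRL "records" response.
# Field names are assumed from the published collection; all values are made up.
SAMPLE_ONECRL = json.dumps({"data": [
    # Entry keyed on issuer DER name + certificate serial (both base64).
    {"issuerName": base64.b64encode(b"issuer-one-DER").decode(),
     "serialNumber": base64.b64encode(bytes.fromhex("00a1b2c3")).decode(),
     "enabled": True, "details": {"why": "constructed sample"}},
    # Entry keyed on subject DER name + SHA-256 of the SubjectPublicKeyInfo.
    {"subject": base64.b64encode(b"subject-two-DER").decode(),
     "pubKeyHash": base64.b64encode(b"\x11" * 32).decode(),
     "enabled": True, "details": {"why": "constructed sample"}},
    # Disabled entry: present in the collection but must not block anything.
    {"issuerName": base64.b64encode(b"issuer-three-DER").decode(),
     "serialNumber": base64.b64encode(b"\x01").decode(),
     "enabled": False, "details": {"why": "constructed sample"}},
]})


class OneCRL:
    """Lookup over OneCRL entries, keyed on the raw decoded DER bytes."""

    def __init__(self) -> None:
        self.by_issuer_serial: Set[Tuple[bytes, bytes]] = set()
        self.by_subject_spki: Set[Tuple[bytes, bytes]] = set()

    @classmethod
    def from_json(cls, text: str) -> "OneCRL":
        crl = cls()
        for rec in json.loads(text)["data"]:
            if not rec.get("enabled", True):
                continue  # listed but switched off: not a revocation
            if "issuerName" in rec and "serialNumber" in rec:
                crl.by_issuer_serial.add((base64.b64decode(rec["issuerName"]),
                                          base64.b64decode(rec["serialNumber"])))
            elif "subject" in rec and "pubKeyHash" in rec:
                crl.by_subject_spki.add((base64.b64decode(rec["subject"]),
                                         base64.b64decode(rec["pubKeyHash"])))
        return crl

    def is_revoked(self, issuer_der: bytes, serial: bytes,
                   subject_der: Optional[bytes] = None,
                   spki_sha256: Optional[bytes] = None) -> bool:
        """True if either OneCRL key form matches the certificate's fields."""
        if (issuer_der, serial) in self.by_issuer_serial:
            return True
        return subject_der is not None and spki_sha256 is not None and \
            (subject_der, spki_sha256) in self.by_subject_spki
```

Serials are compared byte-for-byte as decoded, so a leading 0x00 sign byte in the DER INTEGER must be kept on both sides rather than stripped.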

Adrian R.

Nov 16, 2016, 7:40:23 PM
to mozilla-dev-s...@lists.mozilla.org
Is there any way of allowing users to add locally on their machine a certificate to the OneCRL scope? (But don't allow the local scope to override the Mozilla-published one - it should always have priority.)

Back in September I revoked locally on my machine the WoSign roots and I tried to use the new certificate manager addon, but not even that was able to revoke the WoSign cross-sign.

https://github.com/sidstamm/FirefoxCertificateManager/issues/56

How can I revoke locally such intermediates without revoking the root CA itself?

Adrian R.

Gervase Markham

Nov 17, 2016, 5:12:36 AM
to Adrian R.
On 16/11/16 23:33, Adrian R. wrote:
> Is there any way of allowing users to add locally on their machine a
> certificate to the OneCRL scope? (But don't allow the local scope to
> override the Mozilla-published one - it should always have priority.)

I don't understand this. OneCRL is a revocation list, not a trust list.
So what would it mean to "not allow local scope to override the Mozilla
scope"? If you were able to "locally" add a cert to OneCRL, how could
that ever be overridden by the Mozilla list?

> Back in September I revoked locally on my machine the WoSign roots
> and I tried to use the new certificate manager addon, but not even
> that was able to revoke the WoSign cross-sign.
>
> https://github.com/sidstamm/FirefoxCertificateManager/issues/56
>
> How can I revoke locally such intermediates without revoking the root
> CA itself?

OneCRL is not the right route for this. I suspect the answer is that you
need to import the cross-sign cert into your certificate manager and
explicitly mark it as untrusted. On the Authorities tab in Certificate
Manager, use the "Import" button, and then later the "Edit Trust" button
and uncheck all boxes.

Gerv
