crlite
WebPKI-level Certificate Revocation via Multi-Level Bloom Filter Cascade
Set a deadline per issuer in aggregate-crls such that, if revocation data isn't acquired by the deadline, the issuer is not enrolled in CRLite. _Originally posted by @jcjones in https://github.com/mozilla/crlite/issues/43#issuecomment-730548932_
If the signer task doesn't run for some time, the bucket in Kinto can end up with many stashes waiting to be signed. Right now it fails indicating that the...
The publisher tool operates in four stages, and not in a transaction, which raises concerns as to what happens when it does not update in a consistent way. The possibilities...
I wonder if we want to verify that anything that was in the old set but isn't in the new set has expired? _Originally posted by @mozkeeler in https://github.com/mozilla/crlite/pull/48_ This...
RFC 5280 defines an extension `CRLReason`:
```
id-ce-cRLReasons OBJECT IDENTIFIER ::= { id-ce 21 }

CRLReason ::= ENUMERATED {
    unspecified             (0),
    keyCompromise           (1),
    cACompromise            (2),
    affiliationChanged      (3),
    superseded              (4),
    cessationOfOperation...
```
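The issue above quotes the `CRLReason` definition; the following is an added example, not code from the crlite project, showing how a CRL entry's `CRLReason` extension is decoded from raw DER with a minimal TLV reader, and which reason value does not actually mean "revoked". The sample extension bytes are constructed by hand for the example.

```python
# Added example for this page, not code from the crlite project: decode the
# RFC 5280 CRLReason entry extension from raw DER with a minimal TLV reader.
# The sample extension bytes below are constructed by hand.
from typing import Optional, Tuple

CRL_REASON_OID = "2.5.29.21"  # id-ce-cRLReasons ::= { id-ce 21 }

# CRLReason ENUMERATED values from RFC 5280 section 5.3.1; value 7 is unused.
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER contents")
    return tag, buf[pos:end], end


def decode_oid(contents: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def crl_reason_from_extension(ext_der: bytes) -> Optional[str]:
    """Return the CRLReason name for a DER Extension, or None if the extension
    has some other extnID.  Extension ::= SEQUENCE { extnID OID,
    critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    tag, seq, _ = read_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    if decode_oid(oid) != CRL_REASON_OID:
        return None
    tag, contents, pos = read_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN present; skip it
        tag, contents, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    etag, enum, _ = read_tlv(contents)
    if etag != 0x0A:
        raise ValueError("CRLReason must be an ENUMERATED")
    code = int.from_bytes(enum, "big", signed=True)
    return CRL_REASONS.get(code, f"unknown({code})")


def is_revocation(reason: str) -> bool:
    """removeFromCRL appears only in delta CRLs, to remove an entry from the
    base CRL (RFC 5280 section 5.3.1); every other reason marks the cert revoked."""
    return reason != "removeFromCRL"


# Constructed samples: Extension { 2.5.29.21, OCTET STRING { ENUMERATED n } }
SAMPLE_KEY_COMPROMISE = bytes.fromhex("300a0603551d1504030a0101")
SAMPLE_CERT_HOLD = bytes.fromhex("300a0603551d1504030a0106")
# A different extnID (2.5.29.24) with an empty value, only to exercise the OID
# check; it is not a valid invalidityDate encoding.
SAMPLE_OTHER_EXT = bytes.fromhex("30070603551d180400")

if __name__ == "__main__":
    for sample in (SAMPLE_KEY_COMPROMISE, SAMPLE_CERT_HOLD, SAMPLE_OTHER_EXT):
        print(sample.hex(), "->", crl_reason_from_extension(sample))
```

The `is_revocation` check is the caveat worth keeping in mind when deciding which CRL entries to feed into a filter: a `removeFromCRL` entry in a delta CRL is an instruction to drop a serial, not to add one.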
Certs that are shorter than Firefox's short-lived-certificates window won't have revocation checking anyway, so we could consider excluding them from the filter.
Here's the current set:
```
stats.create_filter_cascade.CreateCertLists.Issuers
stats.create_filter_cascade.CreateCertLists.KnownNotRevoked
stats.create_filter_cascade.CreateCertLists.KnownRevoked
stats.ct-fetch.insertCTWorker.Inserted
stats.gauges.create_filter_cascade.CreateCertLists.VirtualMemory.available
stats.gauges.create_filter_cascade.GenerateMLBF.BitCount
stats.gauges.create_filter_cascade.GenerateMLBF.LayerCount
stats.timers.aggregate-crls.KeysToChan
stats.timers.aggregate-crls.List
stats.timers.aggregate-known.KeysToChan
stats.timers.aggregate-known.SetToChan
stats.timers.create_filter_cascade.CreateCertLists
stats.timers.create_filter_cascade.FindAdditions
stats.timers.create_filter_cascade.GenerateMLBF
stats.timers.create_filter_cascade.LoadRevokedCerts
stats.timers.create_filter_cascade.Main
stats.timers.create_filter_cascade.SaveAdditions
stats.timers.create_filter_cascade.SaveMLBF
stats.timers.create_filter_cascade.VerifyMLBF
stats.timers.ct-fetch.ExpireAt
stats.timers.ct-fetch.insertCTWorker.ParseCertificates
stats.timers.ct-fetch.insertCTWorker.Store
stats.timers.ct-fetch.LogWorker.GetRawEntries
stats.timers.ct-fetch.LogWorker.LogEntryFromLeaf
stats.timers.ct-fetch.LogWorker.ProcessedEntry...
```
We might want to provide the same data in one format for Firefox X and a different format for Firefox X+1, or perhaps one for Release and one for Beta....
This line shows that the keys of the bloom filter are the binary concatenation of two binary data fields: https://github.com/mozilla/crlite/blob/d0b57d3319aa9e2ddc1a0c76b41c28860d9ccdd2/create_filter_cascade/certs_to_crlite.py#L63 `sha256(DER-encoded issuer SPKI) || DER-encoded serial number` The first part,...
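As an added example (not crlite project code) serving both the key-format issue just above and the earlier short-lived-certificate proposal: it builds the `sha256(DER-encoded issuer SPKI) || serial` key and skips certificates whose lifetime fits within a short-lived window. Two things are assumptions rather than facts from this page: the serial is appended as the content octets of its DER INTEGER (no tag or length prefix), and the short-lived window is a parameter with an assumed 10-day default. The sample SPKI bytes and validity dates are constructed.

```python
# Added example for this page, not crlite project code: build the filter key
# sha256(DER-encoded issuer SPKI) || serial number, and apply the proposed
# short-lived-certificate exclusion.  Assumptions: the serial is appended as
# the content octets of its DER INTEGER (no tag/length prefix), and the
# short-lived window is a parameter (10-day default assumed, not taken from
# this page).  The sample SPKI and validity dates are constructed.
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional


def der_integer_contents(serial: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER.
    A serial whose top bit is set needs a leading 0x00 to stay positive;
    this is where a naive 'big-endian bytes of the number' key would differ."""
    if serial < 0:
        raise ValueError("certificate serial numbers are positive")
    if serial == 0:
        return b"\x00"
    nbytes = (serial.bit_length() + 8) // 8  # one extra bit for the sign
    return serial.to_bytes(nbytes, "big", signed=True)


def issuer_spki_hash(issuer_spki_der: bytes) -> bytes:
    """First half of the key: SHA-256 over the issuer's DER-encoded SPKI."""
    return hashlib.sha256(issuer_spki_der).digest()


def crlite_key(issuer_spki_der: bytes, serial: int) -> bytes:
    """Key as described in the issue: sha256(issuer SPKI DER) || serial."""
    return issuer_spki_hash(issuer_spki_der) + der_integer_contents(serial)


def is_short_lived(not_before: datetime, not_after: datetime,
                   window: timedelta) -> bool:
    """True when the certificate's whole validity fits inside the window."""
    return not_after - not_before <= window


def key_for_filter(issuer_spki_der: bytes, serial: int,
                   not_before: datetime, not_after: datetime,
                   window: timedelta = timedelta(days=10)) -> Optional[bytes]:
    """Return the key to insert, or None when the certificate is short-lived
    and would be left out of the filter under the proposal."""
    if is_short_lived(not_before, not_after, window):
        return None
    return crlite_key(issuer_spki_der, serial)


# Constructed sample data (not a real SPKI or real certificates).
SAMPLE_ISSUER_SPKI = b"constructed SPKI DER placeholder for the example"
SAMPLE_NOT_BEFORE = datetime(2021, 1, 1, tzinfo=timezone.utc)
SAMPLE_LONG_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=90)
SAMPLE_SHORT_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=5)

if __name__ == "__main__":
    key = crlite_key(SAMPLE_ISSUER_SPKI, 0x80)
    print(key.hex())  # 32-byte hash followed by the serial octets 00 80
    print(key_for_filter(SAMPLE_ISSUER_SPKI, 0x80,
                         SAMPLE_NOT_BEFORE, SAMPLE_SHORT_NOT_AFTER))  # None
```

The sign-bit handling in `der_integer_contents` is the detail most likely to cause a silent mismatch between the filter builder and the client: a serial like `0x80` is encoded as `00 80` in DER, so a client that hashed `80` alone would look up a key the builder never inserted.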