Open elardus-erasmus opened 2 months ago
Same question
I can't speak on most of these questions, not being privy to the internals of anything, but the question of whether Let's Encrypt's CRLs are included is demonstrably true:
```text
→ cargo build
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.23s
→ ./target/debug/rust-query-crlite --update prod -vvv https revoked-isrgrootx2.letsencrypt.org
INFO - Fetching ct-logs records from remote settings https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/
INFO - Fetching cert-revocations records from remote settings https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/
INFO - Fetching filter from https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/9e5e72ee-ea45-49a8-a1b9-cdc31564a195.filter
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/51a586b4-252a-409c-b4ed-31665f4801d0.stash
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/3dc0ea38-5deb-4589-9359-933342c69dd4.stash
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/aa82e4d2-045f-471c-9938-d86e400411f4.stash
DEBUG - Loaded certificate from revoked-isrgrootx2.letsencrypt.org
DEBUG - Issuer DN: C=US, O=Let's Encrypt, CN=E6
DEBUG - Serial number: 030d172f419a94dd8be2c7bd6be2194988c2
DEBUG - Issuer SPKI hash: d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
DEBUG - Issuer enrollment key: +F05gi7EOabN4qhZhwwXNr8vE8oQyodlrJilLpcRm9s=
DEBUG - SCT from non-enrolled DigiCert Yeti2024 Log at 1725465610584.
DEBUG - SCT from Google 'Argon2024' log at 1725465610593 is in observed interval [1654791529771, 1725818854502].
ERROR - revoked-isrgrootx2.letsencrypt.org Revoked
```
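The two DEBUG lines about SCTs show the coverage check a CRLite client makes before trusting a filter answer: an SCT from a non-enrolled log is ignored, and the certificate counts as covered only if some SCT from an enrolled log falls inside that log's observed interval. The following is an added example (not code from rust-query-crlite or Firefox) that reproduces that decision with the timestamps from the output above; log names and the `in_filter` input are assumed stand-ins for the real filter metadata and filter lookup.

```python
from dataclasses import dataclass

# Constructed sample coverage table: only the enrolled log from the DEBUG output
# above, keyed by its display name (an assumption; real metadata uses log ids).
COVERAGE = {
    "Google 'Argon2024' log": (1654791529771, 1725818854502),
}


@dataclass
class Sct:
    log_name: str
    timestamp_ms: int


def is_covered(scts, coverage=COVERAGE):
    """A cert is covered when at least one SCT comes from an enrolled log and
    its timestamp lies inside that log's observed interval. SCTs from logs not
    in the table (e.g. the Yeti2024 SCT above) contribute nothing."""
    for sct in scts:
        interval = coverage.get(sct.log_name)
        if interval is None:
            continue  # non-enrolled log
        lo, hi = interval
        if lo <= sct.timestamp_ms <= hi:
            return True
    return False


def crlite_verdict(scts, in_filter, coverage=COVERAGE):
    """Map coverage plus the filter lookup result to a verdict. Only a covered
    cert may be called NotRevoked from the filter alone; an uncovered cert gets
    no CRLite answer and the client must use another mechanism (e.g. OCSP)."""
    if not is_covered(scts, coverage):
        return "NotCovered"
    return "Revoked" if in_filter else "NotRevoked"


# SCTs from the certificate queried above.
PAGE_SCTS = [
    Sct("DigiCert Yeti2024 Log", 1725465610584),   # non-enrolled, ignored
    Sct("Google 'Argon2024' log", 1725465610593),  # enrolled, inside interval
]

if __name__ == "__main__":
    print(crlite_verdict(PAGE_SCTS, in_filter=True))  # Revoked
```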
Are Let's Encrypt CRLs enrolled in CRLite? Does FF perform CRLite revocation, or is it still used for telemetry, or is it used but still falling back to OCSP? Is OCSP fallback going to be removed?
The most recent blog posts about Mozilla's CRLite implementation are 4 years old: https://blog.mozilla.org/security/tag/crlite/ At the time, Let's Encrypt did not publish CRLs, and the posts state that the CRL Revocation Points are used. Even though Let's Encrypt started publishing CRLs two years later, they are not populating the CRL Distribution Point in their certs. I see some CCADB parsing is done in this repo. Are the Let's Encrypt CRLs pulled into CRLite from there?
It would be good to write another blog post containing the current (and planned future) state/operation of CRLite, especially in light of Let's Encrypt's recent notice of intent to move away from OCSP, and the near total consensus of the CAB Forum to make OCSP optional.
Thanks