
Current state of CRLite #313

Open
elardus-erasmus opened this issue Aug 20, 2024 · 2 comments

Comments

@elardus-erasmus

Are Let's Encrypt CRLs enrolled in CRLite?
Does FF perform CRLite revocation, or is it still used for telemetry, or is it used but falling back to OCSP still? Is OCSP fallback going to be removed?

The most recent blogposts about Mozilla's CRLite implementation are 4 years old:
https://blog.mozilla.org/security/tag/crlite/
At the time, Let's Encrypt did not publish CRLs and the posts state that the CRL Revocation Points are used. Even though Let's Encrypt started publishing CRLs two years later, they are not populating the CRL Distribution Point in their certs. I see some CCADB parsing is done in this repo. Are the Let's Encrypt CRLs pulled into CRLite from there?

It would be good to write another blogpost containing the current - and future planned - state/operation of CRLite. Especially in light of Let's Encrypt's recent notice of intent to move away from OCSP, and the near total consensus of the CAB forum to make OCSP optional.

Thanks

@onepeople158

Same question

@jcjones
Contributor

jcjones commented Sep 9, 2024

I can't speak on most of these questions, not being privy to the internals of anything, but the question of whether Let's Encrypt's CRLs are included is demonstrably true:

→ cargo build
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.23s
→ ./target/debug/rust-query-crlite --update prod -vvv https revoked-isrgrootx2.letsencrypt.org
INFO - Fetching ct-logs records from remote settings https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/
INFO - Fetching cert-revocations records from remote settings https://firefox.settings.services.mozilla.com/v1/buckets/security-state/collections/
INFO - Fetching filter from https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/9e5e72ee-ea45-49a8-a1b9-cdc31564a195.filter
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/51a586b4-252a-409c-b4ed-31665f4801d0.stash
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/3dc0ea38-5deb-4589-9359-933342c69dd4.stash
INFO - Fetching https://firefox-settings-attachments.cdn.mozilla.net/security-state-staging/cert-revocations/aa82e4d2-045f-471c-9938-d86e400411f4.stash
DEBUG - Loaded certificate from revoked-isrgrootx2.letsencrypt.org
DEBUG - Issuer DN: C=US, O=Let's Encrypt, CN=E6
DEBUG - Serial number: 030d172f419a94dd8be2c7bd6be2194988c2
DEBUG - Issuer SPKI hash: d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
DEBUG - Issuer enrollment key: +F05gi7EOabN4qhZhwwXNr8vE8oQyodlrJilLpcRm9s=
DEBUG - SCT from non-enrolled DigiCert Yeti2024 Log at 1725465610584.
DEBUG - SCT from Google 'Argon2024' log at 1725465610593 is in observed interval [1654791529771, 1725818854502].
ERROR - revoked-isrgrootx2.letsencrypt.org Revoked
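The log above shows what the lookup actually keys on: an issuer identifier derived from the issuer's SPKI plus the leaf's serial number, resolved against a downloaded filter. Nothing from the leaf's CRL Distribution Point is involved, which is why a Let's Encrypt certificate with no CDP still gets a "Revoked" answer as long as its issuer is enrolled. The following is an added example written for this page, not code from rust-query-crlite, Mozilla's CRLite, or the commenter. It builds a toy CRLite-style Bloom filter cascade over a constructed population of serials and queries it. Assumptions, all labelled in the code: the issuer identifier is the hex SHA-256 of the DER SPKI (the SPKI bytes here are a constructed stand-in, not a real key); the Bloom filter sizing is toy-scale; the population of revoked and valid serials is constructed, where the real lists come from CRLs and CT logs; enrollment is keyed on the SPKI hash rather than the separate "Issuer enrollment key" the log prints; and the SCT timestamp / observed-interval check visible in the log is omitted.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"math/big"
)

// issuerID names an issuer by the hex SHA-256 of its DER SubjectPublicKeyInfo (assumed to be
// what the "Issuer SPKI hash" line above shows); spki is a constructed stand-in here.
func issuerID(spki []byte) string {
	h := sha256.Sum256(spki)
	return hex.EncodeToString(h[:])
}

// certKey is what the filter is queried with: issuer identity plus serial number. The leaf's
// CRL Distribution Point plays no part, so a CDP-less leaf is covered all the same.
func certKey(issuer string, serial *big.Int) string {
	return issuer + ":" + hex.EncodeToString(serial.Bytes())
}

// bloom is a minimal Bloom filter (3 probes, ~10 bits per key: toy sizing); the level is mixed
// into the hash so each cascade level probes independent bit positions.
type bloom struct {
	bits  []bool
	level int
}

// probe sets the key's bits when set is true, otherwise reports whether all are already set.
func (b *bloom) probe(key string, set bool) bool {
	for i := 0; i < 3; i++ {
		h := sha256.Sum256(append([]byte{byte(b.level), byte(i)}, key...))
		if j := binary.BigEndian.Uint32(h[:4]) % uint32(len(b.bits)); set {
			b.bits[j] = true
		} else if !b.bits[j] {
			return false
		}
	}
	return true
}

// buildCascade: level 0 holds every revoked key, level 1 the valid keys level 0 falsely matches,
// level 2 the revoked keys level 1 falsely matches, and so on until no false positives remain.
func buildCascade(revoked, valid []string) []*bloom {
	var levels []*bloom
	for include, exclude := revoked, valid; len(include) > 0; {
		f := &bloom{make([]bool, 10*len(include)+64), len(levels)}
		for _, k := range include {
			f.probe(k, true)
		}
		var fp []string
		for _, k := range exclude {
			if f.probe(k, false) {
				fp = append(fp, k)
			}
		}
		levels = append(levels, f)
		include, exclude = fp, include
	}
	return levels
}

// queryCascade walks the levels until one lacks the key. Stopping at an odd depth means the
// key sat in an "included" level and no exclusion level reclaimed it: revoked.
func queryCascade(levels []*bloom, key string) bool {
	for i, f := range levels {
		if !f.probe(key, false) {
			return i%2 == 1
		}
	}
	return len(levels)%2 == 1
}

// population is a constructed CT-style list (not real CRLite data): 300 serials from the one
// enrolled issuer, the first 20 of them revoked. Mozilla derives the real lists from CT and CRLs.
func population() (revoked, valid []string) {
	for i := int64(0); i < 300; i++ {
		if k := certKey(enrolledIssuer, big.NewInt(0x1000+i)); i < 20 {
			revoked = append(revoked, k)
		} else {
			valid = append(valid, k)
		}
	}
	return revoked, valid
}

var enrolledIssuer = issuerID([]byte("constructed DER SPKI of the enrolled CA"))
var cascade = buildCascade(population())

// lookup answers only for enrolled issuers; any other issuer has to fall back to another
// source (in Firefox, OCSP). Enrollment is keyed on the SPKI hash here for simplicity.
func lookup(issuer string, serial *big.Int) string {
	if issuer != enrolledIssuer {
		return "not enrolled"
	} else if queryCascade(cascade, certKey(issuer, serial)) {
		return "revoked"
	}
	return "not revoked"
}

func main() {
	println(len(cascade), "level(s);", lookup(enrolledIssuer, big.NewInt(0x1003)), lookup(enrolledIssuer, big.NewInt(0x1100)))
}
```

The cascade is exact for every certificate the builder knew about, because each level only has to correct the false positives of the previous one and CT gives the builder the complete set of unexpired, unrevoked certificates to check against. That is also the failure mode to keep in mind: a certificate the builder never saw (an issuer that is not enrolled, or a certificate whose SCTs fall outside the filter's observed interval, which the log line about Argon2024 is checking) gets no answer from the filter, and a client has to decide whether to fall back or soft-fail. The real filter is a compact packed format shipped with incremental `.stash` updates, as the fetch lines above show; this toy uses plain `[]bool` slices and rebuilds from scratch.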
