Removal of "Revocation Lists" feature (Options -> Advanced -> Revocation Lists)

Brian Smith bsmith at mozilla.com
Tue Apr 30 14:28:12 PDT 2013


Hi all,

I propose we remove the "Revocation Lists" feature (Options -> Advanced -> Revocation Lists). Are there any objections? If so, please explain your objection.

A certificate revocation list (CRL) is a list of revoked certificates, published by the certificate authority that issued the certificates. These lists vary from 1KB to potentially hundreds of megabytes in size.

Very large CRLs are not super common but they exist: Reportedly, GoDaddy (A CA in our root CA program) has a 41MB CRL. And, Verisign has at least one CRL that is close to 1MB on its own, and that's not the only CRL that they have. the US Department of Defense is another example of an organization known to have extremely large CRLs.

The "Revocation Lists" feature allows a user to configure Firefox to poll the CAs server on a regular interval. As far as I know, Firefox is the only browser to have such a feature. Other browser either ignore CRLs completely or download CRLs on an "as needed" basis based on a URL embedded in the certificate. For example, in its default configuration, Google Chrome ignores CRLs, AFAICT (they use some indirect mechanism for handling revocation, which will be discussed in another thread). AFAICT, the "Revocation Lists" feature was added to Firefox a long time ago when there were IPR concerns about the "as needed" behavior. However, my understanding is that those concerns are no longer justified. In another thread, we will be discussing about whether or not we should implement the "as needed" mechanism. However, I think that we can make this decision independently of that decision.

Obviously, the vast majority of users have no hope of figuring out what this feature is, what it does, or how to use it.

Because of the potential bandwidth usage issues, and UX issues, it doesn't seem like a good idea to add this feature to Mobile. But, also, if a certificate feature isn't important enough for mobile*, then why is it important for desktop? We should be striving for platform parity here.

Finally, this feature complicates significant improvements to the core certificate validation logic that we are making.

For all these reasons, I think it is time for this feature to go.

Cheers,
Brian

[*] Note: I make a distinction between things that haven't been done *yet* for mobile vs. things that we really have no intention to do.


More information about the firefox-dev mailing list