Revoking Intermediate Certificates: Introducing OneCRL

Users of Firefox from Firefox 37 will be protected by a new feature called OneCRL. This is a new mechanism we have introduced to push lists of revoked intermediate certificates to the browser.

Using OCSP for certificate revocation doesn’t serve users very well. For online revocation checks, either you have a system that fails open or you accept the performance penalty of checks that are more strict (as is the case for EV certificates). OCSP stapling can remove the need for live revocation checks, but currently, only only around 9% of TLS connections use it.

OneCRL helps speed up revocation checking by maintaining a centralized list of revoked certificates and pushing it out to browsers. Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem. This is slow because it takes some time for users to get the security update and restart their browsers. There’s also cost involved in producing an update (and users downloading it).

Firefox already has a mechanism for periodically checking for things that may harm users called blocklisting. OneCRL extends the blocklist to include certificates which should be revoked in addition to the errant add-ons, plugins and buggy graphics drivers currently included. This lets users get the benefit of fresh revocation information without having to update or restart their browser.

The other major benefit of OneCRL is speed. For certificates covered by OneCRL, there is no need to do live OCSP checks, so revocation checking incurs no additional latency. The is especially important for EV certificates, where a positive OCSP response is required.

Right now, OneCRL only covers CA intermediate certificates (in order to limit the size of the blocklist). OneCRL is updated when a CA in Mozilla’s root program notifies Mozilla that an intermediate certificate needs to be revoked.

The initial version of OneCRL that we have today is an important step. It will speed up revocation checking, especially for sites that use EV certificates. But we’re not done yet. We’re working on scaling up OneCRL so that its benefits apply more broadly, and on automating the collection of revocation information so that it gets to browsers more quickly.