For now, OneCRL works only with intermediate certificates

Mar 4, 2015 23:13 GMT  ·  By

Starting with the next stable version of Mozilla Firefox, revoking a digital certificate in response to a major incident will no longer require shipping a browser update, thanks to a new certificate revocation mechanism called OneCRL.

The feature does not replace OCSP (Online Certificate Status Protocol) checks, which Firefox continues to perform; instead, Mozilla pushes an updated revocation list to the browser, which consults it locally without a live query to the certificate authority. That matters because a live OCSP query that fails or is blocked is, by default, treated as a pass, whereas a pushed list is enforced offline. The result is a much shorter gap between a bad-certificate incident and its mitigation on users' machines.

OneCRL is built on the existing blocklist mechanism, which is extended to carry certificate entries. For the moment, only intermediate certificates are covered: these are CA certificates, chaining up to a trusted root, that issue the certificates sites actually present, so blocking one intermediate rejects every certificate issued beneath it. Limiting the list to intermediates also keeps the blocklist small.
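The local check described above, as an added example that is not Mozilla's code: certificates are plain records and blocklist entries are (issuer name, serial number) pairs, a simplified stand-in for the DER-encoded names a real blocklist would carry. The hierarchy, the blocklist entry and the hostnames are all constructed for the illustration. It shows that one entry for an intermediate rejects every leaf chaining through it, that a leaf-level entry is ignored because only intermediates are in scope, and that nothing in the check touches the network.

```python
"""Simplified model of a OneCRL-style local revocation check.

Added example, not Mozilla's implementation. Certificates are dataclasses
and matching is on (issuer, serial) string/int pairs instead of DER names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool


# Constructed sample hierarchy: one root, two intermediates, three leaves.
ROOT = Cert("Example Root CA", "Example Root CA", 1, True)
INT_1 = Cert("Example Issuing CA 1", "Example Root CA", 100, True)
INT_2 = Cert("Example Issuing CA 2", "Example Root CA", 101, True)
LEAF_A = Cert("a.example", "Example Issuing CA 1", 5001, False)
LEAF_B = Cert("b.example", "Example Issuing CA 2", 5002, False)
LEAF_C = Cert("c.example", "Example Issuing CA 2", 5003, False)

# Local store of known CA certificates, keyed by subject name.
STORE = {c.subject: c for c in (ROOT, INT_1, INT_2)}

# Constructed blocklist as pushed to the browser: an entry identifies a
# certificate by its issuer name and serial number. The first entry revokes
# INT_2; the second names a leaf and is deliberately out of scope.
BLOCKLIST = {
    ("Example Root CA", 101),
    ("Example Issuing CA 1", 5001),
}


def build_chain(leaf, store):
    """Walk issuer links from the leaf up to a self-signed root."""
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        parent = store.get(cur.issuer)
        if parent is None:
            raise ValueError(f"no issuer for {cur.subject!r}")
        chain.append(parent)
        cur = parent
    return chain


def check_chain(chain, blocklist):
    """Return (ok, reason) after consulting only the local blocklist.

    Only intermediates (CA certificates that are not self-signed) are
    matched, mirroring the initial Firefox 37 scope; a revoked leaf is
    still left to OCSP.
    """
    for cert in chain:
        is_intermediate = cert.is_ca and cert.subject != cert.issuer
        if is_intermediate and (cert.issuer, cert.serial) in blocklist:
            return False, f"intermediate {cert.subject!r} is on the blocklist"
    return True, "no intermediate in the chain is on the blocklist"


def verify(leaf, store=STORE, blocklist=BLOCKLIST):
    """Convenience wrapper: chain building plus the blocklist check."""
    return check_chain(build_chain(leaf, store), blocklist)


if __name__ == "__main__":
    for leaf in (LEAF_A, LEAF_B, LEAF_C):
        ok, reason = verify(leaf)
        print(f"{leaf.subject}: {'accepted' if ok else 'rejected'} ({reason})")
```

With this list in place, a.example is accepted even though its own serial appears in the blocklist, while b.example and c.example are both rejected by the single entry for their shared intermediate, which is the economy of list size the article refers to.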

In a blog post published on Tuesday, Mozilla says that, apart from allowing a prompt reaction, this development also cuts down on the costs involved in releasing a new browser version and having users download it.

The developer says that the functionality shipping in Firefox 37 is only a first step, with improvements to follow; one of the stated goals is to automate the collection of revocation data.