Technology Overview
CRLite is a WebPKI-wide certificate revocation system, to be distributed via Remote Settings for all Firefox users, replacing OCSP. We're experimenting with it now using a pre-production CRLite instance and manual inspection and submission of CRLite filter files to Remote Settings.
As of this writing, CRLite consists of several components:
Bulk storage of all unexpired certificates in the Web PKI, as well as CT log metadata. They are organized in a hierarchy:

```
logs/<url>
ct/<expiration date string>/issuer/<issuer SPKI string>/certs/<certificate SPKI string>
```

The `logs` entries contain information used by ct-mapreduce to keep track of CT log downloads.

The `ct` entries contain the certificate PEM data for all non-expired certificates in the Web PKI. They are bucketed first by their `notAfter` expiration date and hour, making it easy to filter out irrelevant (already-expired) certificates without examining them individually. Within an expiration bucket they are bucketed by the issuer's public key.
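As an added illustration (this is not code from the crlite or ct-mapreduce repositories), the following Go program builds the `ct/...` document path for a certificate and shows why bucketing by expiration hour makes it cheap to skip expired certificates. It assumes an hour-granular bucket string of the form `2006-01-02T15` and identifies each SPKI by a URL-safe base64 SHA-256 digest of its DER encoding; the page does not specify either format, so both are assumptions, and the issuer and leaf certificates are generated in-program as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"path"
	"time"
)

// ExpirationBucket truncates a certificate's notAfter to the hour, in UTC.
// Assumption: the page says certificates are bucketed by expiration "date and
// hour" but does not give the string format; "2006-01-02T15" is used here.
func ExpirationBucket(notAfter time.Time) string {
	return notAfter.UTC().Truncate(time.Hour).Format("2006-01-02T15")
}

// SPKIString identifies a public key by a URL-safe base64 SHA-256 digest of
// its DER-encoded SubjectPublicKeyInfo. Assumption: the page only says
// "SPKI string"; the hash-and-encode choice is illustrative.
func SPKIString(rawSPKI []byte) string {
	sum := sha256.Sum256(rawSPKI)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// CertPath builds the ct/<expiration>/issuer/<issuer SPKI>/certs/<cert SPKI>
// document path described above for a leaf certificate and its issuer.
func CertPath(leaf, issuer *x509.Certificate) string {
	return path.Join("ct", ExpirationBucket(leaf.NotAfter),
		"issuer", SPKIString(issuer.RawSubjectPublicKeyInfo),
		"certs", SPKIString(leaf.RawSubjectPublicKeyInfo))
}

// BucketExpired reports whether every certificate under an expiration bucket
// has expired by time now, so the whole bucket can be skipped when building a
// filter. A bucket covers [hour, hour+1h); it is only fully expired once that
// hour has ended, since a certificate expiring at 12:30 sits in bucket 12.
func BucketExpired(bucket string, now time.Time) (bool, error) {
	start, err := time.Parse("2006-01-02T15", bucket) // parsed as UTC
	if err != nil {
		return false, err
	}
	return !now.Before(start.Add(time.Hour)), nil
}

// makeCert issues a certificate for subject, signed by parentKey (or
// self-signed when parent is nil). It exists only to construct sample input
// for this example; a real deployment gets its certificates from CT logs.
func makeCert(subject string, notAfter time.Time, serial int64, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notAfter.Add(-24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

func main() {
	// Constructed sample: a leaf expiring at 12:30 UTC on 2030-03-04.
	notAfter := time.Date(2030, time.March, 4, 12, 30, 0, 0, time.UTC)
	ca, caKey, err := makeCert("Example Root", notAfter.Add(365*24*time.Hour), 1, true, nil, nil)
	if err != nil {
		panic(err)
	}
	leaf, _, err := makeCert("www.example.test", notAfter, 2, false, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(CertPath(leaf, ca))
	bucket := ExpirationBucket(leaf.NotAfter)
	for _, now := range []time.Time{notAfter.Add(29 * time.Minute), notAfter.Add(30 * time.Minute)} {
		expired, _ := BucketExpired(bucket, now)
		fmt.Printf("bucket %s fully expired at %s? %v\n", bucket, now.Format("15:04"), expired)
	}
}
```

A filter build only needs buckets whose end has not yet passed; `BucketExpired` treats a bucket as skippable only once its whole hour is behind `now`, so the 12:30 certificate above is still counted at 12:59 and dropped, together with everything else in its bucket, from 13:00.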
The active set of unexpired certificate serial numbers, their issuers, and metadata (such as CRL distribution URLs) is maintained in Redis, which is queried when CRLite filters are constructed. As ct-mapreduce downloads from CT, relevant certificates are inserted into Redis. If there is a problem with the Redis data, or the instance needs to be reset for any reason, a rebuild tool reconstructs it from bulk storage.
- [crlite-fetch](https://github.com/mozilla/crlite/tree/master/containers/crlite-fetch): uses the `ct-fetch` tool from ct-mapreduce to download from all CT logs, placing the certificates into Firestore and the Memorystore/Redis cache. This container runs as an always-on Kubernetes deployment.
- [crlite-generate](https://github.com/mozilla/crlite/tree/master/containers/crlite-generate): a run-to-completion Kubernetes cronjob that uses several tools to construct a CRLite filter and publish it, ultimately to Remote Settings.
- [crlite-rebuild](https://github.com/mozilla/crlite/tree/master/containers/crlite-rebuild): a run-to-completion Kubernetes job used when the Memorystore/Redis cache is invalid in some way. It reads all unexpired entries from Google Firestore and rebuilds the Memorystore data.
Metrics and logs are published to Stackdriver for overall system health. Errors and warnings generally fall into two categories:
- Problems with infrastructure performance, which are still being addressed via adjustments to how operations are performed
- Problems with the WebPKI, which might well be used by the Mozilla CA Root Program for enforcement