Wednesday, November 23, 2016

Fossa Guard V0.2.2. Call for OCSP support

The Fossa Team has updated Fossa Guard to V0.2.2 following reports from our users that the extension hangs while working with certificates issued by cacert.org.

A small investigation of the Certificate Revocation Lists (CRLs) listed at https://isc.sans.edu/crls.html showed that CAcert's CRL is the biggest one, at around 8 MB.

It lists certificates revoked as far back as 2002. Since a CRL only needs to carry revoked certificates that have not yet expired, entries that old make sense only if certificates with 14+ year lifetimes are still in use and still have a high probability of being revoked.

Unfortunately it is not practical to handle CRLs this big in the browser, so we have limited the supported CRL size to 512 KB to avoid a time-consuming download and decode. The trade-off is that revocation cannot be checked against a CRL above that limit.

So there is a strong case for implementing Online Certificate Status Protocol (OCSP) support in future versions of Fossa Guard: OCSP lets the client ask the CA's responder whether a single certificate has been revoked, instead of downloading and decoding the whole list.




Tuesday, November 22, 2016

New certificate validation and CRL support



In V0.2.1 Fossa Guard changed its certificate validation procedure by integrating a new crypto library.

The new certificate validation mechanism checks the full certificate chain up to the Root certificate (which must be in the list of trusted certificates) against the corresponding Certificate Revocation Lists (CRLs).

Thus a CRL management mechanism was introduced so that the new certificate validation can perform a full validity check.

On each certificate validation, Fossa Guard checks the freshness of all CRLs referenced by the CRL distribution points in the certificate and in the trusted certificates.

CRLs whose nextUpdate date has passed are re-downloaded using the Fetch API and stored in local storage.

The stored CRLs are then passed to the certificate validation routine inside the crypto library.
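The following is an added example (not Fossa Guard's code or its crypto library's) of the procedure described above, with the 512 KB cap from the V0.2.2 note folded in: a minimal DER walker that pulls thisUpdate, nextUpdate and the revoked serials out of a CRL, a freshness check on the stored copy, a Fetch API download that enforces the size cap on both the Content-Length header and the bytes actually received, and a per-validation step that refreshes a stale distribution point before answering the revocation question. The DER helpers, the distribution-point URL, the Map standing in for local storage, the mock fetch and the sample CRL (which carries a dummy signature) are all constructed for this example.

```javascript
// Added example, not Fossa Guard's code: DER helpers, URLs, the Map cache,
// the mock fetch and the sample CRL are all assumptions of this example.
const MAX_CRL_BYTES = 512 * 1024;                     // the cap from V0.2.2

// Tiny DER encoder, used only to construct the sample CRL below.
function der(tag, ...parts) {
  const body = parts.flatMap((p) => [...p]);
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Uint8Array.from([tag, ...len, ...body]);
}
const utf8 = (s) => new TextEncoder().encode(s);
const hex = (u8) => [...u8].map((b) => b.toString(16).padStart(2, '0')).join('');

// Walk the TLVs of buf[start, end); yields the tag and the value's position.
function* tlvs(buf, start = 0, end = buf.length) {
  for (let i = start; i < end; ) {
    const tag = buf[i++];
    let len = buf[i++];
    if (len & 0x80) {                                 // long-form length
      const n = len & 0x7f;
      len = 0;
      for (let k = 0; k < n; k++) len = (len << 8) | buf[i++];
    }
    yield { tag, start: i, end: i + len, value: buf.subarray(i, i + len) };
    i += len;
  }
}

// UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to Date.
function parseTime(t) {
  const s = new TextDecoder().decode(t.value);
  const o = t.tag === 0x17 ? 2 : 4;
  const yy = Number(s.slice(0, o));
  const year = t.tag === 0x17 ? yy + (yy < 50 ? 2000 : 1900) : yy;
  const [mo, d, h, mi, sec] = [0, 2, 4, 6, 8].map((k) => Number(s.slice(o + k, o + k + 2)));
  return new Date(Date.UTC(year, mo - 1, d, h, mi, sec));
}

// Extract thisUpdate, nextUpdate and the revoked serials (lowercase hex, leading
// zero bytes stripped) from a DER CertificateList (RFC 5280 section 5.1).
function parseCrl(bytes) {
  const [certList] = tlvs(bytes);                                // CertificateList
  const [tbs] = tlvs(bytes, certList.start, certList.end);       // TBSCertList
  const f = [...tlvs(bytes, tbs.start, tbs.end)];
  let i = f[0].tag === 0x02 ? 1 : 0;                  // optional version
  i += 2;                                             // signature AlgorithmIdentifier, issuer Name
  const thisUpdate = parseTime(f[i++]);
  const nextUpdate = f[i] && (f[i].tag === 0x17 || f[i].tag === 0x18) ? parseTime(f[i++]) : null;
  const revoked = new Set();
  if (f[i] && f[i].tag === 0x30) {                    // revokedCertificates
    for (const entry of tlvs(bytes, f[i].start, f[i].end)) {
      const [serial] = tlvs(bytes, entry.start, entry.end);
      revoked.add(hex(serial.value).replace(/^(?:00)+(?=..)/, ''));
    }
  }
  return { thisUpdate, nextUpdate, revoked };
}

// A stored CRL is usable only until its nextUpdate; one without nextUpdate is
// treated as stale, so it is re-fetched on every validation.
function isFresh(entry, now = new Date()) {
  return !!entry && entry.nextUpdate !== null && entry.nextUpdate > now;
}

// Download a CRL, enforcing the cap on the Content-Length header (cheap early
// reject) and on the bytes actually received (the header can be absent or wrong).
async function fetchCrl(url, fetchFn = globalThis.fetch, maxBytes = MAX_CRL_BYTES) {
  const resp = await fetchFn(url);
  if (!resp.ok) throw new Error(`CRL download failed: HTTP ${resp.status}`);
  const declared = Number(resp.headers.get('content-length'));
  if (declared > maxBytes) throw new Error(`CRL too large: ${declared} bytes declared`);
  const bytes = new Uint8Array(await resp.arrayBuffer());
  if (bytes.length > maxBytes) throw new Error(`CRL too large: ${bytes.length} bytes received`);
  return bytes;
}

// Per-validation step: refresh the distribution point if its stored CRL is
// missing or stale, then answer whether serialHex is on the list.
async function checkRevocation(cache, dpUrl, serialHex, fetchFn, now = new Date()) {
  if (!isFresh(cache.get(dpUrl), now)) cache.set(dpUrl, parseCrl(await fetchCrl(dpUrl, fetchFn)));
  return cache.get(dpUrl).revoked.has(serialHex.toLowerCase());
}

// Constructed sample CRL: issuer "Test CA", serial 0x1001 revoked, dummy signature.
function buildSampleCrl() {
  const algo = der(0x30, der(0x06, [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]), der(0x05));
  const issuer = der(0x30, der(0x31, der(0x30, der(0x06, [0x55, 0x04, 0x03]), der(0x0c, utf8('Test CA')))));
  const entry = der(0x30, der(0x02, [0x10, 0x01]), der(0x17, utf8('161122120000Z')));
  const tbs = der(0x30, der(0x02, [0x01]), algo, issuer, der(0x17, utf8('161122000000Z')),
    der(0x17, utf8('161123000000Z')), der(0x30, entry));
  return der(0x30, tbs, algo, der(0x03, [0x00, 0x00]));
}

// Stand-in for the Fetch API so the example runs offline.
function mockFetch(bodies) {
  return async (url) => {
    const body = bodies[url];
    return {
      ok: !!body, status: body ? 200 : 404,
      headers: { get: (h) => (body && h.toLowerCase() === 'content-length' ? String(body.length) : null) },
      arrayBuffer: async () => body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength),
    };
  };
}

async function demo() {
  const dp = 'http://crl.example.test/ca.crl';       // hypothetical distribution point
  const fetchFn = mockFetch({ [dp]: buildSampleCrl() });
  const cache = new Map();                            // local storage in the extension
  const now = new Date('2016-11-22T12:00:00Z');
  const revoked = await checkRevocation(cache, dp, '1001', fetchFn, now);
  const valid = !(await checkRevocation(cache, dp, '1002', fetchFn, now));   // served from cache
  let capped = false;                                 // an oversize CRL is rejected, never decoded
  try { await fetchCrl(dp, fetchFn, 16); } catch (e) { capped = true; }
  return { revoked, valid, capped };
}
```

One thing the example deliberately leaves out is the CRL signature: before a downloaded list is trusted it must be verified against the issuing CA's key (in Fossa Guard that is the crypto library's job), otherwise anyone who can answer the distribution point's URL can hide a revocation. Holding the stored copy only until nextUpdate, as `isFresh` does, also bounds how long a replayed older-but-genuine list stays effective.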

Please note that from V0.2.1, because of CRL support, Fossa Guard requires permission to download files from all sites: CRL distribution points can point to any host.

Tuesday, November 1, 2016

Fossa Guard V0.2.1 is available

Hi All

Fossa Guard V0.2.1 is now available, bringing users new certificate management abilities:

  • Certificate re-enrollment made as simple as possible by reusing your existing key pair and passphrase: once your current free certificate (limited to 3 months) expires you can easily renew it and continue S/MIME mailing, while keeping the ability to read your old emails because the key has not changed. 
  • Certificate Revocation List (CRL) support, allowing you to explicitly revoke any of your certificates issued by the Fossa.me server. A revoked certificate will no longer pass certificate validation. The CRL is regenerated every hour on the Fossa.me server, so your recipients can learn of the revocation within one hour of you revoking your certificate on the server (once their stored copy of the CRL expires and is refreshed). 

Note that the certificate validation mechanism has also been changed to fully support CRLs, including downloading and refreshing the lists of revoked certificates for all certificates in the extension.




There are also several improvements and bug fixes:
  • A signed message now also includes the Fossa Root F1 and Fossa Authority F2 certificates, helping third-party clients to easily build the full Fossa certificate chain.
  • The certificate import mechanism has been improved: the extension detects CA certificates and proposes the corresponding storage, with a certificate preview showing SHA-1 / SHA-256 fingerprints.
  • Added the missing MIME types application/x-pkcs7-mime and application/x-pkcs7-signature. 
  • Email addresses longer than 32 characters were being truncated by the EST component on the Fossa.me server. This is now fixed. Thanks a lot to Kim and Michael, who reported the problem to us. 
  • Fixed a bug where the extension froze during certificate chain validation with a self-signed certificate. Thanks to Armin.

Thanks to our 145 users! Your feedback is highly appreciated.

Everybody is welcome to try our new version and discover how easy secure S/MIME mailing can be.

Fossa S/MIME certificates stay free for personal usage and are renewable now.

Best regards,
Fossa Team