Bug 802302: Remove obsolete OCSP responder override UI and API, r=honzab
authorBrian Smith <bsmith@mozilla.com>
Mon, 15 Oct 2012 20:39:11 -0700
changeset 120898 65359d53e0db2a44aa72cf80cfefb02ebc403fd6
parent 120897 4ed8af50dc10f98b29142c566b0abfdc40f46edd
child 120899 b36d5c933092c4f0b57ea58c58e5b7916e0f2088
push id1997
push userakeybl@mozilla.com
push dateMon, 07 Jan 2013 21:25:26 +0000
reviewershonzab
bugs802302
milestone19.0a1
Bug 802302: Remove obsolete OCSP responder override UI and API, r=honzab
security/manager/ssl/public/Makefile.in
security/manager/ssl/public/nsIOCSPResponder.idl
security/manager/ssl/public/nsIX509CertDB.idl
security/manager/ssl/src/Makefile.in
security/manager/ssl/src/nsNSSCertificateDB.cpp
security/manager/ssl/src/nsNSSComponent.cpp
security/manager/ssl/src/nsOCSPResponder.cpp
security/manager/ssl/src/nsOCSPResponder.h
toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd
toolkit/mozapps/preferences/ocsp.js
toolkit/mozapps/preferences/ocsp.xul
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -52,17 +52,16 @@ XPIDLSRCS = \
     nsIUserCertPicker.idl \
     nsIASN1PrintableItem.idl \
     nsICMSDecoder.idl \
     nsICMSEncoder.idl \
     nsICMSMessageErrors.idl \
     nsICMSMessage.idl \
     nsICMSMessage2.idl \
     nsINSSCertCache.idl \
-    nsIOCSPResponder.idl \
     nsIPK11Token.idl \
     nsIPKCS11ModuleDB.idl \
     nsIPKCS11Module.idl \
     nsICRLManager.idl \
     nsISMimeCert.idl \
     nsIStreamCipher.idl \
     nsIKeyModule.idl \
     nsIProtectedAuthThread.idl \
deleted file mode 100644
--- a/security/manager/ssl/public/nsIOCSPResponder.idl
+++ /dev/null
@@ -1,12 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsISupports.idl"
-
-[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
-interface nsIOCSPResponder : nsISupports {
-  readonly attribute wstring responseSigner;
-  readonly attribute wstring serviceURL;
-};
-
--- a/security/manager/ssl/public/nsIX509CertDB.idl
+++ b/security/manager/ssl/public/nsIX509CertDB.idl
@@ -14,17 +14,17 @@ interface nsIInterfaceRequestor;
 %{C++
 #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
 %}
 
 /**
  * This represents a service to access and manipulate 
  * X.509 certificates stored in a database.
  */
-[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
+[scriptable, uuid(eb426311-69cd-4a74-a7db-a4a215854c78)]
 interface nsIX509CertDB : nsISupports {
 
   /**
    *  Constants that define which usages a certificate
    *  is trusted for.
    */
   const unsigned long UNTRUSTED       =      0;
   const unsigned long TRUSTED_SSL     = 1 << 0;
@@ -236,24 +236,16 @@ interface nsIX509CertDB : nsISupports {
    *  @param aCerts The array of all certificates to be exported.
    */
   void exportPKCS12File(in nsISupports aToken,
                         in nsIFile aFile,
                         in unsigned long count,
                         [array, size_is(count)] in nsIX509Cert aCerts);
 
   /**
-   *  An array of all known OCSP responders within the scope of the 
-   *  certificate database.
-   *
-   *  @return Array of OCSP responders, entries are QIable to nsIOCSPResponder.
-   */
-  nsIArray getOCSPResponders();
-
-  /**
    *  Whether OCSP is enabled in preferences.
    */
   readonly attribute boolean isOcspOn;
 
   /*
    *  Decode a raw data presentation and instantiate an object in memory.
    *
    *  @param base64 The raw representation of a certificate,
--- a/security/manager/ssl/src/Makefile.in
+++ b/security/manager/ssl/src/Makefile.in
@@ -51,17 +51,16 @@ CPPSRCS = 				\
   nsCMS.cpp 	                \
   nsCertPicker.cpp                \
   nsCRLInfo.cpp \
   nsNSSCertCache.cpp \
   nsNSSCertHelper.cpp \
   nsNSSCertificateDB.cpp \
   nsNSSCertTrust.cpp \
   nsNSSCertValidity.cpp \
-  nsOCSPResponder.cpp \
   nsUsageArrayHelper.cpp \
   nsCRLManager.cpp \
   nsNSSShutDown.cpp \
   nsNTLMAuthModule.cpp \
   nsSmartCardMonitor.cpp \
   nsSmartCardEvent.cpp \
   nsStreamCipher.cpp \
   nsKeyModule.cpp \
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -15,17 +15,16 @@
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertCache.h"
 #include "nsCRT.h"
 #include "nsICertificateDialogs.h"
 #include "nsNSSCertTrust.h"
 #include "nsIFile.h"
 #include "nsPKCS12Blob.h"
 #include "nsPK11TokenDB.h"
-#include "nsOCSPResponder.h"
 #include "nsReadableUtils.h"
 #include "nsIMutableArray.h"
 #include "nsArrayUtils.h"
 #include "nsNSSShutDown.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
 #include "nsComponentManagerUtils.h"
 #include "nsIPrompt.h"
@@ -1207,95 +1206,16 @@ nsNSSCertificateDB::ExportPKCS12File(nsI
     localRef = do_QueryInterface(aToken);
   }
   blob.SetToken(localRef);
   //blob.LoadCerts(aCertNames, count);
   //return blob.ExportToFile(aFile);
   return blob.ExportToFile(aFile, certs, count);
 }
 
-
-static SECStatus 
-GetOCSPResponders (CERTCertificate *aCert,
-                   SECItem         *aDBKey,
-                   void            *aArg)
-{
-  nsIMutableArray *array = static_cast<nsIMutableArray*>(aArg);
-  PRUnichar* nn = nullptr;
-  PRUnichar* url = nullptr;
-  char *serviceURL = nullptr;
-  char *nickname = nullptr;
-  uint32_t i, count;
-
-  // Are we interested in this cert //
-  if (!nsOCSPResponder::IncludeCert(aCert)) {
-    return SECSuccess;
-  }
-
-  // Get the AIA and nickname //
-  serviceURL = CERT_GetOCSPAuthorityInfoAccessLocation(aCert);
-  if (serviceURL) {
-    url = ToNewUnicode(NS_ConvertUTF8toUTF16(serviceURL));
-    PORT_Free(serviceURL);
-  }
-
-  nickname = aCert->nickname;
-  nn = ToNewUnicode(NS_ConvertUTF8toUTF16(nickname));
-
-  nsCOMPtr<nsIOCSPResponder> new_entry = new nsOCSPResponder(nn, url);
-  nsMemory::Free(nn);
-  nsMemory::Free(url);
-
-  // Sort the items according to nickname //
-  array->GetLength(&count);
-  for (i=0; i < count; ++i) {
-    nsCOMPtr<nsIOCSPResponder> entry = do_QueryElementAt(array, i);
-    if (nsOCSPResponder::CompareEntries(new_entry, entry) < 0) {
-      array->InsertElementAt(new_entry, i, false);
-      break;
-    }
-  }
-  if (i == count) {
-    array->AppendElement(new_entry, false);
-  }
-  return SECSuccess;
-}
-
-
-
-/*
- * getOCSPResponders
- *
- * Export a set of certs and keys from the database to a PKCS#12 file.
-*/
-NS_IMETHODIMP 
-nsNSSCertificateDB::GetOCSPResponders(nsIArray ** aResponders)
-{
-  nsNSSShutDownPreventionLock locker;
-  SECStatus sec_rv;
-  nsCOMPtr<nsIMutableArray> respondersArray =
-    do_CreateInstance(NS_ARRAY_CONTRACTID);
-  if (!respondersArray) {
-    return NS_ERROR_OUT_OF_MEMORY;
-  }
-
-  sec_rv = PK11_TraverseSlotCerts(::GetOCSPResponders,
-                                  respondersArray,
-                                  nullptr);
-  if (sec_rv != SECSuccess) {
-    goto loser;
-  }
-
-  *aResponders = respondersArray;
-  NS_IF_ADDREF(*aResponders);
-  return NS_OK;
-loser:
-  return NS_ERROR_FAILURE;
-}
-
 /*
  * NSS Helper Routines (private to nsNSSCertificateDB)
  */
 
 #define DELIM '\001'
 
 /*
  * GetSortedNameList
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -1039,43 +1039,24 @@ static CipherPref CipherPrefs[] = {
  {"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC
  {"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
  {nullptr, 0} /* end marker */
 };
 
 static void
 setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 {
-  switch (ocspEnabled) {
-  case 0:
+  // Note: this preference is numeric vs bolean because previously we
+  // supported more than two options.
+  if (!ocspEnabled) {
     CERT_DisableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-    break;
-  case 1:
+  } else {
     CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
     CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-    break;
-  case 2:
-    {
-      char *signingCA = nullptr;
-      char *url = nullptr;
-
-      // Get the signing CA and service url //
-      pref->GetCharPref("security.OCSP.signingCA", &signingCA);
-      pref->GetCharPref("security.OCSP.URL", &url);
-
-      // Set OCSP up
-      CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
-      CERT_SetOCSPDefaultResponder(CERT_GetDefaultCertDB(), url, signingCA);
-      CERT_EnableOCSPDefaultResponder(CERT_GetDefaultCertDB());
-
-      nsMemory::Free(signingCA);
-      nsMemory::Free(url);
-    }
-    break;
   }
 }
 
 #define CRL_DOWNLOAD_DEFAULT false
 #define OCSP_ENABLED_DEFAULT 1
 #define OCSP_REQUIRED_DEFAULT 0
 #define FRESH_REVOCATION_REQUIRED_DEFAULT false
 #define MISSING_CERT_DOWNLOAD_DEFAULT false
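Review bot: The new `else` branch in setNonPkixOcspEnabled takes every non-zero value, so a profile that still holds `security.OCSP.enabled` = 2 silently moves from the user-configured default responder to the responder each certificate names, and the added comment does not record that mapping. I would extend the comment to say so, e.g. `// Any non-zero value, including the legacy 2 (configured default responder), now enables OCSP via the certificate's own responder only.` The old `security.OCSP.signingCA` and `security.OCSP.URL` values are no longer read here and, as far as this diff shows, stay behind in existing profiles; clearing them on upgrade would avoid stale trust settings lingering. Two smaller points: `pref` is now unused in the body, and "bolean" in the comment should read "boolean".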
deleted file mode 100644
--- a/security/manager/ssl/src/nsOCSPResponder.cpp
+++ /dev/null
@@ -1,125 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsOCSPResponder.h"
-
-#include "nsCOMPtr.h"
-#include "nsIDateTimeFormat.h"
-#include "nsDateTimeFormatCID.h"
-#include "nsComponentManagerUtils.h"
-#include "nsReadableUtils.h"
-
-#include "certdb.h"
-
-/* Implementation file */
-NS_IMPL_ISUPPORTS1(nsOCSPResponder, nsIOCSPResponder)
-
-nsOCSPResponder::nsOCSPResponder()
-{
-  /* member initializers and constructor code */
-}
-
-nsOCSPResponder::nsOCSPResponder(const PRUnichar * aCA, const PRUnichar * aURL)
-{
-  mCA.Assign(aCA);
-  mURL.Assign(aURL);
-}
-
-nsOCSPResponder::~nsOCSPResponder()
-{
-  /* destructor code */
-}
-
-/* readonly attribute */
-NS_IMETHODIMP nsOCSPResponder::GetResponseSigner(PRUnichar** aCA)
-{
-  NS_ENSURE_ARG(aCA);
-  *aCA = ToNewUnicode(mCA);
-  return NS_OK;
-}
-
-/* readonly attribute */
-NS_IMETHODIMP nsOCSPResponder::GetServiceURL(PRUnichar** aURL)
-{
-  NS_ENSURE_ARG(aURL);
-  *aURL = ToNewUnicode(mURL);
-  return NS_OK;
-}
-
-bool nsOCSPResponder::IncludeCert(CERTCertificate *aCert)
-{
-  CERTCertTrust *trust;
-  char *nickname;
-
-  trust = aCert->trust;
-  nickname = aCert->nickname;
-
-  PR_ASSERT(trust != nullptr);
-
-  // Check that trust is non-null //
-  if (trust == nullptr) {
-    return false;
-  }
-
-  if ( ( ( trust->sslFlags & CERTDB_INVISIBLE_CA ) ||
-         (trust->emailFlags & CERTDB_INVISIBLE_CA ) ||
-         (trust->objectSigningFlags & CERTDB_INVISIBLE_CA ) ) ||
-       nickname == NULL) {
-      return false;
-  }
-  if ((trust->sslFlags & CERTDB_VALID_CA) ||
-      (trust->emailFlags & CERTDB_VALID_CA) ||
-      (trust->objectSigningFlags & CERTDB_VALID_CA)) {
-      return true;
-  }
-  return false;
-}
-
-// CmpByCAName
-//
-// Compare two responders their token name.  Returns -1, 0, 1 as
-// in strcmp.  No token name (null) is treated as >.
-int32_t nsOCSPResponder::CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b)
-{
-  int32_t cmp1;
-  nsXPIDLString aTok, bTok;
-  a->GetResponseSigner(getter_Copies(aTok));
-  b->GetResponseSigner(getter_Copies(bTok));
-  if (aTok != nullptr && bTok != nullptr) {
-    cmp1 = Compare(aTok, bTok);
-  } else {
-    cmp1 = (aTok == nullptr) ? 1 : -1;
-  }
-  return cmp1;
-}
-
-// ocsp_compare_entries
-//
-// Compare two responders.  Returns -1, 0, 1 as
-// in strcmp.  Entries with urls come before those without urls.
-int32_t nsOCSPResponder::CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b)
-{
-  nsXPIDLString aURL, bURL;
-  nsAutoString aURLAuto, bURLAuto;
-
-  a->GetServiceURL(getter_Copies(aURL));
-  aURLAuto.Assign(aURL);
-  b->GetServiceURL(getter_Copies(bURL));
-  bURLAuto.Assign(bURL);
-
-  if (!aURLAuto.IsEmpty()) {
-    if (!bURLAuto.IsEmpty()) {
-      return nsOCSPResponder::CmpCAName(a, b);
-    } else {
-      return -1;
-    }
-  } else {
-    if (!bURLAuto.IsEmpty()) {
-      return 1;
-    } else {
-      return nsOCSPResponder::CmpCAName(a, b);
-    }
-  }
-}
-
deleted file mode 100644
--- a/security/manager/ssl/src/nsOCSPResponder.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __NSOCSPRESPONDER_H__
-#define __NSOCSPRESPONDER_H__
-
-#include "nsIOCSPResponder.h"
-#include "nsString.h"
-
-#include "certt.h"
-
-class nsOCSPResponder : public nsIOCSPResponder
-{
-public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIOCSPRESPONDER
-
-  nsOCSPResponder();
-  nsOCSPResponder(const PRUnichar*, const PRUnichar*);
-  virtual ~nsOCSPResponder();
-  /* additional members */
-  static int32_t CmpCAName(nsIOCSPResponder *a, nsIOCSPResponder *b);
-  static int32_t CompareEntries(nsIOCSPResponder *a, nsIOCSPResponder *b);
-  static bool IncludeCert(CERTCertificate *aCert);
-private:
-  nsString mCA;
-  nsString mURL;
-};
-
-#endif
--- a/toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd
+++ b/toolkit/locales/en-US/chrome/mozapps/preferences/ocsp.dtd
@@ -1,17 +1,9 @@
 <!-- This Source Code Form is subject to the terms of the Mozilla Public
    - License, v. 2.0. If a copy of the MPL was not distributed with this
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <!ENTITY ocspDialog.title             "Certificate Validation">
 <!ENTITY enableOCSP.label             "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates">
 <!ENTITY enableOCSP.accesskey         "U">
-<!ENTITY certOCSP2.label              "Validate a certificate if it specifies an OCSP server">
-<!ENTITY certOCSP2.accesskey          "V">
-<!ENTITY proxyOCSP2.label             "Validate all certificates using the following OCSP server:">
-<!ENTITY proxyOCSP2.accesskey         "a">
-<!ENTITY serviceURL.label             "Service URL:">
-<!ENTITY serviceURL.accesskey         "S">
-<!ENTITY signingCA.label              "Response Signer:">
-<!ENTITY signingCA.accesskey          "R">
 <!ENTITY requireOCSP.label            "When an OCSP server connection fails, treat the certificate as invalid">
 <!ENTITY requireOCSP.accesskey        "W">
--- a/toolkit/mozapps/preferences/ocsp.js
+++ b/toolkit/mozapps/preferences/ocsp.js
@@ -1,93 +1,22 @@
 // -*- Mode: Java; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 var gOCSPDialog = {
-  _certDB         : null,
-  _OCSPResponders : null,
-  _cacheRadio     : 0,
-
-  init: function ()
-  {
-    this._certDB = Components.classes["@mozilla.org/security/x509certdb;1"]
-                             .getService(Components.interfaces.nsIX509CertDB);
-    this._OCSPResponders = this._certDB.getOCSPResponders();
+  _updateUI: function (called_by) {
+    var securityOCSPEnabled = document.getElementById("security.OCSP.enabled");
+    var enableOCSP = document.getElementById("enableOCSP");
+    var requireOCSP = document.getElementById("requireOCSP");
 
-    var signingCA = document.getElementById("signingCA");
-    const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
-    for (var i = 0; i < this._OCSPResponders.length; ++i) {
-      var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
-      var menuitem = document.createElement("menuitem");
-      menuitem.setAttribute("value", ocspEntry.responseSigner);
-      menuitem.setAttribute("label", ocspEntry.responseSigner);
-      signingCA.firstChild.appendChild(menuitem);
-    }
-    
-    var signingCAPref = document.getElementById("security.OCSP.signingCA");
-    if (!signingCAPref.hasUserValue)
-      signingCA.selectedIndex = 0;
-    else {
-      // We need to initialize manually since auto-initialization is often 
-      // called prior to menulist population above.
-      signingCA.value = signingCAPref.value;
-    }
-    this.chooseServiceURL();
-  },
-  
-  _updateUI: function (called_by)
-  {
-    var signingCA = document.getElementById("security.OCSP.signingCA");
-    var serviceURL = document.getElementById("security.OCSP.URL");
-    var securityOCSPEnabled = document.getElementById("security.OCSP.enabled");
-    var requireWorkingOCSP = document.getElementById("security.OCSP.require");
-    var enableOCSPBox = document.getElementById("enableOCSPBox");
-    var certOCSP = document.getElementById("certOCSP");
-    var proxyOCSP = document.getElementById("proxyOCSP");
-
-    var OCSPPrefValue = parseInt(securityOCSPEnabled.value);
-
-    if (called_by == 0) {
-      // the radio button changed, or we init the stored value from prefs
-      enableOCSPBox.checked = (OCSPPrefValue != 0);
-    }
-    else {
-      // the user toggled the checkbox to enable/disable OCSP
-      var new_val = 0;
-      if (enableOCSPBox.checked) {
-        // now enabled. if we have a cached radio val, restore it.
-        // if not, use the first setting
-        new_val = (this._cacheRadio > 0) ? this._cacheRadio : 1;
-      }
-      else {
-        // now disabled. remember current value
-        this._cacheRadio = OCSPPrefValue;
-      }
-      securityOCSPEnabled.value = OCSPPrefValue = new_val;
+    if (called_by) {
+      securityOCSPEnabled.value = enableOCSP.checked ? 1 : 0
+    } else {
+      enableOCSP.checked = parseInt(securityOCSPEnabled.value) != 0;
     }
 
-    certOCSP.disabled = (OCSPPrefValue == 0);
-    proxyOCSP.disabled = (OCSPPrefValue == 0);
-    signingCA.disabled = serviceURL.disabled = OCSPPrefValue == 0 || OCSPPrefValue == 1;
-    requireWorkingOCSP.disabled = (OCSPPrefValue == 0);
-    
+    requireOCSP.disabled = !enableOCSP.checked;
     return undefined;
-  },
-  
-  chooseServiceURL: function ()
-  {
-    var signingCA = document.getElementById("signingCA");
-    var serviceURL = document.getElementById("serviceURL");
-    var CA = signingCA.value;
-    
-    const nsIOCSPResponder = Components.interfaces.nsIOCSPResponder;
-    for (var i = 0; i < this._OCSPResponders.length; ++i) {
-      var ocspEntry = this._OCSPResponders.queryElementAt(i, nsIOCSPResponder);
-      if (CA == ocspEntry.responseSigner) {
-        serviceURL.value = ocspEntry.serviceURL;
-        break;
-      }
-    }
   }
 };
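Review bot: In `_updateUI` the assignment `securityOCSPEnabled.value = enableOCSP.checked ? 1 : 0` is missing its terminating semicolon, and `parseInt(securityOCSPEnabled.value)` is called without a radix; `parseInt(securityOCSPEnabled.value, 10) != 0` states the intent. The `called_by` argument is an undocumented 0/1 switch, so a short comment on the function would help: `// called_by: 0 = sync the checkbox from the pref (pane load), 1 = the user toggled the checkbox`. A stored value that does not parse yields NaN, which compares unequal to 0 and shows the box as checked; that matches the non-zero-means-enabled rule in the nsNSSComponent.cpp hunk, but it is worth stating in the comment so the behaviour reads as deliberate.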
--- a/toolkit/mozapps/preferences/ocsp.xul
+++ b/toolkit/mozapps/preferences/ocsp.xul
@@ -13,59 +13,26 @@
   %ocspDTD;
 ]>
 
 <prefwindow id="OCSPDialog" type="child"
             xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
             dlgbuttons="accept,cancel"
             title="&ocspDialog.title;">
 
-  <prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog.init();">
+  <prefpane id="OCSPDialogPane" onpaneload="gOCSPDialog._updateUI(0)">
     <script type="application/javascript" src="chrome://mozapps/content/preferences/ocsp.js"/>
 
     <preferences>
       <preference id="security.OCSP.enabled"    name="security.OCSP.enabled"   type="int"/>
-      <preference id="security.OCSP.signingCA"  name="security.OCSP.signingCA" type="string"/>
-      <preference id="security.OCSP.URL"        name="security.OCSP.URL"       type="string"/>
       <preference id="security.OCSP.require"    name="security.OCSP.require"   type="bool"/>
     </preferences>
     
-    <checkbox id="enableOCSPBox" label="&enableOCSP.label;" accesskey="&enableOCSP.accesskey;"
-              oncommand="gOCSPDialog._updateUI(1);"/>
-    <radiogroup id="securityOCSPEnabled" preference="security.OCSP.enabled"
-                onsyncfrompreference="return gOCSPDialog._updateUI(0);"
-                class="indent">
-      <radio value="0" hidden="true"/>
-      <radio id="certOCSP" value="1" label="&certOCSP2.label;"
-             accesskey="&certOCSP2.accesskey;"/>
-      <radio id="proxyOCSP" value="2" label="&proxyOCSP2.label;"
-             accesskey="&proxyOCSP2.accesskey;"/>
-
-      <grid class="indent" flex="1">
-        <columns>
-          <column/>
-          <column flex="1"/>
-        </columns>
-          
-        <rows>
-          <row align="center">
-            <label value="&signingCA.label;" accesskey="&signingCA.accesskey;" control="signingCA"/>
-            <hbox id="signingCABox" flex="1">
-              <menulist id="signingCA" flex="1"
-                        preference="security.OCSP.signingCA"
-                        oncommand="gOCSPDialog.chooseServiceURL()">
-                <menupopup/>
-              </menulist>
-            </hbox>            
-          </row>
-          <row align="center">
-            <label value="&serviceURL.label;" accesskey="&serviceURL.accesskey;" control="serviceURL"/>
-            <textbox id="serviceURL" preference="security.OCSP.URL"/>
-          </row>
-        </rows>
-      </grid>
-    </radiogroup>
-    <separator class="thin"/>
-    <checkbox id="requireWorkingOCSP" preference="security.OCSP.require" 
+    <checkbox id="enableOCSP"
+              label="&enableOCSP.label;"
+              accesskey="&enableOCSP.accesskey;"
+              oncommand="gOCSPDialog._updateUI(1)"/>
+    <checkbox id="requireOCSP"
+              preference="security.OCSP.require"
               label="&requireOCSP.label;"
               accesskey="&requireOCSP.accesskey;"/>
   </prefpane>
 </prefwindow>
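Review bot: The `enableOCSP` checkbox is tied to `security.OCSP.enabled` by hand (`onpaneload` plus `oncommand`), while the `requireOCSP` checkbox right below it uses the `preference` binding, so the enable box appears to be synchronised from the pref only once, at pane load. The removed radiogroup used `onsyncfrompreference` for this; keeping a binding on the checkbox, with handlers converting between the int pref and the checked state, would keep the two controls consistent, e.g. `preference="security.OCSP.enabled"` together with `onsyncfrompreference`/`onsynctopreference`. The markup also calls the underscore-prefixed `_updateUI` directly, which reads as a private member; a public entry point would be clearer. The top of the file lies outside this hunk, so this is based on the visible part only.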