CA:SalesforceCommunity: Difference between revisions

Older revision: m (Clarification about PEM data)
Newer revision: (Updated to match current process)

Line 233:
Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a [[CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates|revocation list of intermediate certificates]] to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.  


Older revision: If the revocation of an intermediate certificate is due to a security concern, send email to security@mozilla.org. Otherwise, currently the way to notify Mozilla of an intermediate certificate revocation is to [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates submit a bug report] into the mozilla.org Bugzilla system.

Newer revision: If the revocation of an intermediate certificate is due to a security concern, send email to security@mozilla.org. Otherwise, enter the revoked intermediate certificate information into the CCADB as described below. A Mozilla representative will then verify the revoked intermediate certificate data and update the 'OneCRL Status' to "Ready to Add". A Mozilla process will then cause the revoked intermediate certificate data to be added to OneCRL. The Mozilla representative will follow up to ensure the data has been added to OneCRL, and then will update the record in the CCADB to change the 'OneCRL Status' to "Added to OneCRL".


Older revision: In the future we plan to use the CCADB to track revocation of intermediate certificates. We plan to provide an automated system that will verify the revocation and take the appropriate action to get the intermediate certificate added to OneCRL. For now we ask CAs to provide both a Bugzilla Bug and enter the data into Salesforce.

The best way to add revoked intermediate certificate data to Salesforce is to first add the [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|intermediate certificate record]], and then mark the record as Revoked. This is the way all intermediate certificate revocations must be entered unless the certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.

Newer revision: The best way to add revoked intermediate certificate data to the CCADB is to first add the [[CA:SalesforceCommunity#Add_Intermediate_Certificate_Data_to_Salesforce|intermediate certificate record]], and then mark the record as Revoked. This is the way all intermediate certificate revocations must be entered unless the certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings.


To add a revoked intermediate certificate, or to mark an intermediate certificate in an existing record as revoked:
Line 250 (older revision) / Line 248 (newer revision):
# Click on "Edit"
# Click on the "Revocation Status" field and select "Revoked".
#* (Newer revision adds:) Do NOT select "Verified" or "Added to OneCRL", because we will use those status options to indicate progress on getting the data into OneCRL.
# Enter the "Date of Revocation"
# Click on the "RFC 5280 Revocation Reason Code" field and select the corresponding revocation reason.
# Click on the "Save" button


Older revision: If the revoked intermediate certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings, but you would still like to add it to OneCRL and you are unable to provide the PEM data for the certificate, then send email to Kathleen with the following information:
* Certificate Issuer Field
* Certificate Subject Field
* Certificate Serial Number
* OCSP URL linking to the OCSP response for that serial number
* CRL URL linking to the CRL that contains that serial number
* Valid To (GMT) -- notAfter date of the revoked certificate

Newer revision: If the revoked intermediate certificate was [[CA:CertificatePolicyV2.1#Technical_Constraints_or_Auditing.2FDisclosure_of_Intermediate_Certificates|Technically Constrained]] via Extended Key Usage and Name Constraint settings, but you would still like to add it to OneCRL and you are unable to provide the PEM data for the certificate, then you can add the data about the revoked intermediate certificate as follows.
# Find the root certificate that signed the intermediate certificate
#* Type the name of your CA or the name of the root certificate into the Search bar at the top of the window. Click on the name of the root certificate to open the record.
#* Or click on the "CA Owners/Certificates" tab, then in "View:" select "Community User's CA Owners/Certificates" and click on "Go!". Click on the name of the root certificate to open the record.
# Click on the "New Intermediate Cert" button.
# Click on the "Edit" button.
# Click on the "Revocation Status" field and select "Revoked".
# Enter the "Date of Revocation"
# Click on the "RFC 5280 Revocation Reason Code" field and select the corresponding revocation reason.
# In the "CA Owner/Certificate Name" field enter a name that we can use in Salesforce to identify the revoked certificate.
#* Copy-and-paste the same name into the "Certificate Subject Common Name" field.
# Copy-and-paste the text in the "Parent CA Owner/Certificate" field into the "Certificate Issuer Common Name" field.
# Enter the following additional information:
#* Certificate Serial Number
#* OCSP URL linking to the OCSP response for that serial number
#* CRL URL linking to the CRL that contains that serial number
#* Valid To (GMT) -- notAfter date of the revoked certificate
# Click the "Save" button.
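Added example (not part of this wiki page, the CCADB, or any Mozilla tooling): when the PEM data is available, the record fields listed above (issuer, subject, serial number, OCSP URL, CRL URL, notAfter) can be read straight from the certificate instead of being retyped, and the CRL named in the record can be checked to confirm it actually lists the serial and carries the RFC 5280 reason code before the record is saved. The Go program below does both using only the standard library. The root, intermediate, CRL, CA names and URLs it builds are constructed sample values; the uppercase hex serial and RFC 3339 timestamp formats are this example's own choices, not a CCADB requirement. It needs Go 1.21 or later for `RevokedCertificateEntries`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Record mirrors the form fields. Uppercase hex for the serial and RFC 3339 UTC for
// "Valid To (GMT)" are this example's own formatting choices, not a CCADB requirement.
type Record struct {
	IssuerCN, SubjectCN, SerialHex, OCSPURL, CRLURL, ValidToGMT string
}

// RecordFromPEM reads the form values out of one PEM certificate rather than having them retyped by hand.
func RecordFromPEM(pemData []byte) (Record, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return Record{}, fmt.Errorf("no CERTIFICATE block found in PEM data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Record{}, err
	}
	r := Record{
		IssuerCN:   cert.Issuer.CommonName,
		SubjectCN:  cert.Subject.CommonName,
		SerialHex:  fmt.Sprintf("%X", cert.SerialNumber),
		ValidToGMT: cert.NotAfter.UTC().Format(time.RFC3339),
	}
	if len(cert.OCSPServer) > 0 { // first OCSP URI from the Authority Information Access extension
		r.OCSPURL = cert.OCSPServer[0]
	}
	if len(cert.CRLDistributionPoints) > 0 { // first CRL distribution point URI
		r.CRLURL = cert.CRLDistributionPoints[0]
	}
	return r, nil
}

// LookupInCRL confirms that a DER-encoded CRL really lists the serial before its URL is
// submitted, returning the entry's revocation time and RFC 5280 reasonCode (0 if none).
func LookupInCRL(crlDER []byte, serial *big.Int) (found bool, revokedAt time.Time, reason int, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, time.Time{}, 0, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.RevocationTime, e.ReasonCode, nil
		}
	}
	return false, time.Time{}, 0, nil
}

// check panics on error; acceptable here because it only guards sample-data construction.
func check[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildSample generates, in memory only, a throwaway root, an intermediate it issued, and a root
// CRL revoking that intermediate with reasonCode 5 (cessationOfOperation). Names and URLs are constructed.
func BuildSample() (interPEM, crlDER []byte, serial *big.Int) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	interPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	// The parsed form carries the RawSubject and SubjectKeyId that CRL signing needs.
	root := check(x509.ParseCertificate(check(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, rootPub, rootKey))))
	serial = big.NewInt(0x1A2B3C)
	interTpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: "Example Sub CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		OCSPServer: []string{"http://ocsp.example.com"}, CRLDistributionPoints: []string{"http://crl.example.com/root.crl"}}
	interDER := check(x509.CreateCertificate(rand.Reader, interTpl, root, interPub, rootKey))
	interPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: interDER})
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: serial, RevocationTime: now, ReasonCode: 5}}}
	crlDER = check(x509.CreateRevocationList(rand.Reader, crlTpl, root, rootKey))
	return interPEM, crlDER, serial
}

func main() {
	interPEM, crlDER, serial := BuildSample()
	rec := check(RecordFromPEM(interPEM))
	found, at, reason, _ := LookupInCRL(crlDER, serial)
	fmt.Printf("%+v\nlisted in CRL: %v, revoked %s, reason code %d\n", rec, found, at.UTC().Format(time.RFC3339), reason)
}
```

In practice the CRL bytes would be fetched from the certificate's own CRL distribution point and the PEM would be the real intermediate; the point of `LookupInCRL` is that a record whose CRL URL does not actually contain the serial, or whose reason code differs from the one entered in the form, gets caught before it is submitted.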


= Required Annual Updates =