CA:MaintenanceAndEnforcement: Difference between revisions

Line 113: Line 113:
#* As per [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] a security concern may be reported by sending email to [mailto:security@mozilla.org security@mozilla.org] or by [https://bugzilla.mozilla.org/enter_bug.cgi?alias=&product=Core&component=Security&bug_severity=critical filing a bug.]  
#* As per [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs] a security concern may be reported by sending email to [mailto:security@mozilla.org security@mozilla.org] or by [https://bugzilla.mozilla.org/enter_bug.cgi?alias=&product=Core&component=Security&bug_severity=critical filing a bug.]  
# Decide on course of action
# Decide on course of action
#* Depending on the situation, discussion to determine the course of action may occur in security-group@mozilla.com and/or in mozilla.dev.security.group.  
#* Depending on the situation, discussion to determine the course of action may occur in security-group@mozilla.com email list and/or in the mozilla.dev.security.policy forum.
#* The bug will be updated to indicate corresponding decisions.
#* The bug will be updated to indicate corresponding decisions.
# Implement Code Change
# Implement Code Change
#* If it is determined that a certificate needs to be actively distrusted, then the following will be done.
#* If it is determined that a certificate needs to be actively distrusted, then the following will be done.
#** Update NSS by adding a new entry to the built-in root cert list, which takes away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Currently Active Distrust is done by using a combination of the certificate Serial Number and Issuer (the entire certificate is not needed).  
#** Update NSS by adding a new entry to the built-in root cert list, to take away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Currently Active Distrust is done by using a combination of the certificate Serial Number and Issuer (the entire certificate is not needed).  
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain.
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain.
# Test
# Test
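Review bot: The revised "Decide on course of action" bullet still opens with "Depending on the situation" without saying what decides between the security-group@mozilla.com email list and the mozilla.dev.security.policy forum. State the criterion so a reader knows which venue applies to which kind of case, especially since this revision changes the venue name from mozilla.dev.security.group to mozilla.dev.security.policy. In the Active Distrust bullet, "the built-in root cert list, to take away trust" reads more cleanly without the comma.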
Line 124: Line 124:
# Release
# Release
#* NSS security update, or new version of NSS roots module can be released independently.
#* NSS security update, or new version of NSS roots module can be released independently.
#* Firefox chemspill update; e.g. new version of Firefox with the NSS update. Some Linux users of Firefox use their OS version of NSS, so they would have to make sure that they pick up the new version of NSS.
#* Firefox chemspill update, which is an off-schedule release that addresses live security vulnerabilities. Some Linux users of Firefox use their OS version of NSS, so they would have to make sure that they pick up the new version of NSS.
# Communication / Announcements
# Communication / Announcements
#* Posting announcement in mozilla.dev.security.policy  
#* Announcement in mozilla.dev.security.policy  
#* If the Active Distrust is the result of a security incident, then Redhat Security Response team triggers creation of a [http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures CVE (security incident number)] and references the new version of NSS or root module.  
#* If the Active Distrust is the result of a security incident, then Redhat Security Response team triggers creation of a [http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures CVE (security incident number)] and references the new version of NSS or root module.  
#* May send an email communication to all CAs, depending on situation.
#* May send an email communication to all CAs, depending on situation.
#* May post in [http://blog.mozilla.org/security/ Mozilla security blog,] depending on situation.
#* May post in [http://blog.mozilla.org/security/ Mozilla security blog,] depending on situation.
# Result
# Result
#* When a certificate is distrusted, users will get an error message when they try to browse to a website that uses (or chains up to) the certificate.
#* Users will get an error message when they try to browse to a website that uses (or chains up to) the Actively Distrusted certificate.
#* The Certificate Manager displays the Actively Distrusted certificate in the same manner as other certificates, and the trust bits may be manually turned on by users.
#* The Certificate Manager displays the Actively Distrusted certificate in the same manner as other certificates, and the trust bits may be manually turned on by users.
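Review bot: The rewritten chemspill bullet under "Release" defines the term but drops "new version of Firefox with the NSS update", so it no longer says that the off-schedule Firefox release carries the updated NSS, which is what the next sentence about Linux users relying on their OS version of NSS depends on. Suggest keeping both, for example "Firefox chemspill update, an off-schedule release that addresses live security vulnerabilities, shipping the NSS update." The announcement bullet also lost its verb, while the neighbouring bullets ("May send", "May post") keep theirs.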

