Line 56: | Line 56: | ||
'''Problem:''' MD5-based certs issued | '''Problem:''' MD5-based certs issued | ||
* Prevention: Don't accept MD5-based certs. {{bug|650355}}, in Firefox 16. | * Prevention: Don't accept MD5-based certs. {{bug|650355}}, in Firefox 16. | ||
'''Problem:''' Cert issued with weak RSA key | '''Problem:''' Cert issued with weak RSA key | ||
* Prevention: Don't accept certs signed with weak RSA keys. {{bug|360126}}, needs to be implemented. | * Prevention: Don't accept certs signed with weak RSA keys. {{bug|360126}}, needs to be implemented. | ||
'''Problem:''' Cert issued without enough key usage info | '''Problem:''' Cert issued without enough key usage info | ||
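Review bot: the weak RSA key item leaves "weak" undefined, so a reader cannot tell which certificates the prevention would reject. State the minimum modulus size the check is meant to enforce. Also, "needs to be implemented" gives no target release, whereas the MD5 item above names Firefox 16. Either add the target or say that none is scheduled. The prevention text says "certs signed with weak RSA keys" while the problem line says "Cert issued with weak RSA key". Clarify whether the check covers the issuer's signing key, the certificate's own key, or both.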
Line 75: | Line 73: | ||
'''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | '''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | ||
* Minimum Response: Actively distrust the intermediate certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting the root certificate that the mis-issued certificates chain up to. | * Minimum Response: Actively distrust the intermediate certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA. | ||
'''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates | '''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates |
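Review bot: the added clause "or all of the root certificates owned by that CA" extends the escalation path under "Minimum Response", but the only trigger given is "Depending on the situation". With three possible outcomes now (intermediates, the one root, every root the CA owns), the entry should state which conditions move the response from one level to the next. It would also help to split the sentence so the mandatory minimum (distrust the intermediates and push an update) is clearly separated from the optional escalations, since the latter are not a minimum.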