CA:ImprovingRevocation: Difference between revisions

Updated to match current process
m (added link to NSS product in bugzilla)
(Updated to match current process)
Line 99: Line 99:
Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a revocation list of intermediate certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.  
Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a revocation list of intermediate certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.  


We encourage CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates)
Further information about revoked intermediate certificates: [[CA:RevokedSubCAcerts|https://wiki.mozilla.org/CA:RevokedSubCAcerts]]


* Discussion: [https://groups.google.com/d/msg/mozilla.dev.security.policy/cNd16FZz6S8/t3GwjaFXx-kJ mozilla.dev.security.policy]
* Discussion: [https://groups.google.com/d/msg/mozilla.dev.security.policy/cNd16FZz6S8/t3GwjaFXx-kJ mozilla.dev.security.policy]
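Review bot: The new line replaces the Bugzilla filing instructions with `[[CA:RevokedSubCAcerts|https://wiki.mozilla.org/CA:RevokedSubCAcerts]]`, whose pipe text is a raw URL rather than a page title; an internal link reads better as `[[CA:RevokedSubCAcerts]]` or with a descriptive label such as "revoked intermediate certificates". The removed paragraph also asked CAs to send previously revoked intermediate certificates (the bootstrapping request); if that request still applies, the linked page should carry it, because after this change the section no longer says where previously revoked certificates go.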
Line 105: Line 105:
* Code Change: {{Bug|1024809}}
* Code Change: {{Bug|1024809}}


* Dependencies:  
* Policy Change:
** This will require a bootstrapping effort where we ask all CAs to provide us with a comprehensive list previous relevant revocations.  
** https://wiki.mozilla.org/CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce
** Will require a notification mechanism for CAs to inform us of which certs to add to the revocation list.
** https://github.com/mozilla/pkipolicy/issues/48
** In the short term, we will (probably) respond to the revocation notification by issuing a browser security update that contains the updated list of revoked certificates. In the long term, we may have a lighter-weight mechanism for updating the browser with updated revocation information, similar to Google's CRLSet mechanism.
 
* Policy Change: To be discussed and proposed in the mozilla.dev.security.policy forum.


==== When To Notify Mozilla ====
==== When To Notify Mozilla ====
We encourage CAs to notify us of all revoked intermediate certificates chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]] that are revoked before the certificate has expired.
CAs must notify Mozilla of all revoked non-technically-constrained intermediate certificates chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]] that are revoked before the certificate has expired.


When a CA revokes an intermediate certificate chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]], the CA '''must''' notify Mozilla if the certificate was revoked for one or more of the following reasons. '''Time Frame''' for such notification: within 24 hours of revocation of the intermediate certificate  
When a CA revokes an intermediate certificate chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]], the CA '''must''' notify Mozilla if the certificate was revoked for one or more of the following reasons. '''Time Frame''' for such notification: within 24 hours of revocation of the intermediate certificate  
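Review bot: The "When To Notify Mozilla" change tightens "We encourage CAs to notify us of all revoked intermediate certificates" to "CAs must notify Mozilla of all revoked non-technically-constrained intermediate certificates", but the unchanged paragraph that follows still says the CA '''must''' notify Mozilla "if the certificate was revoked for one or more of the following reasons" with a 24-hour time frame, so a reader cannot tell whether notification is required for every such revocation or only for the listed reasons, and whether the 24-hour window applies to both. Suggest stating explicitly that all non-technically-constrained intermediate revocations must be reported and that the listed reasons carry the 24-hour deadline, and linking "non-technically-constrained" to its definition. Earlier in this hunk, the "Policy Change" bullet lists bare URLs (the Salesforce data-entry section and pkipolicy issue 48) where the "Dependencies" items had one-line descriptions; a short label on each URL would keep the list readable.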
Line 135: Line 132:
'''How to''' notify Mozilla of a revocation  
'''How to''' notify Mozilla of a revocation  
* If the revocation is due to a security concern or of revocation of a website certificate whose revocation was not prompted by the certificate owner, send email to security@mozilla.org.  
* If the revocation is due to a security concern or of revocation of a website certificate whose revocation was not prompted by the certificate owner, send email to security@mozilla.org.  
* To notify us of an intermediate certificate revocation, submit a bug report into the [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS mozilla.org Bugzilla system], filed against the "CA Certificates" component of the "NSS" product. Whenever possible, the CA should send us the revoked certificate itself, along with the rfc5280 revocation reason code. If the CA cannot send us the revoked  certificate, then the information listed below will be needed. 
* Otherwise, enter the data about the revoked intermediate certificate into the [[CA:SalesforceCommunity#Add_Revoked_Intermediate_Certificate_Data_to_Salesforce|Common CA Database]].
** Serial number of the revoked certificate
** Link to the OCSP response for that serial number
** Link to the CRL that contains that serial number
** notAfter date of the revoked certificate
** rfc5280 revocation reason code
 
* Process Change: To be determined, but may include changes to the Inclusion Process, and EV treatment (maybe EV treatment is only granted when the CA is providing this information?)


=== OCSP GET ===
=== OCSP GET ===
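Review bot: The replacement bullet "Otherwise, enter the data about the revoked intermediate certificate into the Common CA Database" drops the removed text's request to supply the revoked certificate itself whenever possible; since the field list that follows (serial number, OCSP and CRL links, notAfter date, rfc5280 reason code) is what a CA falls back to when it cannot send the certificate, consider keeping "the revoked certificate itself" as the first item so the preferred data is still named. "Otherwise" also leaves unclear whether a security-related revocation reported to security@mozilla.org should additionally be entered in the CCADB; one clause saying whether both steps apply would remove the ambiguity.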