CA:EV Revocation Checking: Difference between revisions

From MozillaWiki
== EV certificates and revocation checking ==
(The current revision of this page is a redirect to [[CA/EV_Processing_for_CAs]]; the earlier content of the page follows.)
 
When a site presents an Extended Validation (EV) certificate to Firefox 3, the UI displayed to the user depends on the type and results of the revocation checking in effect for that certificate. This page attempts to clarify the rules for the various possible cases. (See [https://bugzilla.mozilla.org/show_bug.cgi?id=405139 bug 405139] for the original motivation.)
 
===Introduction===
 
In order to inform the user about the status of a connection to a web site, Firefox 3 introduces new user interface elements that display identity information. When a connection to a valid EV site is active, a green area is displayed to the left of the address bar, showing the company name and country of the web site owner. For the remainder of this page these user interface elements are referred to as "EV identity indicators".
 
Firefox 3 will include a list of root certificates that have been explicitly approved by Mozilla.org for EV status, each associated with an EV policy OID. This list is in addition to the root certificates used for classic SSL verification (also called Domain Validation or DV).
 
===Requirements===
 
In order to see the EV identity indicators in the Firefox user interface (UI), the SSL connection to the server and the certificates involved must pass many checks. ALL of the following are required.
 
- EV happens on top of DV. As a precondition for EV, the server certificate must pass all the classic tests for SSL connections.
 
- The certificate verification engine (NSS) must be able to build a valid chain (the chain) from the server certificate to one of the EV-approved roots (the root) that ship with Firefox.
 
- The server certificate may contain one or more policy OIDs in its certificate policies extension, but exactly one of them must be an EV policy OID. A server certificate that contains multiple EV policy OIDs does not qualify.
 
- At a minimum, the chain consists of the root and the server certificate. In addition, the chain may contain zero or more intermediate certificates. If present, each intermediate certificate must implicitly or explicitly allow the EV policy OID listed in the server certificate.
 
- The server certificate must pass an explicit test for revocation.
 
- At this time NSS is not capable of downloading CRLs on demand.
 
- As a consequence of the above requirements and limitations, the server certificate must contain an Authority Information Access (AIA) extension that carries an OCSP URI using the http protocol. (Needs work; see [https://bugzilla.mozilla.org/show_bug.cgi?id=413997 bug 413997] under Open bugs below.)
 
- Firefox must be able to complete an OCSP request and response transaction with the given OCSP server. In other words, when the connection to the OCSP server fails, Firefox treats the server certificate as invalid for EV. (This applies to the first check of each server certificate in a Firefox session; Firefox uses volatile caching to reduce the number of OCSP transactions performed.)
 
- Firefox must be able to verify the received OCSP response. The response must confirm the server certificate is not revoked.
 
- OCSP must be enabled in the application (preference security.ocsp.enabled), which is the default configuration of Firefox.
 
===Irrelevant properties===

- It does not matter whether the root explicitly contains a policy extension with the associated policy OID. Why? It is expected that most roots will not contain it.
- It does not matter whether the certificate carries information about CRL download locations (CRL distribution points, CRLDP) for revocation checking. Why? The certificate verification engine (NSS) in Firefox is unable to download CRLs on demand, so Firefox does not rely on CRLs for EV revocation checking. Even if a server certificate contains a CRLDP, and even if a CRL is already available locally, NSS ignores it for its EV revocation tests. (This behavior may change in a future version of NSS and/or Firefox.)
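The requirements and the irrelevant properties above, written out as one decision procedure. This is an added example and not Firefox or NSS code: certificates are already-parsed records, the EV root table, the names, OIDs, URIs and the OCSP responder are constructed stand-ins so the code runs offline, "implicitly allow" is taken to mean "no certificate policies extension, or anyPolicy", the server certificate's EV OID is required to be the one associated with the root it chains to, only a verified "good" OCSP answer is cached for the session, and the missing-AIA case is implemented as the intended rejection (bug 413997 notes that Firefox 3 still passes it). All of these are this example's assumptions, not statements about NSS.

```python
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional, Tuple

ANY_POLICY = "2.5.29.32.0"  # anyPolicy (RFC 5280, 4.2.1.4)
# Stand-in for the EV root list built into Firefox 3 (root name -> EV policy OID); both entries constructed.
EV_ROOTS: Dict[str, str] = {"Example EV Root": "1.3.6.1.4.1.99999.1.1",
                            "Other EV Root": "1.3.6.1.4.1.99999.2.1"}

@dataclass
class Cert:  # an already-parsed certificate, reduced to what the EV rules look at
    subject: str
    issuer: str
    serial: int = 1
    policy_oids: Optional[List[str]] = None              # None: no certificatePolicies extension
    ocsp_uris: List[str] = field(default_factory=list)   # AIA id-ad-ocsp locations
    crldp_uris: List[str] = field(default_factory=list)  # CRLDP: never consulted for EV

@dataclass
class Verdict:
    ev: bool
    reason: str

OcspFetch = Callable[[str, Cert], str]  # "good"/"revoked"/"unknown"; raises OSError if unreachable

class EVChecker:
    def __init__(self, ocsp_fetch: OcspFetch, ocsp_enabled: bool = True):
        self._fetch = ocsp_fetch
        self.ocsp_enabled = ocsp_enabled              # models security.ocsp.enabled
        self._cache: Dict[Tuple[str, int], str] = {}  # volatile per-session OCSP cache
        self.transactions = 0                         # OCSP round trips actually made

    def check(self, chain: List[Cert], dv_valid: bool) -> Verdict:
        # chain[0] is the server cert, chain[-1] the root it chains to (found by DV), rest intermediates
        if not dv_valid:                              # EV happens on top of DV
            return Verdict(False, "fails classic (DV) SSL verification")
        server, intermediates, root = chain[0], chain[1:-1], chain[-1]
        if root.subject not in EV_ROOTS:
            return Verdict(False, "chain does not end at an EV-approved root")
        ev_oid = EV_ROOTS[root.subject]
        ev_oids = [o for o in (server.policy_oids or []) if o in EV_ROOTS.values()]
        if ev_oids != [ev_oid]:                       # exactly one EV OID, and the root's own
            return Verdict(False, f"server cert EV policy OIDs {ev_oids}, expected [{ev_oid!r}]")
        for ica in intermediates:                     # implicit (no extension / anyPolicy) or explicit
            if ica.policy_oids is not None and not {ev_oid, ANY_POLICY} & set(ica.policy_oids):
                return Verdict(False, f"intermediate {ica.subject!r} does not allow {ev_oid}")
        return self._ocsp_check(server, ev_oid)

    def _ocsp_check(self, server: Cert, ev_oid: str) -> Verdict:
        if not self.ocsp_enabled:
            return Verdict(False, "OCSP disabled (security.ocsp.enabled=false)")
        uris = [u for u in server.ocsp_uris if u.lower().startswith("http://")]  # CRLDP ignored
        if not uris:  # intended rule; bug 413997 reports that Firefox 3 still passes this case
            return Verdict(False, "no http OCSP URI in AIA (CRLDP is ignored for EV)")
        key = (server.issuer, server.serial)
        if key in self._cache:
            return Verdict(True, f"EV {ev_oid}; OCSP status cached: good")
        self.transactions += 1
        try:
            status = self._fetch(uris[0], server)
        except OSError as exc:                        # connection failure => not EV
            return Verdict(False, f"OCSP transaction failed ({exc}); not EV")
        if status != "good":
            return Verdict(False, f"OCSP status {status!r}; not EV")
        self._cache[key] = status                     # cache only a verified good answer
        return Verdict(True, f"EV {ev_oid}; OCSP status: good")

def build_chain(**server_overrides) -> List[Cert]:
    # constructed chain server -> intermediate -> EV root; overrides tweak the server cert
    server = Cert("www.example.test", "Example EV Intermediate", serial=4711,
                  policy_oids=["1.3.6.1.4.1.99999.1.1"],
                  ocsp_uris=["http://ocsp.example.test/"],
                  crldp_uris=["http://crl.example.test/ev.crl"])
    ica = Cert("Example EV Intermediate", "Example EV Root", policy_oids=[ANY_POLICY])
    return [replace(server, **server_overrides), ica, Cert("Example EV Root", "Example EV Root")]

def fake_responder(by_serial: Dict[int, str]) -> OcspFetch:
    # constructed OCSP responder keyed by serial; "down" simulates a failed connection
    def fetch(uri: str, cert: Cert) -> str:
        status = by_serial.get(cert.serial, "unknown")
        if status == "down":
            raise ConnectionError(f"cannot reach {uri}")
        return status
    return fetch

def demo() -> List[Verdict]:
    good = fake_responder({4711: "good"})
    two_ev_oids = ["1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.2.1"]
    return [
        EVChecker(good).check(build_chain(), dv_valid=True),                     # EV
        EVChecker(good).check(build_chain(policy_oids=two_ev_oids), True),       # two EV OIDs: no
        EVChecker(good).check(build_chain(ocsp_uris=[]), True),                  # no OCSP AIA: no
        EVChecker(fake_responder({4711: "down"})).check(build_chain(), True),    # responder down: no
        EVChecker(fake_responder({4711: "revoked"})).check(build_chain(), True), # revoked: no
        EVChecker(good, ocsp_enabled=False).check(build_chain(), True),          # OCSP off: no
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the first scenario in demo() yields the EV indicators; every other one falls back to plain DV treatment, including the case where the responder is simply unreachable. Running check() twice on the same EVChecker shows the session cache: the second call reports the cached "good" answer and transactions stays at 1.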
 
===Open bugs===
- A server certificate that lacks OCSP AIA information will pass the required OCSP test ([https://bugzilla.mozilla.org/show_bug.cgi?id=413997 bug 413997]).

Latest revision as of 21:02, 30 December 2021