Confirm, administrator
5,526
edits
Changes
Created page with "{{FeatureStatus |Feature name=Browser CRL |Feature stage=Draft |Feature status=In progress |Feature health=OK }} {{FeatureTeam |Feature product manager=SId Stamm |Feature feat..."
{{FeatureStatus
|Feature name=Browser CRL
|Feature stage=Draft
|Feature status=In progress
|Feature health=OK
}}
{{FeatureTeam
|Feature product manager=SId Stamm
|Feature feature manager=David Keeler
|Feature lead engineer=David Keeler
|Feature security lead=Curtis Koenig
|Feature privacy lead=Sid Stamm
}}
{{FeaturePageBody
|Feature overview=Implement a revocation list push mechanism in Firefox, which will push revocation lists of certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This will improve security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.
We should be able to use this revocation push mechanism to quickly revoke (distrust) root certificates, intermediate certificates, and end-entity certificates.
Every time we have to distrust a certificate for any reason (such as a security compromise or an instance of MITM) we either have to create an emergency update or quickly get it into an upcoming release (when the timing works in our favor and allows us to do so). We need to make it less costly, easier, and faster to distrust certificates.
When a CA revokes an intermediate certificate due to a security concern, Mozilla should give an Untrusted Connection error for websites with certs signed by the revoked intermediate certificate.
https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates
When a CA revokes an end-entity certificate due to a security concern, Mozilla should give an Untrusted Connection error for websites with that SSL certs.
https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Certain_End-Entity_Certificates
|Feature users and use cases=There are currently three use cases this feature addresses:
# A CA is no longer trusted (in its entirety), so needs to be treated as revoked.
# A CA's intermediate certificate is no longer trusted, so needs to be treated as revoked.
# The key of an end-entity certificate belonging to a high-profile entity is compromised (e.g. a bank, government, etc.), so needs to be treated as revoked.
Instead of spinning up and releasing a binary update, we simply add entries as appropriate to the Browser CRL. Next time the user's browser pings us for updates, we ship them the new Browser CRL and the changes instantly take effect.
|Feature requirements=# The ability to revoked (and treat as revoked) root certificates, intermediate certificates, and end-entity certificates.
# The ability to use specific keys to identify which certificates to treat as revoked.
# The ability to undo a block should one be applied erroneously
'''Non-goals'''
This will not serve the same purpose as shipping a white-list of all intermediate certificates, which is another proposal under discussion.
This does not solve revocation in general. We will not add Joe Schmoe's compromised server certificate to the blocklist.
|Feature ux design=There should not be any UX changes.
|Feature implementation plan=Previously this feature request was called "Cert BLocklist via Update Ping"
https://wiki.mozilla.org/Security/Features/Cert_Blocklist_via_Update_Ping
It was originally thought that the easiest way to implement this feature would be to piggyback on the blocklist. Whoever works on creating this Browser CRL feature should consider that, as well as other implementation strategies.
}}
{{FeatureInfo
|Feature priority=P2
|Feature rank=999
|Feature theme=Product Hardening
|Feature roadmap=Security
|Feature secondary roadmap=Platform
|Feature engineering team=Security
}}
{{FeatureTeamStatus}}
|Feature name=Browser CRL
|Feature stage=Draft
|Feature status=In progress
|Feature health=OK
}}
{{FeatureTeam
|Feature product manager=SId Stamm
|Feature feature manager=David Keeler
|Feature lead engineer=David Keeler
|Feature security lead=Curtis Koenig
|Feature privacy lead=Sid Stamm
}}
{{FeaturePageBody
|Feature overview=Implement a revocation list push mechanism in Firefox, which will push revocation lists of certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This will improve security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker.
We should be able to use this revocation push mechanism to quickly revoke (distrust) root certificates, intermediate certificates, and end-entity certificates.
Every time we have to distrust a certificate for any reason (such as a security compromise or an instance of MITM) we either have to create an emergency update or quickly get it into an upcoming release (when the timing works in our favor and allows us to do so). We need to make it less costly, easier, and faster to distrust certificates.
When a CA revokes an intermediate certificate due to a security concern, Mozilla should give an Untrusted Connection error for websites with certs signed by the revoked intermediate certificate.
https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates
When a CA revokes an end-entity certificate due to a security concern, Mozilla should give an Untrusted Connection error for websites with that SSL certs.
https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Certain_End-Entity_Certificates
|Feature users and use cases=There are currently three use cases this feature addresses:
# A CA is no longer trusted (in its entirety), so needs to be treated as revoked.
# A CA's intermediate certificate is no longer trusted, so needs to be treated as revoked.
# The key of an end-entity certificate belonging to a high-profile entity is compromised (e.g. a bank, government, etc.), so needs to be treated as revoked.
Instead of spinning up and releasing a binary update, we simply add entries as appropriate to the Browser CRL. Next time the user's browser pings us for updates, we ship them the new Browser CRL and the changes instantly take effect.
|Feature requirements=# The ability to revoked (and treat as revoked) root certificates, intermediate certificates, and end-entity certificates.
# The ability to use specific keys to identify which certificates to treat as revoked.
# The ability to undo a block should one be applied erroneously
'''Non-goals'''
This will not serve the same purpose as shipping a white-list of all intermediate certificates, which is another proposal under discussion.
This does not solve revocation in general. We will not add Joe Schmoe's compromised server certificate to the blocklist.
|Feature ux design=There should not be any UX changes.
|Feature implementation plan=Previously this feature request was called "Cert BLocklist via Update Ping"
https://wiki.mozilla.org/Security/Features/Cert_Blocklist_via_Update_Ping
It was originally thought that the easiest way to implement this feature would be to piggyback on the blocklist. Whoever works on creating this Browser CRL feature should consider that, as well as other implementation strategies.
}}
{{FeatureInfo
|Feature priority=P2
|Feature rank=999
|Feature theme=Product Hardening
|Feature roadmap=Security
|Feature secondary roadmap=Platform
|Feature engineering team=Security
}}
{{FeatureTeamStatus}}
