| Line 97: | Line 97: | ||
Push revocation information of revoked intermediate CA certificates to clients. | Push revocation information of revoked intermediate CA certificates to clients. | ||
Mozilla has implemented a revocation list push mechanism in Firefox called [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], which pushes a revocation list of intermediate certificates to Firefox browsers on a regular basis, asynchronously and independently of any SSL site visit. This improves security by ensuring the browser has a comprehensive list of revocations in a manner that is not likely to be blocked by a network attacker. | |||
We encourage CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates) | We encourage CAs to start participating in this effort now by sending Mozilla previously revoked intermediate certificates by submitting a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. (https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificates) | ||
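Review bot: the added OneCRL paragraph does not say what a CA has to put in the Bugzilla report for a revoked intermediate to be picked up by the push list; the next sentence only says to send "previously revoked intermediate certificates" as a bug against NSS / CA Certificates. State whether the full certificate (e.g. PEM) or the issuer name plus serial number is expected, and whether Mozilla checks the revocation against the CA's published CRL before pushing it, otherwise CAs will file incomplete reports and the list will lag behind actual revocations.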
| Line 113: | Line 113: | ||
'''When''' To Notify Mozilla: | '''When''' To Notify Mozilla: | ||
We encourage CAs to notify us of all revoked intermediate certificates chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]] that are revoked before the certificate has expired. | |||
When a CA revokes an intermediate certificate chaining to a root certificate included in [[CA:IncludedCAs|Mozilla's root store]], the CA '''must''' notify Mozilla if the certificate was revoked for one or more of the following reasons. '''Time Frame''' for such notification: within 24 hours of revocation of the intermediate certificate | |||
* Technical Issue - There is a problem with the intermediate certificate such that the certificate may be inappropriately used. This includes, but is not limited to, wrong key usage, incorrect name constraints, etc. | * Technical Issue - There is a problem with the intermediate certificate such that the certificate may be inappropriately used. This includes, but is not limited to, wrong key usage, incorrect name constraints, etc. | ||
* An externally-operated subordinate CA certificate has been revoked or replaced (for any reason) before it has expired. | * Cessation of business operation - An externally-operated subordinate CA certificate has been revoked or replaced (for any reason) before it has expired. | ||
* According to [http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf NIST IR 7924] a Trust Anchor Manager (TAM) is an Authority who manages a repository of trusted Root CA Certificates. As specified in Section 5.7, the TAM will require the CA to provide notification when: | * According to [http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf NIST IR 7924] a Trust Anchor Manager (TAM) is an Authority who manages a repository of trusted Root CA Certificates. As specified in Section 5.7, the TAM will require the CA to provide notification when: | ||
** Root CA compromise -- Compromise of CA private signing key (Notification shall be made in an authenticated and trusted manner... earliest feasible time and shall not exceed <24> hours beyond determination of compromise or loss unless otherwise required by law enforcement) | ** Root CA compromise -- Compromise of CA private signing key (Notification shall be made in an authenticated and trusted manner... earliest feasible time and shall not exceed <24> hours beyond determination of compromise or loss unless otherwise required by law enforcement) | ||
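Review bot: the new "Cessation of business operation" label on the externally-operated subordinate CA bullet contradicts the bullet's own text, which still says "revoked or replaced (for any reason)"; either keep the bullet unlabelled as it was, or split it so that cessation of business is one reason and any other revocation or replacement of an externally-operated sub-CA is a separate one. Also, the added "within 24 hours of revocation" time frame sits directly above the NIST IR 7924 sub-bullet that still shows "<24> hours" in angle brackets, which reads as an unfilled template value copied from the draft; write it as 24 hours if that is the intended figure so the two requirements visibly agree.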
| Line 141: | Line 143: | ||
* Process Change: To be determined, but may include changes to the Inclusion Process, and EV treatment (maybe EV treatment is only granted when the CA is providing this information?) | * Process Change: To be determined, but may include changes to the Inclusion Process, and EV treatment (maybe EV treatment is only granted when the CA is providing this information?) | ||
=== OCSP GET === | === OCSP GET === | ||