m (→Concerns) |
|||
| Line 102: | Line 102: | ||
#* The bug will be updated to indicate corresponding decisions. | #* The bug will be updated to indicate corresponding decisions. | ||
# Implement Code Change | # Implement Code Change | ||
#* If it is determined that a certificate needs to be actively distrusted, then the following will be done. | #* Add the corresponding intermediate or end-entity certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL]. | ||
#* If it is determined that a certificate needs to be actively distrusted in NSS, then the following will also be done. | |||
#** Update NSS by adding a new entry to the built-in root cert list, to take away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Active Distrust does not require the entire certificate, because it may be done with a combination of the certificate Serial Number and Issuer. Note: The built-in cert list has two types of entries; cert entries and trust entries. A (dis)trust entry can be added without adding a corresponding cert entry. | #** Update NSS by adding a new entry to the built-in root cert list, to take away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Active Distrust does not require the entire certificate, because it may be done with a combination of the certificate Serial Number and Issuer. Note: The built-in cert list has two types of entries; cert entries and trust entries. A (dis)trust entry can be added without adding a corresponding cert entry. | ||
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain. | #** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain. | ||
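Review bot: The new OneCRL step under "Implement Code Change" covers only "intermediate or end-entity certificates", while the cross-signing caveat in the last bullet is still scoped to "the change to the built-in root cert list". Suggest stating whether a cross-signed copy of the certificate also gets its own OneCRL entry, so the two distrust mechanisms do not diverge when a cross-sign exists. The wording could also be made consistent: the new step says "end-entity" where the Active Distrust bullet says "leaf", and the new "actively distrusted in NSS" line is lowercase where the rest of the section capitalises "Actively Distrusted".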