Changes

CA/Required or Recommended Practices

2,811 bytes removed, 21:29, 3 May 2018
Cleaned up the OCSP section
OCSP responders should be set up to listen on a standard port (e.g. port 80), because firewalls may block ports other than 80/443. Firefox and some other clients do not work with HTTPS OCSP responders, and many firewalls block requests that aren't over port 80, so OCSP responders must be accessible over HTTP (not only HTTPS) on port 80.
Removed (previous revision):
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], the OCSP URI must be provided in the certificate, except when OCSP stapling is used. BR #13 (section 4.9.10 in BR version 1.3): "The CA SHALL support an Online Certificate Status Protocol (OCSP) capability using the GET method..." From Appendix B (section 7.1.2 in BR version 1.3) regarding authorityInformationAccess in Subordinate CA Certificate and Subscriber Certificate: "With the exception of stapling ... this extension MUST be present ... and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder..." As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Guidelines for EV Certs], CAs must provide an OCSP capability for end-entity certificates that are issued after Dec 31, 2010. Mozilla is considering technical ways to enforce this OCSP requirement such that if Firefox cannot obtain a valid response from the OCSP responder, then the certificate will not be given EV treatment. ({{Bug|585122}}) OCSP service for end-entity certs must be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days. RFC 2560, sections 2.2, 2.6, 3.2 and 4.2.2.2 define the requirements for the OCSP response signer's certificate and certificate chain. NSS enforces these requirements exactly.

Added (this revision):
As per the [https://www.cabforum.org/documents.html CA/Browser Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates], the:
# The OCSP URI must be provided in the certificate, except when OCSP stapling is used. (sections 7.1.2.2, 7.1.2.3)
# CAs SHALL update information provided via an Online Certificate Status Protocol (section 4.9.10)
# OCSP Responders SHALL NOT respond "Good" for Unissued Certificates. (section 4.9.10)
# OCSP Responses shall be updated at least every four days, and OCSP responses must have a maximum expiration time of ten days (section 4.9.10)
# CAs MUST NOT issue OCSP responder certificates using SHA-1 (section 7.1.3)
# OCSP responses MUST conform to RFC6960 and/or RFC5019 (section 4.9.9)
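An added example, not part of this wiki page and not code from Mozilla, NSS or any CA, of what the GET-method and plain-HTTP requirements above mean on the wire: it DER-encodes an unsigned OCSPRequest by hand (the structure RFC 6960 defines, with the SHA-1 CertID that RFC 5019 fixes), forms the URL that RFC 5019 section 2.1.1 specifies for HTTP GET, and checks that an AIA OCSP URL is plain HTTP on port 80 as the page requires. Only the Python standard library is used; the issuer name, issuer key and serial number are constructed sample values, and the function names are this example's own.

```python
import base64
import hashlib
import urllib.parse

# --- minimal DER encoder: only what an unsigned OCSPRequest needs ---

def der_length(n: int) -> bytes:
    """Definite-length form: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_sequence(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def der_octet_string(value: bytes) -> bytes:
    return der(0x04, value)

def der_integer(value: int) -> bytes:
    """Non-negative INTEGER, minimal two's-complement form (leading 0x00 when the high bit is set)."""
    length = (value.bit_length() + 8) // 8
    return der(0x02, value.to_bytes(length, "big"))

# AlgorithmIdentifier for id-sha1 (OID 1.3.14.3.2.26) with NULL parameters
SHA1_ALGORITHM_ID = der_sequence(bytes.fromhex("06052b0e03021a"), b"\x05\x00")

def build_ocsp_request(issuer_name_der: bytes, issuer_public_key_bits: bytes, serial: int) -> bytes:
    """
    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }            -- optionalSignature omitted
    TBSRequest  ::= SEQUENCE { requestList SEQUENCE OF Request }  -- version v0 is DEFAULT, so omitted
    Request     ::= SEQUENCE { reqCert CertID }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    RFC 5019 fixes the CertID hash algorithm to SHA-1; here it is only a lookup key, not a signature.
    issuer_public_key_bits is the content of the issuer's subjectPublicKey BIT STRING (tag, length
    and unused-bits byte excluded), which is how RFC 6960 section 4.1.1 defines issuerKeyHash.
    """
    cert_id = der_sequence(
        SHA1_ALGORITHM_ID,
        der_octet_string(hashlib.sha1(issuer_name_der).digest()),
        der_octet_string(hashlib.sha1(issuer_public_key_bits).digest()),
        der_integer(serial),
    )
    request_list = der_sequence(der_sequence(cert_id))
    tbs_request = der_sequence(request_list)
    return der_sequence(tbs_request)

def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """RFC 5019 section 2.1.1: GET {url}/{url-encoding of base-64 encoding of the DER OCSPRequest}.
    '+', '/' and '=' produced by base64 must be percent-encoded, hence safe=''."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

def decode_get_path(path_segment: str) -> bytes:
    """What a responder does with the last path segment; also confirms the encoding round-trips."""
    return base64.b64decode(urllib.parse.unquote(path_segment))

def aia_ocsp_url_is_acceptable(url: str) -> bool:
    """The page's deployment point: the AIA OCSP URL must be plain HTTP on port 80, because Firefox
    does not use HTTPS responders and firewalls often block other ports."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "http" and parts.port in (None, 80)

# Constructed sample inputs (not a real CA): an empty Name, a dummy key, an arbitrary serial.
SAMPLE_ISSUER_NAME_DER = der_sequence()
SAMPLE_ISSUER_KEY_BITS = bytes(range(64))
SAMPLE_SERIAL = 0x0A1B2C3D4E5F6071

if __name__ == "__main__":
    req = build_ocsp_request(SAMPLE_ISSUER_NAME_DER, SAMPLE_ISSUER_KEY_BITS, SAMPLE_SERIAL)
    print(req.hex())
    print(ocsp_get_url("http://ocsp.example.test", req))
    for u in ("http://ocsp.example.test", "https://ocsp.example.test", "http://ocsp.example.test:8080"):
        print(u, aia_ocsp_url_is_acceptable(u))
```

The same request bytes are what a client POSTs as application/ocsp-request; the GET form is what lets caches and pre-produced responses work, which is why the Baseline Requirements call it out.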
You MUST test your OCSP service in Firefox! We expect OCSP responders to function without error in Mozilla products. To test in Firefox:
* Go to Firefox -> Preferences... -> Advanced Privacy & Security -> Certificates
* Check the box for "Query OCSP responder servers to confirm the current validity of certificates"
* Close the popup
* You may need to clear your history cache
* Browse to a website whose SSL certificate chains up to your root and has the corresponding OCSP URI in the AIA extension.
 
Errors that CAs sometimes encounter when testing OCSP in Firefox:
* Error code: sec_error_ocsp_unauthorized_response
** Please read section 4.2.2.2 "Authorized Responders" on pages 10-11 of RFC 2560. CAs that issue certificates for the general public must use a configuration that conforms to either rule 2 or rule 3. NSS also supports rule 1, but it requires manually configuring Firefox to set the [[CA:OCSP-TrustedResponder|trusted OCSP responder.]] That makes rule 1 relevant only when the Firefox installation is part of a centralized deployment where a local OCSP responder has been set up to send back OCSP responses for all the CAs that are locally trusted. The IETF pkix group that authored RFC 2560 has confirmed that rule 1 is intended to cover such situations and not public deployments.
* Error code: sec_error_ocsp_bad_http_response
** The HTTP response from the OCSP responder had a status code other than 200.
** The HTTP 200 response from the OCSP responder could not be decoded.
* Error code: sec_error_ocsp_invalid_signing_cert
** OCSP response signer's certificate was issued by the CA that issued the certificate whose status is being checked, but the response signer's certificate does not bear an ExtendedKeyUsage extension with the OCSP Responder OID, or
** OCSP response signer's certificate chain does not validate (e.g. expired, or bad signature, etc.)
** Trusted OCSP Responder Signing cert has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate. See [[CA:Problematic_Practices#OCSP_Responses_signed_by_a_certificate_under_a_different_root|Potentially Problematic Practices.]]
* Error code: sec_error_bad_database
** The OCSP response gives a certificate subject name to identify its signer's certificate, but no certificate by that name can be found: not in the response, not in the database, and not in the certificate chain of the certificate whose status is being checked. See [https://bugzilla.mozilla.org/show_bug.cgi?id=560091 this bugzilla bug] for more details.
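An added example, not from this page and not NSS code, that turns the error conditions listed above into a decision procedure over an already-parsed OCSP response, and adds the Baseline Requirements timing and SHA-1 checks from the section above so a CA can lint its own responder output before testing in Firefox. Certificate parsing, signature verification and path building are assumed to have been done by the caller and summarised in the CertSummary fields; CertSummary, ResponseSummary, firefox_error and all certificate and response data are this example's own constructed samples, not real certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning, the "OCSP Responder OID" named on the page
# sha1WithRSAEncryption, ecdsa-with-SHA1
SHA1_SIGNATURE_OIDS = frozenset({"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"})


@dataclass(frozen=True)
class CertSummary:
    """The few certificate facts the checks need; a real validator fills this from the parsed certificate."""
    subject: str
    issuer: str
    eku: tuple = ()
    signature_oid: str = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
    chain_valid: bool = True  # expiry, signatures and path building already verified by the caller


@dataclass(frozen=True)
class ResponseSummary:
    http_status: int
    decodable: bool
    signer: Optional[CertSummary]  # None: the named signer was found nowhere (page: sec_error_bad_database)
    this_update: datetime
    next_update: Optional[datetime]


def responder_rule(signer: CertSummary, issuing_ca: CertSummary, trusted: FrozenSet[str]) -> Optional[int]:
    """Which rule of RFC 2560 section 4.2.2.2 authorises the signer, or None:
    1 = locally configured trusted responder, 2 = the issuing CA itself,
    3 = a certificate issued by the issuing CA that carries the OCSP Signing EKU."""
    if signer.subject in trusted:
        return 1
    if signer == issuing_ca:
        return 2
    if signer.issuer == issuing_ca.subject and OCSP_SIGNING_EKU in signer.eku:
        return 3
    return None


def firefox_error(resp: ResponseSummary, issuing_ca: CertSummary,
                  trusted: FrozenSet[str] = frozenset()) -> Optional[str]:
    """NSS error name matching the conditions the page lists, or None when the response is acceptable."""
    if resp.http_status != 200 or not resp.decodable:
        return "sec_error_ocsp_bad_http_response"
    if resp.signer is None:
        return "sec_error_bad_database"
    if not resp.signer.chain_valid:
        return "sec_error_ocsp_invalid_signing_cert"
    if (resp.signer != issuing_ca and resp.signer.issuer == issuing_ca.subject
            and OCSP_SIGNING_EKU not in resp.signer.eku):
        return "sec_error_ocsp_invalid_signing_cert"  # issued by the CA but lacking the OCSP Responder OID
    if responder_rule(resp.signer, issuing_ca, trusted) is None:
        return "sec_error_ocsp_unauthorized_response"
    return None


def baseline_findings(resp: ResponseSummary, issuing_ca: CertSummary, now: datetime) -> List[str]:
    """Checks a CA can run on its own responder output against BR sections 4.9.10 and 7.1.3."""
    findings = []
    if resp.next_update is None:
        findings.append("nextUpdate absent: the ten-day maximum cannot be verified")
    else:
        if resp.next_update - resp.this_update > timedelta(days=10):
            findings.append("validity window longer than ten days (BR 4.9.10)")
        if resp.next_update < now:
            findings.append("response already expired")
    if now - resp.this_update > timedelta(days=4):
        findings.append("response not refreshed within four days (BR 4.9.10)")
    if (resp.signer is not None and resp.signer != issuing_ca
            and resp.signer.signature_oid in SHA1_SIGNATURE_OIDS):
        findings.append("delegated responder certificate signed with SHA-1 (BR 7.1.3)")
    return findings


# Constructed sample data (not real certificates).
CA = CertSummary(subject="CN=Example Issuing CA", issuer="CN=Example Root")
DELEGATED = CertSummary(subject="CN=Example OCSP Signer", issuer=CA.subject, eku=(OCSP_SIGNING_EKU,))
NO_EKU = CertSummary(subject="CN=Example OCSP Signer", issuer=CA.subject)
FOREIGN = CertSummary(subject="CN=Other Responder", issuer="CN=Some Other CA", eku=(OCSP_SIGNING_EKU,))
NOW = datetime(2018, 5, 3, 21, 29, tzinfo=timezone.utc)


def sample_response(signer: Optional[CertSummary], hours_old: int = 12, window_days: int = 7,
                    http_status: int = 200, decodable: bool = True) -> ResponseSummary:
    this_update = NOW - timedelta(hours=hours_old)
    return ResponseSummary(http_status, decodable, signer, this_update,
                           this_update + timedelta(days=window_days))


if __name__ == "__main__":
    cases = (("delegated", sample_response(DELEGATED)), ("no EKU", sample_response(NO_EKU)),
             ("foreign", sample_response(FOREIGN)), ("http 503", sample_response(DELEGATED, http_status=503)))
    for label, resp in cases:
        print(label, "->", firefox_error(resp, CA), baseline_findings(resp, CA, NOW))
```

The order of checks in firefox_error mirrors the page's list: transport and decoding problems first, then whether the signer can be located at all, then whether its certificate is acceptable, and only then whether that signer is authorised for this CA.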
=== Network Security Controls ===