CA:ImprovingRevocation: Difference between revisions



* Policy Change: To be proposed and discussed in the mozilla.dev.security.policy forum. This draft still needs work, and consideration of the following things.
** Can we use the notification policy expressed in [http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf NIST IR 7924], Section 5.7 (starting on page 36)?
** Consider using the notification policy expressed in [http://csrc.nist.gov/publications/drafts/nistir-7924/draft_nistir_7924.pdf NIST IR 7924], Section 5.7.
*** Trust Anchor Manager (TAM): Authorities who manage a repository of trusted Root CA Certificates. ... As specified in Section 5.7, the TAM will require the CA to provide notification of a compromise, and in response, the TAM will take appropriate action.
*** According to NIST IR 7924 section 5.7 the CA must notify the TAM when:
**** Root CA compromise -- Compromise of CA private signing key (Notification shall be made in an authenticated and trusted manner... earliest feasible time and shall not exceed <24> hours beyond determination of compromise or loss unless otherwise required by law enforcement)
**** Intermediate or Subordinate CA key compromise (revocation information shall be published immediately in the most expedient, authenticated, and trusted manner but within <18> hours)
**** Compromise of CSS key (If the CSS is self-signed and the CSS certificate expiration is more than <7> days away, the vendor shall immediately notify the trust anchor managers)
**** RA key compromised (the revocation information shall be published within <24> hours in the most expedient, authenticated, and trusted manner)
**** Suspected or detected compromise of any CA system or subsystem
**** Physical or electronic penetration of any CA system or subsystem
**** Successful denial of service attacks on any CA system or subsystem
**** Any incident preventing a CA from issuing and publishing a CRL or OCSP prior to the time indicated in the nextUpdate field in the currently published CRL or OCSP
**** Suspected or detected compromise of a certificate status server (CSS) if
***** the CSS certificate has a lifetime of more than <72> hours; and
***** the CSS certificate cannot be revoked (e.g., an OCSP responder certificate with the id-pkix-ocsp-nocheck extension)
**** When computing resources, software, and/or data are corrupted
 
 
** The policy should also take into account the [[CA:RevocationBackground | reason for revocation,]] and possibly who operates the intermediate certificate (e.g. CA versus subCA).
** EARLY DRAFT of text to add to MaintenancePolicy.html after item 3: 4. CAs must notify Mozilla within 24 hours of revocation of an intermediate certificate for any reason and of revocation of a website certificate whose revocation was not prompted by the certificate owner. To notify us of a revocation due to a security concern or of revocation of a website certificate whose revocation was not prompted by the certificate owner, send email to security@mozilla.org. To notify us of an intermediate certificate revocation, submit a bug report into the mozilla.org Bugzilla system, filed against the "CA Certificates" component of the "NSS" product. Whenever possible, the CA should send us the revoked certificate itself, along with the RFC 5280 revocation reason code. If the CA cannot send us the revoked certificate, then the information listed below will be needed.