* Dependencies:
** This will require a bootstrapping effort in which we ask all CAs to provide us with a comprehensive list of previous relevant revocations. (September 2013?)
** The CAs in our program must notify us when intermediate certificates that chain up to any of their roots included in Firefox have been revoked. Mozilla will deliver these revocations to Firefox through the revocation set. For CAs that regularly revoke intermediate certificates, we will consider implementing a whitelist of intermediate certificates so that the revocation set does not have to be updated too often.
** In addition, the CAs in our program must notify us of any mis-issuances and of any certificates that are to be revoked because an important constraint is missing or invalid (e.g. an end-entity certificate was given the OCSP status responder EKU (id-kp-OCSPSigning), or a subscriber certificate was given the cA=TRUE basic constraint without meeting the requirements for such subscriber CA certificates).
** The CA should send us details of the revocation, including the issuer subject name, the certificate serial number, a link to the OCSP response for the revocation, and an assertion that the certificate was revoked for one of the reasons for which we consider the issuing CA responsible (stating which reason it was). The easiest and best way to transmit this information is to simply attach the revoked certificate to the notification, provided it contains the OCSP AIA URL. The link to the OCSP response containing the revocation is needed to verify the authenticity of the email and to verify the exact encoding of the issuer name and serial number.
** In the short term, we will (probably) respond to the revocation notification by issuing a browser security update that contains the updated list of revoked certificates. In the long term, we may have a lighter-weight mechanism for updating the browser with revocation information, similar to Google's CRLSet mechanism.
* Policy Change: To be discussed and proposed in the mozilla.dev.security.policy forum.
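As an added example (not Mozilla's code and not part of the original page), the Python script below shows the mechanics behind the notification bullets above: it lifts the issuer name, serial number and OCSP AIA URL out of a certificate in exactly the encoding a client-side revocation set would match on, builds the OCSP request whose CertID is derived from the DER issuer Name and the serial, and flags the two constraint errors the text names. It assumes the third-party `cryptography` package is installed; the root and the two mis-issued leaf certificates are constructed in memory, the OCSP URL `http://ocsp.example.test/` is hypothetical, and treating a certificate that carries id-kp-serverAuth as a "subscriber certificate" is an assumption of the example, not a rule from the policy.

```python
# Added example (not Mozilla's code). Assumes the third-party `cryptography`
# package is installed; every certificate below is constructed in memory.
import datetime
import hashlib
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

OCSP_URL = "http://ocsp.example.test/"  # hypothetical AIA responder URL


def _ext(cert, cls):
    """Return the extension value, or None if the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement,
    so a positive serial whose top bit is set gets a leading 0x00 byte."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def revocation_record(cert: x509.Certificate) -> dict:
    """The identifiers the policy asks a CA to report, taken from the
    certificate itself so the encoding is exactly what clients will compare."""
    aia = _ext(cert, x509.AuthorityInformationAccess) or []
    return {
        "issuer": cert.issuer.rfc4514_string(),
        "issuer_der": cert.issuer.public_bytes(),       # DER Name, as in the cert
        "serial_der": der_integer_content(cert.serial_number),
        "ocsp_urls": [d.access_location.value for d in aia
                      if d.access_method == AuthorityInformationAccessOID.OCSP],
    }


def mis_issuance_findings(cert: x509.Certificate) -> list:
    """Flag the two constraint errors named in the policy text. Assumption of
    this example: a certificate carrying id-kp-serverAuth is a subscriber cert."""
    bc = _ext(cert, x509.BasicConstraints)
    is_ca = bool(bc and bc.ca)
    ekus = list(_ext(cert, x509.ExtendedKeyUsage) or [])
    findings = []
    if not is_ca and ExtendedKeyUsageOID.OCSP_SIGNING in ekus:
        findings.append("end-entity certificate has id-kp-OCSPSigning EKU")
    if is_ca and ExtendedKeyUsageOID.SERVER_AUTH in ekus:
        findings.append("subscriber (serverAuth) certificate has cA=TRUE")
    return findings


def ocsp_request_der(cert, issuer_cert) -> bytes:
    """DER OCSPRequest to POST to the AIA URL. Its CertID carries a hash of the
    DER issuer Name plus the serial, which is why exact encoding matters."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def issuer_name_hash_matches(cert, issuer_cert) -> bool:
    """Re-derive the CertID's issuerNameHash from the issuer Name DER bytes."""
    req = ocsp.load_der_ocsp_request(ocsp_request_der(cert, issuer_cert))
    return (req.issuer_name_hash == hashlib.sha1(cert.issuer.public_bytes()).digest()
            and req.serial_number == cert.serial_number)


def _issue(cn, issuer_name, issuer_key, key, ca, ekus, serial):
    """Build and sign a certificate for the constructed test PKI."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(key.public_key()).serial_number(serial)
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
             AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))]),
             critical=False))
    if ekus:
        b = b.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


# Constructed test PKI: one root and two deliberately mis-issued leaves.
ROOT_KEY = ec.generate_private_key(ec.SECP256R1())
ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root")])
ROOT = _issue("Example Root", ROOT_NAME, ROOT_KEY, ROOT_KEY, True, [], 1)
LEAF_KEY = ec.generate_private_key(ec.SECP256R1())
RESPONDER_LEAF = _issue("www.example.test", ROOT_NAME, ROOT_KEY, LEAF_KEY, False,
                        [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.OCSP_SIGNING],
                        0x80FFEE)  # top bit set: DER serial needs a leading 0x00
CA_LEAF = _issue("mail.example.test", ROOT_NAME, ROOT_KEY, LEAF_KEY, True,
                 [ExtendedKeyUsageOID.SERVER_AUTH], 0x7F)

if __name__ == "__main__":
    for leaf in (RESPONDER_LEAF, CA_LEAF):
        print(revocation_record(leaf), mis_issuance_findings(leaf))
        print("CertID consistent:", issuer_name_hash_matches(leaf, ROOT))
```

The `serial_der` and `issuer_der` fields are what a revocation-set entry (issuer name plus serial) keys on; a serial transcribed from a hex dump that drops the leading 0x00 of `0x80FFEE`, or an issuer name re-typed with a different string type, would silently fail to match the live certificate, which is the reason the policy asks for the certificate itself and the OCSP link rather than a textual description.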