CA/Maintenance and Enforcement: Difference between revisions

m (minor updates)
m (nit)
m (minor updates)
Line 103: Line 103:


= Actively Distrusting a Certificate =
= Actively Distrusting a Certificate =
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] and the [https://cabforum.org/ CA/Browser Forum's] Baseline Requirements list some of the reasons why a certificate should be revoked. For the common revocations, CRL and OCSP revocation checking are sufficient. However, in extenuating circumstances, such as those listed above, Mozilla may take additional action to protect users by actively distrusting a certificate.
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] and the [https://cabforum.org/baseline-requirements/ CA/Browser Forum's Baseline Requirements] list some of the reasons why a certificate should be revoked. For the common revocations, CRL and OCSP revocation checking are sufficient. However, in extenuating circumstances, such as those listed above, Mozilla may take additional action to protect users by actively distrusting a certificate.


The steps to actively distrust a certificate are as follows.
The steps to actively distrust a certificate are as follows.
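Review bot: the relinked sentence in the second paragraph now reads "the CA/Browser Forum's Baseline Requirements list some of the reasons", with the deep link to /baseline-requirements/ replacing the forum home page and the whole phrase "CA/Browser Forum's Baseline Requirements" as link text; this fixes the old version, where only "CA/Browser Forum's" was linked and the reader had to find the BRs from the front page. One remaining nit: "such as those listed above" depends on a list that sits outside this hunk, so a reader of this section alone cannot tell which circumstances justify active distrust rather than ordinary CRL/OCSP revocation; a short back-reference to the section that enumerates them would make the distinction self-contained.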
Line 118: Line 118:
# Implement Code Change
# Implement Code Change
#* Add the corresponding intermediate or end-entity certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
#* Add the corresponding intermediate or end-entity certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].
#* If it is determined that a certificate needs to be actively distrusted in NSS, then the following will also be done.
#* If it is determined that a certificate needs to be actively distrusted in [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS], then the following may also be done.
#** Update NSS by adding a new entry to the built-in root cert list, to take away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Active Distrust does not require the entire certificate, because it may be done with a combination of the certificate Serial Number and Issuer. Note: The built-in cert list has two types of entries; cert entries and trust entries. A (dis)trust entry can be added without adding a corresponding cert entry.
#** Update [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] by adding a new entry to the built-in root cert list, to take away trust instead of giving trust. This is done with a separate "distrust" flag, and is called '''Active Distrust'''. Active Distrust can be done for any root, intermediate, or leaf certificate. Active Distrust does not require the entire certificate, because it may be done with a combination of the certificate Serial Number and Issuer. Note: The built-in cert list has two types of entries; cert entries and trust entries. A (dis)trust entry can be added without adding a corresponding cert entry.
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain.
#** A problem with this approach arises if the certificate to be Actively Distrusted has been cross-signed with another root certificate that is included in NSS. This could lead us to have to ask every CA in Mozilla's program if they have cross-signed with the root or intermediate certificate that is to be Actively Distrusted. If there is such cross-signing, then the change to the built-in root cert list will also have to include the Issuer/Serial number combination for the cross-signed certificate chain.
# Test
# Test
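Review bot: changing "will also be done" to "may also be done" in the NSS bullet makes the step inconsistent with its own condition: once it "is determined that a certificate needs to be actively distrusted in NSS", the built-in list update in the sub-bullets is the mechanism for doing that, not an option, so either keep "will" or rephrase the condition to state who decides whether NSS distrust is needed in addition to the OneCRL entry. Two smaller points in the same hunk: the NSS documentation link is now added in two consecutive bullets, and the second one is redundant under the link-on-first-occurrence convention used elsewhere on the page; and the cross-signing sub-bullet ends with "will also have to include the Issuer/Serial number combination for the cross-signed certificate chain", but the "Test" step that follows says nothing about verifying each of those extra entries, so consider adding a check there that every cross-signed path identified by the CA survey actually yields a distrust result.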