Confirmed users, Administrators
5,526
edits
CA:MaintenanceAndEnforcement: Difference between revisions
→Potential Problems, Prevention, Response
| Line 54: | Line 54: | ||
[http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html Mozilla's Enforcement Policy] describes the steps that Mozilla may take to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. | [http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html Mozilla's Enforcement Policy] describes the steps that Mozilla may take to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation. | ||
'''Problem:''' MD5-based | '''Problem:''' MD5-based certificate(s) issued | ||
* Prevention: Don't accept MD5-based certs. {{bug|650355}}, in Firefox 16. | * Prevention: Don't accept MD5-based certs. {{bug|650355}}, in Firefox 16. | ||
'''Problem:''' | '''Problem:''' Certificate(s) issued with weak RSA key | ||
* Prevention: Don't accept certs signed with weak RSA keys. {{bug|360126}}, needs to be implemented. | * Prevention: Don't accept certs signed with weak RSA keys. {{bug|360126}}, needs to be implemented. | ||
'''Problem:''' | '''Problem:''' Certificate(s) issued without enough key usage info | ||
* Prevention: Enforce key usage restrictions better. {{bug|725351}}, needs to be implemented. | * Prevention: Enforce key usage restrictions better. {{bug|725351}}, needs to be implemented. | ||
'''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate | '''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate | ||
* Minimum Response: Actively distrust that set of SSL certificates, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | * Immediate Minimum Response: Actively distrust that set of SSL certificates, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | |||
'''Problem:''' CA mis-issued a small number of code signing certificates | '''Problem:''' CA mis-issued a small number of code signing certificates that they can enumerate | ||
* Minimum Response: Actively distrust that set of code signing certificates, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | * Immediate Minimum Response: Actively distrust that set of code signing certificates, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | |||
'''Problem:''' CA mis-issued a small number of email certificates | '''Problem:''' CA mis-issued a small number of email certificates that they can enumerate | ||
* Minimum Response: Actively distrust that set of email certificates in Thunderbird, and push out an update to Thunderbird. Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | * Immediate Minimum Response: Actively distrust that set of email certificates in Thunderbird, and push out an update to Thunderbird. | ||
* Depending on the situation, also consider distrusting the intermediate or root certificate that the mis-issued certificates chain up to. | |||
'''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | '''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate | ||
* Minimum Response: Actively distrust the intermediate certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA. | * Immediate Minimum Response: Actively distrust the intermediate certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting the root certificate that the mis-issued certificates chain up to, or all of the root certificates owned by that CA. | |||
'''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates | '''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates | ||
* Minimum Response: Actively distrust the intermediate and root certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. Depending on the situation, also consider distrusting all of the root certificates owned by that CA. | * Immediate Minimum Response: Actively distrust the intermediate and root certificates that the mis-issued certificates chain up to, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting all of the root certificates owned by that CA. | |||
'''Problem:''' CA mis-issued | '''Problem:''' CA mis-issued a small number of intermediate certificates that they can enumerate | ||
* Minimum Response: Actively distrust the intermediate | * Immediate Minimum Response: Actively distrust the intermediate certificates, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting the root certificate or all of the root certificates owned by that CA. | |||
'''Problem:''' CA mis-issued | '''Problem:''' CA mis-issued an unknown number of un-enumerated intermediate certificates | ||
* Minimum Response: Actively distrust the intermediate and root | * Immediate Minimum Response: Actively distrust the intermediate and root certificates, and push out an update to all Mozilla products. | ||
* Depending on the situation, also consider distrusting all of the root certificates owned by that CA. | |||
= Actively Distrusting a Certificate = | = Actively Distrusting a Certificate = | ||