And for the benefit of readers of the thread not already familiar with this, below are the two documented browser approaches to revocation of intermediates that I'm aware of, for Firefox and Chrome.
Both require browser-maintained (not CA-maintained) lists of revoked certificates to be updated with the intermediate, in order for clients to enforce an intermediate's revocation.

---------------------

Firefox: https://wiki.mozilla.org/CA:RevocationPlan

"Revocation of intermediate certificates is only checked during EV validation."

"The main focus of OneCRL is to cover intermediate CA certificates."

---------------------

Chrome: https://dev.chromium.org/Home/chromium-security/crlsets

"Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome. They can be enabled in the options and, in some cases, the underlying system certificate library always performs these checks no matter what Chromium does. Otherwise they are only performed when verifying an EV certificate that is not covered by a fresh CRLSet."

"For size reasons, the list doesn't include all CRLs - EV CRLs and CRLs with good reason codes are taken in preference. CRLs which cover intermediates are typically small and valuable so we try to take as many as possible."

On Sat, Jun 25, 2016 at 10:50 AM, Peter Bowen <[email protected]> wrote:
> On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie <[email protected]> wrote:
> > On 25 June 2016 at 00:56, Rob Stradling <[email protected]> wrote:
> >> On 24/06/16 14:38, Rob Stradling wrote:
> >>>
> >>> I've just updated https://crt.sh/mozilla-disclosures.
> >>>
> >>> There's now a separate grouping for undisclosed intermediates for which
> >>> all observed paths to a trusted root have been "revoked".
> >>>
> >>> A path is considered to be "revoked" if at least one intermediate in the
> >>> path has been 1) disclosed to Salesforce AND 2) marked as Revoked in
> >>> Salesforce and/or OneCRL.
> >
> > I am curious how this is supposed to work. The issuer is identified by
> > the Issuer DN. Revoked certificates are identified by serial number
> > (in CRLs). So ... how is an intermediate ever revoked, in reality?
>
> It is not the CA that is revoked, it is the path from the trust anchor
> to the CA that is revoked. The Mozilla requirement is not disclosure
> of Issuers, it is the disclosure of CA certificates. Given this,
> revocation is a reasonable check.
>
> Thanks,
> Peter

--
konklone.com | @konklone <https://twitter.com/konklone>

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
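To make the point in the quoted exchange concrete (OneCRL and CRLSets list certificates by issuer DN plus serial, so what is revoked is a particular certificate on a path, not the CA as a name), here is an added Python model of crt.sh's "all observed paths revoked" grouping. It is example code written for this page, not crt.sh's, Mozilla's or Chromium's; the CA names, serial numbers and the cross-signed certificate are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str     # Subject DN (the CA's name)
    issuer: str      # Issuer DN
    serial: int
    disclosed: bool  # disclosed to Salesforce, as the Mozilla policy in the thread requires


def listed(cert: Cert, revocation_list: set) -> bool:
    """OneCRL/CRLSet semantics: an entry names a certificate by (issuer DN, serial)."""
    return (cert.issuer, cert.serial) in revocation_list


def path_revoked(path: list, revocation_list: set) -> bool:
    """crt.sh's rule as quoted: a path is 'revoked' when at least one intermediate
    in it is both disclosed and listed. `path` runs from the intermediate under
    examination up to, but excluding, the trusted root."""
    return any(c.disclosed and listed(c, revocation_list) for c in path)


def all_paths_revoked(paths: list, revocation_list: set) -> bool:
    """The grouping on crt.sh/mozilla-disclosures: every observed path is revoked."""
    return bool(paths) and all(path_revoked(p, revocation_list) for p in paths)


# Constructed sample hierarchy (hypothetical names, not real CAs).
ROOT1, ROOT2 = "CN=Root One", "CN=Root Two"
A_via_root1 = Cert("CN=Intermediate A", ROOT1, serial=1, disclosed=True)
# Cross-sign: same CA name and key as above, but a different certificate.
A_via_root2 = Cert("CN=Intermediate A", ROOT2, serial=7, disclosed=True)
X = Cert("CN=Undisclosed Sub-CA X", "CN=Intermediate A", serial=10, disclosed=False)

ONECRL = {(ROOT1, 1)}  # revokes only the certificate Root One issued to A


def demo() -> dict:
    p1 = [X, A_via_root1]  # path to Root One
    p2 = [X, A_via_root2]  # path to Root Two through the cross-sign
    return {
        "A_cert_from_root1_listed": listed(A_via_root1, ONECRL),
        "A_cert_from_root2_listed": listed(A_via_root2, ONECRL),
        "path_via_root1_revoked": path_revoked(p1, ONECRL),
        "path_via_root2_revoked": path_revoked(p2, ONECRL),
        "X_all_paths_revoked": all_paths_revoked([p1, p2], ONECRL),
        "X_all_paths_revoked_without_cross_sign": all_paths_revoked([p1], ONECRL),
    }
```

Running `demo()` shows why the cross-signed certificate matters: the Root Two path is untouched by the OneCRL entry, so X drops out of the "all paths revoked" group until that certificate is listed too.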

