September 2016 11:19:49 UTC+1, Gervase Markham wrote:
Have you considered what was done for CNNIC? In that case, we
distrusted all certificates issued after a certain time. We used
a whitelist for determining this, but it would be possible to use
the notBefore date in the certificate. A CA could dodge this by
backdating, but if the CA were also committed to putting all its
certs in to CT, then the backdating would be noticeable.
Jakob Bohm (?) wrote:
That's a good point, I knew of the CNNIC outcome but didn't add it to
my list. It has the obvious GOOD factor that we know Mozilla can
successfully do it.

I suspect that a whitelist will almost always prove necessary. Even
the suspicion of backdating happening undermines the value of this
sanction.

   This is approaching a workable technical solution.

   The certificate transparency system is already well defined.

   Firefox could have flags associated with root certificates, perhaps
as follows:

   1. For certs under this root cert, always check
      certificate revocation list (presumably via OCSP).
      Fail if revoked.

   2. For certs under this root cert, always check
      CA's certificate transparency server. Fail
      if not found.

   3. For certs under this root cert, always check
      Mozilla-run whitelist in addition to other
      checks. This would probably be in the form
      of a CT server which tracked the CA's CT
      server, but from which certificates could
      be deleted if necessary.

This provides the requested mechanism short of distrust.  Only
#3 is new; Google Chrome already does #1 and #2.  #3 would
be turned on in case of problems at a CA.

Google's statements in 2015 indicated that it was their intention
to do something quite similar in Chrome:

https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnxjZXJ0aWZpY2F0ZXRyYW5zcGFyZW5jeXxneDoyZGU5Yjg1MmVjNzc5NjQz

Much of that has already been done.

CT support in Firefox was proposed in 2013 and a patch was generated,
but seems to be languishing. Last update was in January 2016.
The problem appears to be policy, not technology.  See:

   https://bugzilla.mozilla.org/show_bug.cgi?id=944175


                        John Nagle
                        SiteTruth


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
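What the three per-root flags look like when combined with the CNNIC-style notBefore cutoff Gerv describes, as an added example that is not code from the post, from Firefox or from Chrome. Everything here is a stand-in: the class and function names (Cert, RootFlags, evaluate, run_all) are hypothetical, the certificate fields are constructed rather than parsed X.509, and the OCSP responder, the CA's CT log and the Mozilla-run whitelist are plain dicts and sets instead of network lookups. One policy choice is an assumption of the example rather than something the post states: a missing OCSP answer is treated as a failure, not just a "revoked" one. The "unlogged" fixture is the dodge Gerv mentions, a cert whose notBefore predates the cutoff but which carries no SCT, so nothing but the whitelist can reject it.

```python
# Added example (not from the post, Firefox or Chrome): a per-root policy
# evaluator for the three flags in the post plus a CNNIC-style notBefore cutoff.
# Cert fields, OCSP answers, the CA's CT log and the Mozilla whitelist are
# constructed stand-ins, not parsed X.509 or network I/O.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def ts(*args):
    """Shorthand for an aware UTC datetime."""
    return datetime(*args, tzinfo=UTC)


@dataclass(frozen=True)
class Cert:
    serial: str
    root: str                          # root the chain terminates in
    not_before: datetime               # notBefore as stated in the certificate
    sct_timestamp: Optional[datetime]  # embedded SCT timestamp; None if no SCT


@dataclass(frozen=True)
class RootFlags:
    require_ocsp: bool = False          # flag 1: fail if revoked (assumption: also if unanswered)
    require_ct: bool = False            # flag 2: fail if absent from the CA's CT log
    require_whitelist: bool = False     # flag 3: fail if absent from the Mozilla-run list
    distrust_after: Optional[datetime] = None  # CNNIC-style: distrust if notBefore is past this
    backdate_tolerance: timedelta = timedelta(days=1)  # how far notBefore may precede the SCT


def evaluate(cert, flags, ocsp, ct_log, whitelist):
    """Return (accepted, reasons). Accepted only when no enabled check fails."""
    reasons = []

    if flags.require_ocsp:
        status = ocsp.get(cert.serial)  # "good", "revoked" or None (no response)
        if status != "good":
            reasons.append("ocsp:" + (status or "no-response"))

    if flags.require_ct and cert.serial not in ct_log:
        reasons.append("ct:not-logged")

    # Gerv's point: a CA that logs everything cannot quietly backdate, because the
    # SCT timestamp records when the log actually saw the (pre)certificate.
    if (cert.sct_timestamp is not None
            and cert.sct_timestamp - cert.not_before > flags.backdate_tolerance):
        reasons.append("ct:backdated")

    if flags.distrust_after is not None and cert.not_before > flags.distrust_after:
        reasons.append("distrust-after:issued-after-cutoff")

    if flags.require_whitelist and cert.serial not in whitelist:
        reasons.append("whitelist:not-listed")

    return (not reasons, reasons)


# Constructed fixture: one root under flags 1 and 2, one root that never committed
# to CT and so gets flag 3 instead; both with a cutoff of 2016-09-01.
CUTOFF = ts(2016, 9, 1)
CT_ROOT = RootFlags(require_ocsp=True, require_ct=True, distrust_after=CUTOFF)
WHITELIST_ROOT = RootFlags(require_ocsp=True, require_whitelist=True, distrust_after=CUTOFF)

OCSP = {"01": "good", "02": "revoked", "03": "good", "04": "good", "05": "good"}
CA_CT_LOG = {"01", "02", "03", "05"}        # the CA's own log; "04" was never logged
MOZILLA_WHITELIST = {"01", "02", "03"}      # CT mirror with "04" and "05" deleted

CERTS = {
    "ok":        Cert("01", "r", ts(2016, 8, 1), ts(2016, 8, 1, 2)),
    "revoked":   Cert("02", "r", ts(2016, 8, 1), ts(2016, 8, 1, 2)),
    "too-new":   Cert("03", "r", ts(2016, 9, 15), ts(2016, 9, 15)),
    "unlogged":  Cert("04", "r", ts(2016, 8, 20), None),      # notBefore claim unverifiable
    "backdated": Cert("05", "r", ts(2016, 8, 20), ts(2016, 9, 10)),
}


def run_all(flags, whitelist=frozenset()):
    """Evaluate every fixture cert under one root's flags; returns {name: reasons}."""
    return {name: evaluate(c, flags, OCSP, CA_CT_LOG, whitelist)[1]
            for name, c in CERTS.items()}


if __name__ == "__main__":
    for label, flags in (("CT root", CT_ROOT), ("whitelist root", WHITELIST_ROOT)):
        for name, reasons in run_all(flags, MOZILLA_WHITELIST).items():
            verdict = "accept" if not reasons else "reject " + ",".join(reasons)
            print(f"{label:14} {name:10} {verdict}")
```

Under the CT root the backdated cert is caught by the SCT timestamp and the unlogged one by flag 2; under the whitelist root the same unlogged cert sails past the notBefore cutoff and is stopped only because it is absent from the Mozilla-run list, which is the case Jakob's remark about whitelists is about.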
