On 09/02/2016 01:04 PM, Patrick Figel wrote:
> On 02/09/16 21:14, John Nagle wrote:
>> 2. For certs under this root cert, always check CA's certificate
>> transparency server.   Fail if not found.
>
> To my knowledge, CT does not have any kind of online check
> mechanism. SCTs can be embedded in the certificate (at the time of
> issuance), delivered as part of the TLS handshake or via OCSP
> stapling.

    You're supposed to be able to check if a cert is known by
querying an OCSP responder.   OCSP stapling is just a faster way
to do that.  Commercial OCSP responders are available.  See

     https://www.ejbca.org/docs/architecture-ocsp.html

     https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

and there's an open source responder:

https://www.nexusgroup.com/globalassets/media/documents/productsheet_eng/nexus_ps_ocsp-responder_en.pdf

    What I'm suggesting is that mandatory external OCSP checking
against a Mozilla-operated server be enabled on a per-root-cert basis.
Mozilla's server would get its data from the CA's CT information, and,
after checking for problems, and removing any questionable certs,
would make it available on an OCSP server.  Firefox would check
that server if the root cert was flagged for it.  For CAs with problems,
this would give Mozilla fine-grained sanction control.

                                John Nagle
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
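An added example, not from this thread and not code from Mozilla or any CT implementation: the embedded-SCT case Patrick describes is the RFC 6962 SignedCertificateTimestampList carried in the X.509 extension 1.3.6.1.4.1.11129.2.4.2. The pure-Python parser below unwraps that extension's DER OCTET STRING, walks the TLS-encoded list, and applies a fail-closed policy of the kind John's "fail if not found" rule implies: require SCTs from a configured set of trusted logs and reject SCTs timestamped in the future. The log IDs, timestamps and signature bytes are constructed placeholders; verifying each SCT's signature against the log's public key is not implemented here.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList from the embedded-SCT
X.509 extension and apply a fail-closed 'trusted logs' policy.
Constructed example; SCT signature verification is out of scope."""
import struct
from dataclasses import dataclass

SCT_V1 = 0

# Placeholder log IDs (in reality SHA-256 of the log's public key); constructed.
TRUSTED_LOG_A = bytes.fromhex("aa" * 32)
TRUSTED_LOG_B = bytes.fromhex("bb" * 32)
UNKNOWN_LOG = bytes.fromhex("cc" * 32)


@dataclass
class SCT:
    version: int
    log_id: bytes
    timestamp_ms: int
    extensions: bytes
    hash_alg: int   # RFC 5246 HashAlgorithm (4 = sha256)
    sig_alg: int    # RFC 5246 SignatureAlgorithm (3 = ecdsa)
    signature: bytes


def _u16(buf: bytes, off: int):
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[off:off + 2])[0], off + 2


def parse_sct(data: bytes) -> SCT:
    """Parse one serialized SCT: version, log_id, timestamp, extensions,
    then the digitally-signed struct (hash alg, sig alg, 2-byte-length sig)."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != SCT_V1:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = data[1:33]
    timestamp_ms = struct.unpack(">Q", data[33:41])[0]
    ext_len, off = _u16(data, 41)
    extensions = data[off:off + ext_len]
    off += ext_len
    if off + 4 > len(data):
        raise ValueError("truncated digitally-signed struct")
    hash_alg, sig_alg = data[off], data[off + 1]
    sig_len, off = _u16(data, off + 2)
    if off + sig_len != len(data):
        raise ValueError("signature length mismatch or trailing bytes")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg,
               data[off:off + sig_len])


def parse_sct_list(data: bytes) -> list:
    """data is the TLS-encoded SignedCertificateTimestampList:
    2-byte total length, then (2-byte length + SCT) entries."""
    total, off = _u16(data, 0)
    if off + total != len(data):
        raise ValueError("SCT list length does not match buffer")
    scts = []
    while off < len(data):
        n, off = _u16(data, off)
        if off + n > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(data[off:off + n]))
        off += n
    if not scts:
        raise ValueError("empty SCT list")
    return scts


def parse_sct_extension(extn_value: bytes) -> list:
    """extn_value is the extension's DER OCTET STRING wrapping the list."""
    if not extn_value or extn_value[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    length, off = extn_value[1], 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(extn_value[2:2 + nbytes], "big")
        off = 2 + nbytes
    if off + length != len(extn_value):
        raise ValueError("bad DER OCTET STRING length")
    return parse_sct_list(extn_value[off:off + length])


def sct_policy_ok(scts, trusted_logs, min_trusted=1, now_ms=None) -> bool:
    """Fail closed: need SCTs from >= min_trusted distinct trusted logs,
    ignoring any SCT whose timestamp lies in the future."""
    seen = {s.log_id for s in scts
            if s.log_id in trusted_logs and (now_ms is None or s.timestamp_ms <= now_ms)}
    return len(seen) >= min_trusted


# --- constructed sample input (placeholder signature bytes) ---
def _encode_sct(log_id, ts_ms, sig=b"\x30\x06\x02\x01\x01\x02\x01\x02"):
    body = bytes([SCT_V1]) + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
    return body + bytes([4, 3]) + struct.pack(">H", len(sig)) + sig


def _encode_list(scts):
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


SAMPLE_LIST = _encode_list([_encode_sct(TRUSTED_LOG_A, 1472716800000),
                            _encode_sct(UNKNOWN_LOG, 1472716800001)])
SAMPLE_EXT = bytes([0x04, len(SAMPLE_LIST)]) + SAMPLE_LIST   # short-form DER length
```

A client applying this at handshake time would feed the extension value from the leaf certificate into parse_sct_extension, pass its trusted-log set (and the current time) to sct_policy_ok, and treat a parse error or a False result as a hard failure rather than a warning.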
