On Thu, Feb 2, 2017 at 9:37 PM Jakob Bohm <[email protected]> wrote:
> On 03/02/2017 05:22, Ryan Sleevi wrote: > > On Thu, Feb 2, 2017 at 3:59 PM, Jakob Bohm <[email protected]> > wrote: > > > >> On 02/02/2017 00:46, Kathleen Wilson wrote: > >> > >>> All, > >>> > >>> I've added another Potentially Problematic Practice, as follows. > >>> > >>> > https://wiki.mozilla.org/CA:Problematic_Practices#Issuer_Encoding_in_CRL > >>> The encoding of the Issuer field in the CRL should be byte-for-byte > >>> equivalent with the encoding of the Issuer in the certificate; that is, > >>> using the exact same string types and field contents. The specs (RFC > 2459, > >>> RFC 3280, RFC 5280) permit them to mismatch, but that causes > compatibility > >>> issues with various clients -- in such cases client software might not > find > >>> the entry for the revoked certificate in the CRL. > >>> > >>> As always, I will appreciate your thoughtful and constructive feedback. > >>> > >>> We ran into this situation several times while adding entries to OneCRL > >>> for revoked intermediate certificates, because our script pulled the > data > >>> from the CAs' CRLs where possible. > >>> > >>> We have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1330968 to > >>> update the OneCRL client to be encoding agnostic when doing the Issuer > >>> comparisons. > >>> > >>> > >> What should a CA do if they have used different encodings of the same > >> issuer DN in different certs that point to the same CRL location? > >> > >> Wouldn't a more proper set of rules be: > >> > >> 1. The encoding of the Issuer field in the CRL must be the same as in > >> the SubjectDN in the issuing certificate. > >> > >> 2. The IssuerDN in all future issued certificates must the same as in > >> the SubjectDN in the issuing certificate. > >> > >> 3. If any previously issued certificates did not follow rule 2, the CA > >> must publish a list of the exact IssuerDN encodings used in such > >> certificates. > >> > > > > What value does 3 provide? > > > > It provides data to allow services such as OneCRL (or even direct CRL > checking code in applications) to work around such past practices by > simply using a table of known Issuer name in certificate to actual > subject name in issuing certificate mappings, rather than trying to > implement fuzzy matching algorithms. So don't you think it's useful and important to state the goal you're trying to achieve when you propose Mozilla be prescriptive of all CAs? Put differently, there is a considerably high bar for requiring CAs take some action - or answer a particular question. Making sure it's clear why can help evaluate the value of what you propose, otherwise it's very easy to dismiss such suggestions as random non sequitors. > > The data is minimal and compact, unlike CT logs. For example, this appears as a nonsequitor, because no one has proposed sending CT logs to clients (the contextual way to read this suggestion, given the statement that follows). Another way to read it (ignoring what follows) suggests perhaps confusion between a CT log (which clients don't download) and an SCT (which is minimal and compact for what it is). Or it could be read that you're suggesting someone simply comb the CT logs, extract the CRL URLs, and compare those against the issuer fields present. While it seems highly unlikely you're proposing the last option, given your expressed disdain and occasional confusion about CT, I mention it because it's example of where the data can be independently obtained, rather than using the threat of force (which is, implicitly, what is behind every CA communication - the threat of removal), and arguably in a way that more accurately captures practical impact. The complete dataset > from all public CAs combined is likely to be just a few kilobytes > uncompressed, much less compressed. > > Potentially, this same table as a substitute for fuzzy mapping can also > be used when building/following certificate chains. Right, so just to follow: You're proposing that, rather than list it as a problematic practice for an edge case from a few CAs, Mozilla use a CA communication - possibly with a change to the Baseline Requirements - so that they can write additional code that no other client implements and ship several kilobytes (at least) of data and code. It does seem like Kathleen's current proposal is far more reasonable, and so no, your proposal does not seem like a proper set of rules. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
