> Date: Wed, 07 Nov 2007 22:35:32 +0200
> From: "Eddy Nigg (StartCom Ltd.)" <[EMAIL PROTECTED]>
> Subject: Re: Inclusion of VeriSign EV root in Firefox 3 betas for testing
> To: Frank Hecker <[EMAIL PROTECTED]>
> Cc: dev-tech-crypto@lists.mozilla.org
> 
> Frank Hecker wrote:
> > Eddy Nigg (StartCom Ltd.) wrote:
> >   
> >> Frank, the best test might be, if you could point us to a site signed by
> >> the root in question. We could simply follow the chain up to the CA root
> >> already in NSS.
> >>     
> >
> > I gave an example already in my previous message:
> > <https://www.fnac.com/>. <https://www.paypal.com/> shows this as well.
> >   
> OK, thanks! Looks like it's chained to an existing root....

There appears to be some confusion around this root. Let me try to
clarify:

Microsoft made a significant change in Windows Vista regarding embedded
root certificates: the OS ships with only a small handful of
certificates deemed essential to Windows. That does not include
VeriSign's roots. Instead, Microsoft has built into Vista the ability to
obtain trusted root certificates silently, on demand from Windows
Update. This ability is part of Windows XP as well, although XP shipped
with a large number of roots. On XP or Vista, if the OS ever encounters
a root certificate that it does not have in its cached root store, it
will check with Windows Update to see if it can obtain the root there.
If Windows Update knows about the root, it will return the root
certificate along with any meta-data that goes along with it. For
example, roots that can sign EV certificates are marked with special
meta-data, not with any special indication in the certificate itself.

It's important to note that if Windows XP or Vista encounters a root
that is already in its cached root store, it will not check with Windows
Update to see if the meta-data has changed. And if a root is downloaded
from Windows Update, it will remain in the computer's root cache until
it expires.

When VeriSign planned to create a new certificate hierarchy from which
to issue EV SSL certificates, we naturally wanted to use our existing
root as the root of that hierarchy. That root is widely deployed in a
large number of browsers, both on desktops and handheld devices such as
cell phones. These older browsers know nothing of EV and cannot display
green toolbars, yet it is a firm requirement that they should be able to
establish a secure SSL session with EV-protected web sites. They should
not display any warning dialog, such as they might if the web site's
certificate chained up to an unknown, untrusted root.

We needed Microsoft to create the meta-data for our root that would
indicate that it is a root that can issue EV certificates. However,
there was a problem: Microsoft pointed out that Vista, since it did not
ship with our root, would retrieve our root and the associated EV
meta-data; but XP, since it shipped with our root, would not fetch the
EV meta-data from Windows Update. XP users would not be able to see the
green toolbar.

We investigated many ways of getting the root meta-data into Windows XP
systems. Microsoft suggested creating a new root that would carry the EV
meta-data, and cross-sign the new root with our old root. This is the
solution we implemented. 

Web servers with a VeriSign EV cert are configured with the end entity
cert and two intermediate CAs: the EV CA and a cross-signed cert. The
chain looks like this:

           end-entity       int. CA     cross-cert
 issuer:   EV CA        ->  PCA3-G5  ->  PCA3-G5
 subject: <www.foo.com> ->   EV CA   ->    PCA3

Hence, old browsers will see this end-entity cert as chaining up to
PCA3, our old root that is already in their browsers. They will accept
it as a trusted chain.

If the IE7 on Vista user has our PCA3-G5 root and then hits this site,
the browser will see that the end-entity cert appears to chain up to two
roots: the old PCA3 root, and the new EV root called PCA3-G5. The path
to the old root is 4 levels deep, and the path to the new root is 3
levels deep. IE7 favors the shorter chain, and thus accepts this cert as
a trusted cert that chains up to an EV-capable root.

I'm sure I've confused a lot of people with this. I can try to go into
more detail if necessary.

-Rick Andrews

-- 
Rick Andrews                 __o    Phone: 650-426-3401
VeriSign, Inc.             _ \>,_   Fax:   650-426-5195
487 E. Middlefield Rd. ...(_)/ (_)  URL:   www.verisign.com
Mountain View, CA  94043            email: [EMAIL PROTECTED]
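The path-building behaviour the message describes, as an added example that is not part of the original e-mail nor of any VeriSign or Microsoft code. It builds a toy hierarchy of the same shape with Go's standard `crypto/x509`: self-signed PCA3 and PCA3-G5 roots, a cross-cert that carries the PCA3-G5 subject and key but is issued by PCA3 (so that its chain ends at the old root, as the prose says), an EV CA issued under PCA3-G5, and a server certificate for www.foo.com. Every key, name and serial number is constructed here. `Verify` returns every chain it can build, so the example keeps the shortest one (the IE7 preference the message describes) and looks the anchor up in a constructed `EVRoots` map that stands in for the root program's out-of-band meta-data. With only PCA3 trusted the chain is four certificates long and ends at the old root; once PCA3-G5 is trusted as well, the three-certificate path wins and the EV flag comes from the meta-data, not from any field of the certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy holds the five constructed certificates, plus EVRoots, a stand-in for the root
// program's out-of-band data: EV capability lives beside a root, keyed by fingerprint, not in it.
type Hierarchy struct {
	PCA3, PCA3G5, Cross, EVCA, Leaf *x509.Certificate // Cross has PCA3-G5's name and key, signed by PCA3
	EVRoots                         map[string]bool
}
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca { // TLS server cert: no CA bit, serverAuth EKU, host name in the SAN
		t.KeyUsage, t.DNSNames, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildHierarchy mints fresh Ed25519 keys and issues the five certificates.
func BuildHierarchy() (h *Hierarchy, err error) {
	key := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"pca3", "g5", "ev", "leaf"} {
		if _, key[n], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, err
		}
	}
	// issue certifies subject's public key under tmpl, signed by signer; it keeps the first error.
	issue := func(tmpl, parent *x509.Certificate, subject, signer ed25519.PrivateKey) (c *x509.Certificate) {
		var der []byte
		if err == nil {
			if der, err = x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), signer); err == nil {
				c, err = x509.ParseCertificate(der)
			}
		}
		return c
	}
	h = &Hierarchy{}
	pca3Tmpl, g5Tmpl := template("PCA3", 1, true), template("PCA3-G5", 2, true)
	h.PCA3 = issue(pca3Tmpl, pca3Tmpl, key["pca3"], key["pca3"])
	h.PCA3G5 = issue(g5Tmpl, g5Tmpl, key["g5"], key["g5"])
	// Cross-cert: PCA3-G5's subject and public key, but issued by PCA3.
	h.Cross = issue(template("PCA3-G5", 3, true), h.PCA3, key["g5"], key["pca3"])
	// The EV CA's issuer name matches the G5 root and the cross-cert alike: two candidate parents.
	h.EVCA = issue(template("EV CA", 4, true), h.PCA3G5, key["ev"], key["g5"])
	h.Leaf = issue(template("www.foo.com", 5, false), h.EVCA, key["leaf"], key["ev"])
	if err != nil {
		return nil, err
	}
	h.EVRoots = map[string]bool{Fingerprint(h.PCA3G5): true} // only the new root is marked EV-capable
	return h, nil
}

// ShortestChain builds every valid path from the server cert, through the two intermediates the
// server sends (EV CA and cross-cert), to a root in store, and keeps the shortest, as IE7 does.
func ShortestChain(h *Hierarchy, store ...*x509.Certificate) (chain []*x509.Certificate, ev bool, err error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, r := range store {
		opts.Roots.AddCert(r)
	}
	opts.Intermediates.AddCert(h.EVCA)
	opts.Intermediates.AddCert(h.Cross)
	chains, err := h.Leaf.Verify(opts) // errors if no path reaches a trusted root
	if err != nil {
		return nil, false, err
	}
	chain = chains[0]
	for _, c := range chains {
		if len(c) < len(chain) {
			chain = c
		}
	}
	return chain, h.EVRoots[Fingerprint(chain[len(chain)-1])], nil // EV comes from the meta-data, not the certs
}

func main() {
	h, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	for _, store := range [][]*x509.Certificate{{h.PCA3}, {h.PCA3, h.PCA3G5}} { // old browser, then one with G5
		chain, ev, err := ShortestChain(h, store...)
		fmt.Println(len(chain), "certs, EV:", ev, "err:", err)
	}
}
```

Run it with `go run`: the first store models an old browser that only knows PCA3, the second a store that has also obtained PCA3-G5. The model makes one caveat visible: both stores reach a trusted root, so the trust decision is the same either way, but the EV decision depends entirely on which of the two valid paths the client's path builder prefers, and a verifier that stops at the first path it finds, or that prefers the longer one, would reach a different EV result from the same certificates.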

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
