Re: About upcoming limits on trusted certificates

2020-03-13 Thread Santhan via dev-security-policy 
On Wednesday, March 11, 2020 at 4:11:56 PM UTC-7, Kathleen Wilson wrote: 
> To start with, it is common for a domain name to be purchased for one 
> year. A certificate owner that was able to prove ownership/control of 
> the domain name last year might not have renewed the domain name. So why 
> should they be able to get a renewal cert without having that re-checked?

I thought Domain control must be validated each time, or at least that use to 
be the case (as I remember it from a long time ago). So I went looking for the 
particular text and noted it was changed in BR 1.5.2. 

BR 1.5.1 section 3.2.2.4, paragraph 2 states,

"The CA SHALL confirm that, as of the date the Certificate issues...".

BR 1.5.2 section 3.2.2.4, paragraph 2 states,

"The CA SHALL confirm that prior to issuance..."

I've always interpreted 3.2.2.4's "as of the date" to mean that regardless of 
the reuse allowance, domain validate must be performed every single time, which 
made a lot of sense. Why ballot 190 changed this is a mystery to me. 

Thanks,
Santhan
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-10 Thread Santhan via dev-security-policy 
On Tuesday, September 10, 2019 at 6:53:47 AM UTC-7, Robin Alden wrote:
> > The aforementioned comments, however, indicate CAs have reported that 
> > Microsoft does [require the EKU chaining].
> I agree that statement is true, but I think it inadvertently misleads.
> 
> We cannot speak for Microsoft about what their requirements for 
> id-kp-OCSPSigning are, and we are not aware of documentation from Microsoft 
> that sets out the answer, but we do have experience that sheds some light on 
> the matter.
> 
> The Scenario
> ===
> We are a root CA.
> In compliance with Mozilla CA policy we signed a constrained intermediate CA 
> certificate whose public key corresponded to a private key held by a customer 
> organization.
> The constrained intermediate CA was to sign end entity certificates.
> The constrained intermediate CA was not directly to sign OCSP responses, but 
> instead was to sign an OCSP responder certificate that would be used to sign 
> OCSP responses.
> 
> The intermediate CA certificate included an EKU, but the EKU did not include 
> id-kp-OCSPSigning.
> 
> The first certificate that the intermediate CA was to sign was the OCSP 
> responder certificate, and the OCSP responder certificate was to include an 
> EKU with id-kp-OCSPSigning.
> 
> The Problem
> ===
> The customer was using Microsoft's Certificate Authority platform to issue 
> end entity certificates using the Intermediate CA.
> 
> The customer found they were unable to issue the OCSP responder certificate 
> (including id-kp-OCSPSigning) because the Microsoft CA software would not 
> issue such a certificate since the signing CA (i.e. the intermediate CA) had 
> an EKU but did not include id-kp-OCSPSigning.  I.e. Microsoft's Certificate 
> Authority requires EKU chaining.
> 
> An 'obvious' solution would have been to re-issue the Intermediate CA 
> certificate and include id-kp-OCSPSigning in its EKU.  Obviously wrong in 
> this case since had we done so the Intermediate CA (i.e. our customer) would 
> then have been able to sign OCSP responses for any certificate issued by our 
> Root CA.
> 
> Another solution would have been to re-issue the Intermediate CA certificate 
> and omit the EKU extension altogether but this would have been against policy 
> since the BRs require the EKU to be present for a CA to be considered 
> technically constrained.
> 
> The fix
> =
> The work around was for us to create for our customer a second CA certificate 
> that had an EKU including id-kp-OCSPSigning and used the same public key and 
> subjectDN as the Intermediate CA certificate, but this time for us to sign it 
> with an untrusted CA.
> 
> We anticipate that the customer could also have created a self-signed CA for 
> themselves using the Intermediate CA key, but did not test that.
> 
> The Microsoft CA Platform was then happy to sign an OCSP responder 
> certificate including id-kp-OCSPSigning from this second untrusted CA.
> Since the key and subjectDN for the untrusted CA are the same as the key and 
> subjectDN of the Intermediate CA certificate, this OCSP responder certificate 
> also chains up through the Issuing CA to our trusted root.
> 
> The OCSP responder could now be provisioned and the Intermediate CA could 
> then begin to issue end entity certificates whose OCSP responses were signed 
> by the OCSP responder certificate's key.
> 
> The take-away
> 
> The OCSP responses for the end entity certificates worked fine with browsers 
> on the web.
> As far as the relying parties were concerned, the only certificate that 
> included id-kp-OCSPSigning was the OCSP responder certificate.  No other 
> certificate in the chain included id-kp-OCSPSigning.
> 
> So, while it is true to say that "Microsoft does require the EKU chaining", 
> for id-kp-OCSPSigning the only place we have observed them to require it is 
> in the Microsoft Certificate Authority software.
> 
> We have no reason to believe that their operating systems or browsers require 
> EKU chaining for id-kp-OCSPSigning in the web PKI.
> 
> Does anyone have any evidence to the contrary?
> 
> Regards
> Robin Alden
> Sectigo Limited

This sounds right to me and I definitely remember ADCS behaving this way. Also 
the CRLF_IGNORE_INVALID_POLICIES flag will let you override and issue 
regardless, but obviously not recommended because it overrides all policy 
errors. 

Thanks,
Santhan
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-03 Thread Santhan via dev-security-policy 
On Thursday, August 29, 2019 at 4:37:04 PM UTC-7, Jacob Hoffman-Andrews wrote:
> Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652
> 
> On 2019.08.28 we read Apple’s bug report at 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP 
> responder returning incorrect results for a precertificate. This prompted us 
> to run our own investigation. We found in an initial review that for 35 of 
> our precertificates, we were serving incorrect OCSP results (“unauthorized” 
> instead of “good”). Like DigiCert, this happened when a precertificate was 
> issued, but the corresponding certificate was not issued due to an error.
> 
> We’re taking these additional steps to ensure a robust fix:
>   - For each precertificate issued according to our audit logs, verify that 
> we are serving a corresponding OCSP response (if the precertificate is 
> currently valid).
>   - Configure alerting for the conditions that create this problem, so we can 
> fix any instances that arise in the short term.
>   - Deploy a code change to Boulder to ensure that we serve OCSP even if an 
> error occurs after precertificate issuance.

Out of curiosity, what software is checking OCSP for a pre-cert and why? Why 
does any software need the OCSP status of a pre-cert when it doesn't have the 
corresponding final cert?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy