Re: Revoking Trust in one ANSSI Certificate
Am 2013-12-11 23:59, schrieb Gervase Markham: Look again. It seems that it now contains 1106 certificates (!), with widely varying revocation dates. Can't confirm that for any of the following CRL DPs: http://www.icp.minefi.gouv.fr/igca.crl (1 entry) http://www.icp.minefi.gouv.fr/ac-racine.crl (empty) http://crl1.dgtpe.fr/AC_Racine_DGTPE.crl (empty) These are the CRL DPs in the first, second and third sub-ca cert, respectively (containing the revocations for the root, first SubCA and second SubCA). The CRL for the third Sub-CA has 1110 certificates, but there is no CRL DP pointing to it in the fourth cert - you need to manually get it from http://crl1.dgtpe.fr/AC_DGTPE_Signature_Authentification.crl According to that CRL, the fourth Sub-CA is indeed revoked. The first revoked serial is 0x0313DC, the last one is 0x031F90. That's a range of ~3000 certificates. That's a lot of revocations, but that doesn't need to mean much. 432 are Key compromise 323 are Superseded 268 are Cessation Of Operation 42 are Affiliation Changed and I think the rest is without a reason extension. Kind regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention FROM NG in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
Le 11/12/13 01:08, Kathleen Wilson a écrit : Based on the list that Rob provided, there may be other domains that we might consider including. For example: *.ac-martinique.fr *.ac-creteil.fr *.ac-orleans-tours.fr *.education.fr *.ac-poitiers.fr As this list includes domains from the ministry of education (the ac- prefix is for academy), I feel obliged to point out the following : http://www.education.gouv.fr/cid3/les-rectorats-et-services-departementaux-de-l-education-nationale.html According to this page (from the french national education administration, which is one of the biggest, if not the biggest administrative body in France), there are actually 30 academies (regional bodies of the ministry of education), whose domains are : *.ac-aix-marseille.fr *.ac-amiens.fr *.ac-besancon.fr *.ac-bordeaux.fr *.ac-caen.fr *.ac-clermont.fr *.ac-corse.fr *.ac-creteil.fr *.ac-dijon.fr *.ac-grenoble.fr *.ac-guadeloupe.fr *.ac-guyane.fr *.ac-lille.fr *.ac-limoges.fr *.ac-lyon.fr *.ac-martinique.fr *.ac-mayotte.fr *.ac-montpellier.fr *.ac-nancy-metz.fr *.ac-nantes.fr *.ac-nice.fr *.ac-orleans-tours.fr *.ac-noumea.nc *.ac-paris.fr (and *.sorbonne.fr as well ?) *.ac-poitiers.fr *.ac-polynesie.pf *.ac-reims.fr *.ac-rennes.fr *.ac-reunion.fr *.ac-rouen.fr *.ac-spm.fr *.ac-strasbourg.fr *.ac-toulouse.fr *.ac-versailles.fr *.ac-wf.wf Or maybe they all should be put under *.education.fr ? S. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On Wed, Dec 11, 2013 at 1:49 AM, Samuel L samuel.la...@sealweb.eu wrote: Le 11/12/13 01:08, Kathleen Wilson a écrit : Based on the list that Rob provided, there may be other domains that we might consider including. For example: *.ac-martinique.fr *.ac-creteil.fr *.ac-orleans-tours.fr *.education.fr *.ac-poitiers.fr [snip] According to this page (from the french national education administration, which is one of the biggest, if not the biggest administrative body in France), there are actually 30 academies (regional bodies of the ministry of education), whose domains are : snip Thanks for the very helpful information. I think we should first ask ANSSI to help those academies migrate to a different CA. My understanding is that the French government already has used certificates from other CAs: Entrust: https://www.amendes.gouv.fr/portail/index.jsp?lang=en Certplus/Certinomis: https://www.tresor.economie.gouv.fr/autorisations-prealables-des-investissements-etrangers-en-france So, it seems reasonable to think we could work with ANSSI to coordinate the migration of websites that aren't serving critical government functions to the other CAs that the French government is already using, in a reasonably fast timeframe. I'd like us to try that first. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On 10/12/13 06:20, Jan Schejbal wrote: The third sub-ca cert (Subject AC DGTPE Signature Authentification) includes a CRL DP for a CRL issued by sub-ca 2, validity 2011-09-09 to 2014-09-13. The CRL is empty. Look again. It seems that it now contains 1106 certificates (!), with widely varying revocation dates. It would be interesting to know by what process this happened. Were these certs revoked in the past but the CRL not updated due to some technical issue? Or have they just decided to do a blanket revocation of every cert issued? Or something else? Am I correct in the assumption that this means that the only way this CA can deal with Sub-CA compromises effectively is asking for an emergency update of all software relying on the certificates? AIUI, yes. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
Am 2013-12-10 12:09, schrieb Jan Schejbal: 5. Appears unable to operate a CA properly as per Erwann's mail (e.g. no valid CRLs). I had a look at the CRLs of the certificates in the chain. The first sub-ca cert in the chain (Subject MINEFI-AUTORITE DE CERTIFICATION RACINE) includes a CRL DP which provides a CRL issued by the root, valid from 2013-12-01 through 2014-01-08. This CRL contains one certificate with a revocation date in 2008. The second sub-ca cert (Subject AC Racine DGTPE) includes a CRL DP for a CRL issued by sub-ca 1, validity 2013-06-04 to 2015-06-04. The CRL is empty. The third sub-ca cert (Subject AC DGTPE Signature Authentification) includes a CRL DP for a CRL issued by sub-ca 2, validity 2011-09-09 to 2014-09-13. The CRL is empty. The fourth and final sub-ca cert (Subject AC DG Trésor SSL), does not contain a CRL DP. Thus, if I understand it correctly, the CA cannot effectively revoke the Trésor Sub-CA without revoking other Sub-CAs. Further, any revocation will have limited effectiveness for at least one month, since signed CRLs valid until then already exist for the entire chain. Even then, the CA would need to revoke the MINEFI Sub-CA - otherwise, the revocation will have limited effectiveness for many more months. No OCSP responders are specified in the certificates. Am I correct in the assumption that this means that the only way this CA can deal with Sub-CA compromises effectively is asking for an emergency update of all software relying on the certificates? (Even under the assumption that software does check CRLs, that is.) By the way, CAs were informed in February 2012 that they will need to comply with v1 of the CAB BR by July 2012. These requirements already state that OCSP is mandatory effective January 2013. They also explicitly prohibit CRLs with nextUpdate values more than 12 months from the thisUpdate value. Such a CRL was issued in 2013, i.e. long after the effective date of the BR. The 2011 audit statement https://bug666771.bugzilla.mozilla.org/attachment.cgi?id=661038 appears to claim that they fulfill the 1.0 BR, however, they seem to have audited themselves?!? Kind regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention FROM NG in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On 10/12/13 00:48, Erwann Abalea wrote: Le lundi 9 décembre 2013 23:15:01 UTC+1, Brian Smith a écrit : One thing that would really help would be an attempt to document which publicly-accessible websites are using certificates that chain (only) to the ANSSI root. I heard the claim that most French public government websites actually use certificates that chain to a different CA. That has led me to wonder how much the ANSSI root is actually used by public websites. Having a list of domains that use certs that chain to ANSSI root is likely to have some significant bearing on the decisions about what to do. But, it will be a while before I would have time to compile such a list. Working on such a list on my spare time. Unfortunately, it's not a small hierarchy. Attached is a list of server identities (SAN-dNSNames, SAN-iPAddresses and Subject-CNs) from all the certs I can find that chain only to the CN = IGC/A Root and that would be trusted for server authentication by browsers. I tried to send a larger file just now (with more info), but I'd forgotten that this list has a 40KB limit on attachments. Hopefully it won't reject this .zip file... -- Rob Stradling Senior Research Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On Mon, Dec 9, 2013 at 2:17 PM, Jan Schejbal jan.schejbal_n...@gmx.dewrote: I would really love to see the explanation how someone accidentally issues and deploys a MitM Sub-CA... I think it will turn out to be essentially the same reason that Microsoft got burned with the Flame attack. Just because an organization has PKI expertise does not mean that it is evenly shared in the organization or that everyone understands what the constraints are. The organization does not have managing crypto as its primary goal so the processes that manage the CA do not include awareness of current crypto affairs as a requirement. I have similar concerns about DANE. The expectations that are placed on the registries and registrars are quite interesting. -- Website: http://hallambaker.com/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On Tue, Dec 10, 2013 at 4:08 PM, Kathleen Wilson kwil...@mozilla.com wrote: Constrain the currently-included IGC/A root certificate to a certain set of domains. I think the restriction needs to be along the lines of *.gouv.fr. I think it might help to explain the rationale for the choice of *.gouv.fr: ANSSI is run by the French government and *.gouv.fr are government websites. Thus, restricting ANSSI to issuing certificates under *.gouv.fr limits the negative impact of any mis-issuance to French government websites--i.e. they could only harm themselves if so restricted. Also, enabling *.gouv.fr sites that use ANSSI-issued certificates to continue working would minimize disruption to essential government services, like tax collecting, etc. Removing ANSSI completely may be too disruptive to these essential services. My personal opinion is that it is unlikely that all other browsers would follow us if we completely removed ANSSI, but I think it would be reasonable to expect other browsers to add constraints to *.gouv.fr. In case it isn't obvious, I support this proposal. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
From the information we have to date, I think the CAs that try hard to run a conformant operation can be justifiably upset that this behaviour is tolerated. All the best. Tim. On Dec 9, 2013, at 4:19 PM, Eddy Nigg eddy_n...@startcom.org wrote: On 12/09/2013 11:12 PM, From Ryan Sleevi: According to https://wiki.mozilla.org/CA:Communications#January_10.2C_2013 (see the Responses section), this CA has indicated that they do not expect to begin operating in full compliance to the Baseline Requirements and to Mozilla's 2.1 Inclusion Policy until Dec 2015/January 2016. Thanks Ryan - then we probably should understand what Mozilla does or intends to do in such cases. Maybe this shows that something must be done (when we are assuming that by today every CA is compliant already and this should not be possible according to BR AND Mozilla's requirements). -- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP:start...@startcom.org Blog: http://blog.startcom.org/ Twitter: http://twitter.com/eddy_nigg ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
Let's start with the basics: what is the cert subject, serial number, date info? None of the four browser notices provided any of that. Surely there is no reason to keep it secret, is there?From: Jan SchejbalSent: Monday, December 9, 2013 1:19 PMTo: mozilla-dev-security-pol...@lists.mozilla.orgReply To: jan.schejbal_n...@gmx.deSubject: Re: Revoking Trust in one ANSSI CertificateHi,could we please have the certificates/chains involved in this, and couldthe corresponding bug (I assume there is one) maybe be made public?Especially of interest would be the dates when the certificates wereissued, when they were first used for MitM, when this was reported tothe CA by Google, and when the CA revoked the certificate.From what I understood, the hierarchy was as follows:ANSSI+-Treasury Sub-CA +-MitM-CA (installed on MitM device)+-Fake endpoint certificatesIs this assumption correct? If so:Was the "Treasury Sub-CA" revoked, or only the "MitM-CA"?Which of these certs are the ones blacklisted by Mozilla?The publicly available information about this is currently quitelimited. Having a meaningful debate on that basis is difficult.We already had a similar case once - Trustwave. The differences are thatthey admitted it before getting caught, and that since that incident,everyone remotely involved in PKI management should know that this issomething you don't do.I would really love to see the explanation how someone accidentallyissues and deploys a MitM Sub-CA...Kind regards,Jan___dev-security-policy mailing listdev-security-policy@lists.mozilla.orghttps://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
Brian,I was thinking it would be beneficial if ANSSI would provide a host:port that would have the bad chain installed. This allows for anyone to check if their browser has been updated to un-trust the intermediate.I make this suggestion in addition to the points you raise below, and I think it's fair to ask this of any CA that behaves badly. From: Brian SmithSent: Monday, December 9, 2013 4:15 PMTo: Eddy NiggCc: mozilla-dev-security-pol...@lists.mozilla.orgSubject: Re: Revoking Trust in one ANSSI CertificateOne thing that would really help would be an attempt to document whichpublicly-accessible websites are using certificates that chain (only)to the ANSSI root. I heard the claim that most French publicgovernment websites actually use certificates that chain to adifferent CA. That has led me to wonder how much the ANSSI root isactually used by public websites. Having a list of domains that usecerts that chain to ANSSI root is likely to have some significantbearing on the decisions about what to do. But, it will be a whilebefore I would have time to compile such a list.I think it would also help to document in this thread the ways we knowthat ANSSI is not complying with our CA program. Lack of OCSP AIA URIin the certificates is one example. Are there other ways that ANSSI isnon-compliant?Cheers,BrianOn Mon, Dec 9, 2013 at 1:18 PM, Eddy Nigg eddy_n...@startcom.org wrote: On 12/09/2013 11:12 PM, From Ryan Sleevi: According to https://wiki.mozilla.org/CA:Communications#January_10.2C_2013 (see the Responses section), this CA has indicated that they do not expect to begin operating in full compliance to the Baseline Requirements and to Mozilla's 2.1 Inclusion Policy until Dec 2015/January 2016. Thanks Ryan - then we probably should understand what Mozilla does or intends to do in such cases. Maybe this shows that something must be done (when we are assuming that by today every CA is compliant already and this should not be possible according to BR AND Mozilla's requirements). -- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP:start...@startcom.org Blog:http://blog.startcom.org/ Twitter: http://twitter.com/eddy_nigg ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy-- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)___dev-security-policy mailing listdev-security-policy@lists.mozilla.orghttps://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
