Closed
Bug 1091232
Opened 10 years ago
Closed 10 years ago
Regenerate Pinning list due to October 2014 batch of root changes
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla36
People
(Reporter: kwilson, Assigned: keeler)
References
Details
Attachments
(1 file, 1 obsolete file)
9.14 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
Please regenerate the pinning list and notify the corresponding site operators regarding the October 2014 batch of root changes in Bug #1088147 In particular, the following root certificates will either be removed or have their websites trust bit turned off. Bug #986014 "Thawte Server CA", "Thawte Premium Server CA", "Verisign Class 3 Public Primary Certification Authority - G2", "Equifax Secure eBusiness CA 1", Bug #1047011 // "GTE CyberTrust Global Root", already commented out Bug #1083294 "America Online Root Certification Authority 1", "America Online Root Certification Authority 2",
Comment 1•10 years ago
|
||
What will happen to sites that pinned these keys using the HPKP mechanism? It seems incomplete to regenerate the preloaded list without also doing something for HPKP-based key pinning.
Assignee | ||
Comment 2•10 years ago
|
||
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #1) > What will happen to sites that pinned these keys using the HPKP mechanism? > It seems incomplete to regenerate the preloaded list without also doing > something for HPKP-based key pinning. Given that next to zero sites are using HPKP, I don't think it's worth the added complexity to address this at the moment. It's not even clear to me what the right thing to do is - in theory if a site has added a pin corresponding to the key of a root we're removing, they could still send that root as cross-signed by another root. In that case, we would want to keep and enforce that pin.
Assignee | ||
Comment 3•10 years ago
|
||
Assignee | ||
Comment 4•10 years ago
|
||
Comment on attachment 8524783 [details] [diff] [review] patch Review of attachment 8524783 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/manager/boot/src/StaticHPKPins.h @@ -40,5 @@ > "MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8="; > > -/* America Online Root Certification Authority 1 */ > -static const char kAmerica_Online_Root_Certification_Authority_1Fingerprint[] = > - "I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk="; The changes in this file could wait for the Saturday automatic update if we wanted. ::: security/manager/tools/PreloadedHPKPins.json @@ +128,5 @@ > "AffirmTrust Networking", > "AffirmTrust Premium", > "AffirmTrust Premium ECC", > + // "America Online Root Certification Authority 1", > + // "America Online Root Certification Authority 2", Google doesn't appear to have these in transport_security_state_static.certs @@ +176,4 @@ > "thawte Primary Root CA", > "thawte Primary Root CA - G2", > "thawte Primary Root CA - G3", > + // "Thawte Server CA", I think Google does have these in transport_security_state_static.certs, but the way we create our own Google pinset means we don't pick them up - I imagine this should be fixed?
Comment 5•10 years ago
|
||
Comment on attachment 8524783 [details] [diff] [review] patch Review of attachment 8524783 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/manager/tools/PreloadedHPKPins.json @@ +128,5 @@ > "AffirmTrust Networking", > "AffirmTrust Premium", > "AffirmTrust Premium ECC", > + // "America Online Root Certification Authority 1", > + // "America Online Root Certification Authority 2", Maybe we should send followup mail to agl. @@ +176,4 @@ > "thawte Primary Root CA", > "thawte Primary Root CA - G2", > "thawte Primary Root CA - G3", > + // "Thawte Server CA", We could pick them up the same way we did facebook's intermediate (before Chromium started pinning them).
Attachment #8524783 -
Flags: review?(mmc) → review+
Assignee | ||
Comment 6•10 years ago
|
||
I decided to land this without the changes to the generated static pins file, since they included unrelated changes. That file will get updated on Saturday (hopefully). In the case of the deprecated roots on Google's list, AGL said it's ok to remove them. https://hg.mozilla.org/integration/mozilla-inbound/rev/82967a14f25f
Attachment #8524783 -
Attachment is obsolete: true
Attachment #8525445 -
Flags: review+
https://hg.mozilla.org/mozilla-central/rev/82967a14f25f
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•