Closed Bug 1091232 Opened 10 years ago Closed 10 years ago

Regenerate Pinning list due to October 2014 batch of root changes

Categories: Core :: Security: PSM, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla36
People: Reporter: kwilson, Assigned: keeler
Attachments: 1 file, 1 obsolete file

Please regenerate the pinning list and notify the corresponding site operators regarding the October 2014 batch of root changes in Bug #1088147

In particular, the following root certificates will either be removed or have their websites trust bit turned off.

Bug #986014
"Thawte Server CA",
"Thawte Premium Server CA",
"Verisign Class 3 Public Primary Certification Authority - G2", 
"Equifax Secure eBusiness CA 1",

Bug #1047011
// "GTE CyberTrust Global Root",
already commented out

Bug #1083294
"America Online Root Certification Authority 1",
"America Online Root Certification Authority 2",

What will happen to sites that pinned these keys using the HPKP mechanism? It seems incomplete to regenerate the preloaded list without also doing something for HPKP-based key pinning.
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #1)
> What will happen to sites that pinned these keys using the HPKP mechanism?
> It seems incomplete to regenerate the preloaded list without also doing
> something for HPKP-based key pinning.

Given that next to zero sites are using HPKP, I don't think it's worth the added complexity to address this at the moment. It's not even clear to me what the right thing to do is - in theory if a site has added a pin corresponding to the key of a root we're removing, they could still send that root as cross-signed by another root. In that case, we would want to keep and enforce that pin.
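The cross-signing case described in the reply above, as an added illustration (not part of this bug and not Mozilla's pin-checking code): a minimal model of HPKP pin evaluation per RFC 7469, where a pin is satisfied if any certificate in the validated chain carries a pinned SubjectPublicKeyInfo. The "Other Root", the site and intermediate names, and every SPKI byte string are constructed placeholders; only the America Online root name comes from this bug.

```python
import base64
import hashlib


def pin_of(spki: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo)), RFC 7469 section 2.4."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


# Constructed placeholder SPKIs so the example runs offline; a real SPKI is the
# DER-encoded public key, and the pin is computed over exactly those bytes.
SPKI = {
    "leaf": b"constructed-spki-leaf",
    "intermediate": b"constructed-spki-intermediate",
    "other_intermediate": b"constructed-spki-other-intermediate",
    "aol_root": b"constructed-spki-america-online-root-1",
    "other_root": b"constructed-spki-other-root",
}


def cert(subject: str, key: str, issuer: str) -> dict:
    return {"subject": subject, "spki": SPKI[key], "issuer": issuer}


def path_is_trusted(chain, trust_anchors) -> bool:
    """Name chaining only: each cert's issuer is the next cert's subject and the
    last cert's subject is an installed trust anchor. Signature and validity
    checks are left out of this illustration."""
    for cur, nxt in zip(chain, chain[1:]):
        if cur["issuer"] != nxt["subject"]:
            return False
    return chain[-1]["subject"] in trust_anchors


def pins_satisfied(chain, pins) -> bool:
    """RFC 7469 section 2.6: the pin passes if ANY certificate in the validated
    chain carries a pinned SPKI, so a pin on a root key also matches that same
    key when it appears as a cross-signed intermediate."""
    return any(pin_of(c["spki"]) in pins for c in chain)


def evaluate(chain, trust_anchors, pins) -> str:
    if not path_is_trusted(chain, trust_anchors):
        return "untrusted"
    if not pins_satisfied(chain, pins):
        return "pin-failure"
    return "ok"


AOL = "America Online Root Certification Authority 1"
OTHER = "Other Root"  # hypothetical root that stays in the trust store

leaf = cert("www.example.test", "leaf", "Example Intermediate")
intermediate = cert("Example Intermediate", "intermediate", AOL)
aol_self_signed = cert(AOL, "aol_root", AOL)
aol_cross_signed = cert(AOL, "aol_root", OTHER)  # same key, signed by OTHER
other_root = cert(OTHER, "other_root", OTHER)
leaf2 = cert("www.example.test", "leaf", "Other Intermediate")
other_intermediate = cert("Other Intermediate", "other_intermediate", OTHER)

# The site's HPKP policy pins only the America Online root key, with no backup pin.
SITE_PINS = {pin_of(SPKI["aol_root"])}


def scenarios() -> dict:
    before = {AOL, OTHER}  # trust store before the root change
    after = {OTHER}        # trust store once the America Online root is dropped
    return {
        "before_removal": evaluate([leaf, intermediate, aol_self_signed], before, SITE_PINS),
        "after_removal_same_chain": evaluate([leaf, intermediate, aol_self_signed], after, SITE_PINS),
        "after_removal_cross_signed": evaluate(
            [leaf, intermediate, aol_cross_signed, other_root], after, SITE_PINS),
        "after_removal_reissued": evaluate([leaf2, other_intermediate, other_root], after, SITE_PINS),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The four outcomes show the point made in the reply: once the root is gone, the old chain is simply untrusted (pinning never gets evaluated), but if the site serves the same root key cross-signed by a root that remains trusted, the existing pin still matches and should still be enforced. The last scenario, a site reissued from another CA while its only pin is on the removed root key, is the one that breaks, which is why RFC 7469 requires a backup pin.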
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8524783 - Flags: review?(mmc)
Comment on attachment 8524783 [details] [diff] [review]
patch

Review of attachment 8524783 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/manager/boot/src/StaticHPKPins.h
@@ -40,5 @@
>    "MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8=";
>  
> -/* America Online Root Certification Authority 1 */
> -static const char kAmerica_Online_Root_Certification_Authority_1Fingerprint[] =
> -  "I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk=";

The changes in this file could wait for the Saturday automatic update if we wanted.

::: security/manager/tools/PreloadedHPKPins.json
@@ +128,5 @@
>          "AffirmTrust Networking",
>          "AffirmTrust Premium",
>          "AffirmTrust Premium ECC",
> +        // "America Online Root Certification Authority 1",
> +        // "America Online Root Certification Authority 2",

Google doesn't appear to have these in transport_security_state_static.certs

@@ +176,4 @@
>          "thawte Primary Root CA",
>          "thawte Primary Root CA - G2",
>          "thawte Primary Root CA - G3",
> +        // "Thawte Server CA",

I think Google does have these in transport_security_state_static.certs, but the way we create our own Google pinset means we don't pick them up - I imagine this should be fixed?
Comment on attachment 8524783 [details] [diff] [review]
patch

Review of attachment 8524783 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/manager/tools/PreloadedHPKPins.json
@@ +128,5 @@
>          "AffirmTrust Networking",
>          "AffirmTrust Premium",
>          "AffirmTrust Premium ECC",
> +        // "America Online Root Certification Authority 1",
> +        // "America Online Root Certification Authority 2",

Maybe we should send followup mail to agl.

@@ +176,4 @@
>          "thawte Primary Root CA",
>          "thawte Primary Root CA - G2",
>          "thawte Primary Root CA - G3",
> +        // "Thawte Server CA",

We could pick them up the same way we did facebook's intermediate (before Chromium started pinning them).
Attachment #8524783 - Flags: review?(mmc) → review+
Attached patch patch v2 — Splinter Review
I decided to land this without the changes to the generated static pins file, since they included unrelated changes. That file will get updated on Saturday (hopefully).

In the case of the deprecated roots on Google's list, AGL said it's ok to remove them.

https://hg.mozilla.org/integration/mozilla-inbound/rev/82967a14f25f
Attachment #8524783 - Attachment is obsolete: true
Attachment #8525445 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/82967a14f25f
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36