Closed Bug 1299579 Opened 8 years ago Closed 8 years ago

Add Hongkong Post e-Cert CA 1 - 10 to OneCRL

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: mgoodwin)

Attachments

(3 files)

As per Bug #1267332:
Comment 4: "Hongkong Post e-Cert CA 1 - 10" will continue to issue client certificates to individuals
and
Comment 5: The real problem here is that the issuing certificate is using SHA-1 with predictable serial numbers.

As stated in the discussion in mozilla.dev.security.policy: "Hongkong Post e-Cert CA 1 - 10" is technically capable of issuing SSL certificates (that is, it's not constrained in any way to prevent it). We further know this precisely because it was, in the past, used to issue such certificates, and because in the present, it's still trusted for such certificates - because you have them expiring.
Reference: https://groups.google.com/d/msg/mozilla.dev.security.policy/Ng99HcqhZtI/bkcimGlECAAJ

Therefore, I think we should add the attached intermediate certificates to OneCRL.

issuer:      C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
not before:  Sat Jan 09 2010 06:09:23 GMT-0800 (PST)
not after:   Sun May 14 2023 21:52:29 GMT-0700 (PDT)
subject:     C=HK, O=Hongkong Post, CN=Hongkong Post e-Cert CA 1 - 10
sha1 hash:   3C:8C:89:7A:80:67:71:35:65:62:62:01:E9:EB:20:26:2E:1D:58:CB
sha256 hash: 52:74:CC:53:BC:06:1F:9F:98:44:30:F4:01:A9:D3:BA:35:A2:0C:EE:BC:E8:8E:6D:FA:71:B2:69:A7:C6:40:D2

issuer:      C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
not before:  Fri Jan 08 2010 23:21:56 GMT-0800 (PST)
not after:   Sun May 14 2023 21:52:29 GMT-0700 (PDT)
subject:     C=HK, O=Hongkong Post, CN=Hongkong Post e-Cert CA 1 - 10
sha1 hash:   8E:7D:C5:7B:71:9E:F6:ED:AF:E3:71:DC:93:2E:3B:D7:DA:86:C2:7A
sha256 hash: 44:E2:49:32:FB:1C:D3:0D:D9:4B:20:C2:F0:F3:B7:B9:EB:33:B5:C3:BF:C9:34:4B:C4:7A:51:67:BF:BD:2A:13
Assignee: nobody → mgoodwin
Matt, as discussed please run compatibility tests for this. Thanks!
Blocks: 1267332
What about our existing SSL server certs, which are still valid until 31 Dec 2016? The majority of those cert subscribers are offering government and public services to residents of Hong Kong, and I believe the impact on residents of Hong Kong will be huge when the browser suddenly prompts a warning that they are insecure. In fact, all those cert subscribers have their own plans to migrate to new SHA-256 SSL server certs by 31 Dec 2016. Are those existing SSL server certs going to be put in a whitelist at the same time?
Man, Please provide the number of SSL certs (signed by this intermediate) that expire in September, October, November, and December.
Kathleen, the number of SSL certs that are going to expire are:

September   18
October     28
November    24
December    17
In 2017     14 (They were issued before our transition plan in 2014. We will revoke them by 31 Dec 2016 as we committed earlier.)

Grateful if Mozilla would consider putting them in a whitelist, and Mozilla's effort is highly appreciated.
(In reply to Kathleen Wilson from comment #3)
> Matt, as discussed please run compatibility tests for this. Thanks!

Do you need any assistance with setting this up? If so, ni? me, please.
Flags: needinfo?(mwobensmith)
Hi Kathleen, please let me know how I should provide the list of "expiring" SSL certs to you and in what format, if a whitelist is considered.

BTW, if I can be useful for test cases, e.g. checking whether any other kinds of certs issued under this SubCA would be untrusted by Firefox, I volunteer to help as well.
Flags: needinfo?(kwilson)
Hi Man, after discussing with Mozilla engineers, here is the approach that we plan to take:

We will add the "Hongkong Post e-Cert CA 1 - 10" intermediate cert to OneCRL at the end of October.

Please replace all of the SSL certs chaining up to this intermediate cert that expire after October, because we do not plan to add them to a whitelist.

We believe that this is a reasonable compromise. However, if there is compelling evidence to do so, we will add the intermediate cert to OneCRL earlier -- we will let you know if this becomes necessary.
Flags: needinfo?(kwilson)
We have already sent notifications to the subscribers of those SSL certs that expire after October so that they can replace their SHA-1 SSL certs with SHA-256 SSL certs as soon as possible, before the end of October.

Furthermore, we will also revoke all existing valid SHA-1 SSL certs that expire after 31 December 2016 at the end of December 2016.
A run of TLS Canary on the top ~290,000 secure sites indicates no breakage for this removal. 

Testing note: 
I've not been able to test by blocking this cert directly via OneCRL. Instead, I isolated all top sites that chained to this cert's root, and then examined all of these sites' chains directly. None of them contained the intermediate cert included here, and therefore none should be affected by this change.
Flags: needinfo?(mwobensmith)
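Two technical points in this bug can be reproduced offline: the description's claim that an intermediate with no EKU constraint is technically able to issue TLS server certificates a browser will accept, and the testing note's approach of walking each site's served chain and looking for the block-listed intermediate. The Go program below is an added example written for this page; it is not Mozilla's, NSS's or Hongkong Post's code, and it does not use OneCRL's real record format. It builds a throwaway PKI with invented names (Example Root CA 1, Example e-Cert CA 1 - 10, www.example.gov.test), keys its block list by the colon-separated SHA-256 fingerprint form the description uses, and contrasts an unconstrained intermediate with one restricted to client authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 hash of the DER certificate in the
// colon-separated upper-case form used in the bug description.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// ChainBlocked reports whether any certificate in a served chain is on the block
// list (keyed by fingerprint here; an assumption of this example, not OneCRL's format).
func ChainBlocked(chain []*x509.Certificate, blocked map[string]bool) bool {
	for _, c := range chain {
		if blocked[Fingerprint(c)] {
			return true
		}
	}
	return false
}

// issue generates a P-256 key and a certificate for t signed by parent;
// a nil parent means the certificate is self-signed (the root).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// tmpl builds a certificate template. For a CA, ekus == nil omits the Extended
// Key Usage extension, leaving it technically able to issue certificates of any kind.
func tmpl(cn string, serial int64, ca bool, ekus []x509.ExtKeyUsage, dns []string) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"Example Post"}, CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: true,
		KeyUsage:     ku,
		ExtKeyUsage:  ekus,
	}
}

// ServerChainValid builds root -> intermediate -> TLS server leaf, with the
// intermediate carrying interEKU, and reports whether the leaf verifies for
// server authentication. The intermediate is returned so it can be block-listed.
func ServerChainValid(interEKU []x509.ExtKeyUsage) (bool, *x509.Certificate) {
	host := "www.example.gov.test" // invented hostname
	root, rootKey := issue(tmpl("Example Root CA 1", 1, true, nil, nil), nil, nil)
	inter, interKey := issue(tmpl("Example e-Cert CA 1 - 10", 2, true, interEKU, nil), root, rootKey)
	leaf, _ := issue(tmpl(host, 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{host}), inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil, inter
}

func main() {
	ok, inter := ServerChainValid(nil) // no EKU on the intermediate: unconstrained
	fmt.Println("unconstrained client-cert CA validates a server cert:", ok)
	blocked := map[string]bool{Fingerprint(inter): true}
	fmt.Println("chain containing it is caught by the block list:", ChainBlocked([]*x509.Certificate{inter}, blocked))
	ok, _ = ServerChainValid([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("client-auth-only CA validates a server cert:", ok)
}
```

Go's Verify requires the requested key usage to be satisfied along the whole chain, so the client-auth-only intermediate fails while the one with no EKU extension passes; the latter is the situation the description calls "technically capable". Against a real compatibility run, ChainBlocked would be applied to each site's captured chain in the same way the testing note describes.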
I ran the query against the dataset of the tls observatory and could only find 25 valid certificates from this issuer (out of ~1.8M certs).
Thanks, Matt and Julien, for checking the compatibility impact of this change!

Mark, Please add to OneCRL towards the end of this month, as per Comment #9.
Comment on attachment 8799530 [details]
TLS Observatory listing of websites using Hongkong Post Root CA 1

For your information, only 14 out of the 25 sites are using our SSL cert issued from the Sub CA "Hongkong Post e-Cert CA 1 - 10", which is the one to be added to OneCRL.

The other 11 sites are using our SSL cert issued from the SubCA "Hongkong Post e-Cert CA 1 - 15", which is BR-compliant, including:
www.tid.gov.hk
vs1.doj.gov.hk
www1.licensing.gov.hk
www2.licensing.gov.hk
www.heritage.gov.hk
www.csis.gov.hk
www.reo-form.gov.hk
xpms.hyd.gov.hk
e-services2.oro.gov.hk
e-services1.oro.gov.hk
e-learning.housingauthority.gov.hk
Depends on: 1309305
Blocks: onecrl-meta
Changing this bug to Resolved/Fixed, because the two 'Hongkong Post e-Cert CA 1 - 10' certificates have been added to OneCRL.

Note that currently Thunderbird also checks OneCRL, so adding the 'Hongkong Post e-Cert CA 1 - 10' certificates to OneCRL had the side effect of also blocking those certs in Thunderbird. Bug #1312827 was filed to investigate making OneCRL only apply to certificates used in TLS connections.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
(In reply to Kathleen Wilson from comment #15)
> Note that currently Thunderbird also checks OneCRL, so adding the 'Hongkong
> Post e-Cert CA 1 - 10' certificates to OneCRL had the side effect of also
> blocking those certs in Thunderbird. Bug #1312827 was filed to investigate
> making OneCRL only apply to certificates used in TLS connections.

Just FYI... The fix for Bug #1312827 (make OneCRL only apply to TLS server certificates) was uplifted to Thunderbird 45.7.