Open Bug 1317245 Opened 9 years ago Updated 3 years ago

Require id-kp-serverAuth for all TLS end-entity certificates

Categories: Core :: Security: PSM, defect, P3

People: Reporter gerv, Unassigned

Whiteboard: [psm-backlog]

Not sure if this is an NSS or a PSM thing; feel free to reroute.

Firefox should start requiring the presence of the extendedKeyUsage extension and the id-kp-serverAuth flag within that extension as a condition of treating a presented end-entity certificate as suitable for use in TLS. At the moment, we either require this condition or that EKU is not present. My proposal is to eliminate that second branch of the test.

Telemetry suggests that no-EKU usage is non-existent and so we should be safe.
https://mzl.la/2ePXFGM
https://ipv.sx/telemetry/general-v2.html?channels=release&measure=SSL_SERVER_AUTH_EKU&target=0&absolute=0&relative=1

Note that this would not apply to intermediate certificates.

The goal here is to have a clear, simple, well-defined and unambiguous condition as to what certs Firefox trusts, and so what certs are (generally) in scope for our root program requirements.

Gerv
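The two rules under discussion, the current "EKU absent or EKU lists id-kp-serverAuth" check and the proposed "EKU present and lists id-kp-serverAuth" check, as an added example that is not Firefox, NSS or mozilla::pkix code. It includes a small DER decoder for the extendedKeyUsage extension value (RFC 5280: SEQUENCE OF OBJECT IDENTIFIER) so that it runs offline on hand-encoded sample values; the sample bytes are constructed for the example, and the choice not to treat anyExtendedKeyUsage as a substitute for id-kp-serverAuth is the example's own assumption, not something the bug states.

```python
"""Added example (not Firefox/NSS/PSM code): apply the current and the proposed
TLS server-certificate EKU rules to the DER value of an extendedKeyUsage
extension. Assumption: anyExtendedKeyUsage does not stand in for serverAuth."""
from typing import Dict, List, Optional, Tuple

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = value[0]
    # The first octet packs the first two arcs: 40*X + Y for X in {0, 1}, 80 + Y for X = 2.
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    n = 0
    for b in value[1:]:  # remaining arcs are base-128 with a continuation bit
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> List[str]:
    """Parse an extendedKeyUsage extnValue into its list of dotted purpose OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE may contain only OBJECT IDENTIFIERs")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("EKU SEQUENCE must list at least one purpose")
    return oids


def current_policy_allows(eku_der: Optional[bytes]) -> bool:
    """Current rule: no EKU extension, or an EKU that includes id-kp-serverAuth."""
    if eku_der is None:
        return True
    return ID_KP_SERVER_AUTH in parse_eku(eku_der)


def proposed_policy_allows(eku_der: Optional[bytes]) -> bool:
    """Proposed rule: the EKU extension must be present and include id-kp-serverAuth."""
    if eku_der is None:
        return False
    return ID_KP_SERVER_AUTH in parse_eku(eku_der)


# Constructed sample extension values (hand-encoded DER, not taken from real certificates).
SAMPLES: Dict[str, Optional[bytes]] = {
    "no EKU extension": None,
    "serverAuth only": bytes.fromhex("300a06082b06010505070301"),
    "serverAuth + clientAuth": bytes.fromhex("301406082b0601050507030106082b06010505070302"),
    "clientAuth only": bytes.fromhex("300a06082b06010505070302"),
    "anyExtendedKeyUsage only": bytes.fromhex("30060604551d2500"),
}


def evaluate_samples() -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (allowed under current rule, allowed under proposed rule)}."""
    return {k: (current_policy_allows(v), proposed_policy_allows(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (now, proposed) in evaluate_samples().items():
        print(f"{label:26s} current={now!s:5s} proposed={proposed}")
```

The only row whose verdict changes between the two rules is the certificate with no EKU extension at all, which is exactly the branch the proposal removes; a certificate listing only clientAuth is rejected under both rules, so the change is narrower than "stricter EKU checking" in general.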
This may end up a duplicate of bug 985002 or vice-versa, but we can figure that out when we do the work.
Priority: -- → P2
See Also: → 985002
Whiteboard: [psm-backlog]
This is in fact a duplicate of 985002. See also 968817#c1 where I explained why this is a bad idea.
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #2)
> This is in fact a duplicate of 985002. See also 968817#c1 where I explained
> why this is a bad idea.

I had forgotten how bugzilla linking works: bug 985002 and bug 968817 comment 1.
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #2)
> This is in fact a duplicate of 985002. See also 968817#c1 where I explained
> why this is a bad idea.

But in bug 968817 comment 5 you say that we should try it.

Gerv
JC: is this something you could schedule in? I believe it's the right thing to do from a policy perspective, and I assume the code patch would be simple. Gerv
Flags: needinfo?(jjones)
Sure thing, Gerv. I'll take this on once the Symantec stuff is completed. Keeler says it's not 100% straightforward, but close enough.
Flags: needinfo?(jjones)
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Severity: normal → S3