Enable EV treatment for Symantec/DigiCert cross signatures

RESOLVED FIXED in Firefox 63

Status

()

enhancement
P1
major
RESOLVED FIXED
9 months ago
9 months ago

People

(Reporter: jcj, Assigned: jcj)

Tracking

(Blocks 1 bug)

Trunk
mozilla63
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox63+ fixed)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 attachment)

Assignee

Description

9 months ago
There is a late-breaking EV compatibility concern with cross signatures for EV certificates:

Firefox's EV handling code always validates EV using the first EV policy OID expressed in a certificate. For compatibility certificates issued under a cross-signed root, if the first EV policy OID matches the original Symantec EV policy OID, then Firefox will attempt to verify that the root CA matches the original Symantec EV CA -- which it won't, as the root will be one of DigiCert's.  EV treatment will break.

This could be addressed by:
1) Changing the issued certificates to place the Symantec EV policy OID after the new Digicert EV policy OID.

2) Refactoring moz::pkix to process lists of EV policy OIDs.

3) Adding appropriate DigiCert root fingerprints as valid for the Symantec EV policy OIDs.

4) Removing the Symantec EV policy OIDs and letting the moz::pkix algorithm pick other EV policy OIDs to validate.


I believe #1 is unworkable for backward compatibility reasons. I also believe #2 is too late in the cycle for a substantial change.

I think #3 and #4 are both feasible. We'll need to figure out which is lower risk.


Requesting tracking for Firefox 63, as this needs to ship with the rest of the Symantec work.
Jeremy: my understanding is that removing the Symantec-specific EV OIDs from Firefox's list and replacing them with the generic CABF EV OID will have the effect of causing Firefox to ignore the Symantec OID in a certificatePolicies extension and move on to an OID that it recognizes. Looking at the cert on www.paypal.com, this would work because it contains both the Symantec OID and the CABF OID. This is #4 above, and it seems like a cleaner solution than what I proposed to you over email (#3 above). Are you aware of any problems caused by this approach, such as certs that only contain a Symantec EV OID?
Flags: needinfo?(jeremy.rowley)

Comment 2

9 months ago
Not sure, but I don't think all browsers use the CAB Forum OID for EV yet. Doesn't MS use the OID tied to each customer? If so, we'd break MS for Mozilla. 

The bigger problem is in Japan where feature phones won't show EV with the CAB Forum OID. They require either the Symantec OID if traced through the Symantec roots or the Verizon OID if traced through the Verizon roots
Flags: needinfo?(jeremy.rowley)
My understanding is that the certs could continue to contain both OIDs and Firefox would ignore the Symantec OID. We would only be removing the OIDs from Firefox's list of recognized EV OIDs. The concern with this would be if there is a need to issue certs that Firefox recognizes as EV but that don't include the CABF OID (J.C. please correct me if I'm misunderstanding this).
Assignee

Comment 4

9 months ago
(In reply to Wayne Thayer [:wayne] from comment #3)
> My understanding is that the certs could continue to contain both OIDs and
> Firefox would ignore the Symantec OID. We would only be removing the OIDs
> from Firefox's list of recognized EV OIDs. The concern with this would be if
> there is a need to issue certs that Firefox recognizes as EV but that don't
> include the CABF OID (J.C. please correct me if I'm misunderstanding this).

That's exactly right. We wouldn't remove the Symantec OID from the certs, just remove it from Firefox so that Firefox effectively requires the CABF OID to be present for these certificates to get EV treatment.

Comment 5

9 months ago
Okay - what about the Japan issue? Or does Firefox not work with feature phones? (Never used one myself - this is all second hand info).
Assignee

Comment 6

9 months ago
I don't think feature phones use Firefox. Their existing code would be unaffected if the old Symantec OID remains in place.

I think.
Assignee

Comment 7

9 months ago
Just to follow up again, I think if we're doing option #4 then we don't need any more information from DigiCert and can just proceed pulling all EV OIDs associated with the Syamntec distrust. Does that seem correct, Wayne?
Flags: needinfo?(wthayer)
What about the whitelisted intermediates? I did some spot checks and it appears that Apple and Google don't issue EV from their intermediates. For the whitelisted DigiCert cross-certificates signed by Symantec roots, presumably DigiCert would always include the CABF OID. Can we trust Firefox to prefer the shorter chain to a DC root in this scenario? If not, option #3 seems slightly less risky to me.

Jeremy: do we need to be concerned with certs issued by the whitelisted intermediates asserting a Symantec EV OID and expecting EV treatment?
Flags: needinfo?(wthayer) → needinfo?(jeremy.rowley)

Comment 9

9 months ago
I can't think of any issues or concerns with the plan. Anything asserting EV treatment in Firefox can get it from the CAB Forum OID or DigiCert OID.
Flags: needinfo?(jeremy.rowley)

Comment 10

9 months ago
(In reply to J.C. Jones [:jcj] from comment #7)
> Just to follow up again, I think if we're doing option #4 then we don't need
> any more information from DigiCert and can just proceed pulling all EV OIDs
> associated with the Syamntec distrust. Does that seem correct, Wayne?

I believe that the DigiCert root entries in ExtendedValidation.cpp need to be updated to use the CABF EV OID. They might be using DigiCert-specific EV OIDs, because it was relatively recent that we started always using the CABF EV OID.

Comment 11

9 months ago
I also recommend having DigiCert create a list of EV websites that they will check before and after make this change. Just to be safe.

Comment 12

9 months ago
We use the DigiCert EV OIDs over the CAB Forum EV OIDs in most cases. Too many older systems don't support the CAB Forum OIDs. Talking internally, I can't see a reason to continue using the Symantec EV OIDs in certs chaining through a DC root. Instead of the CAB Forum OID, we'd probably assert the DC EV OID

Comment 13

9 months ago
(In reply to Jeremy Rowley from comment #12)
> We use the DigiCert EV OIDs over the CAB Forum EV OIDs in most cases. Too
> many older systems don't support the CAB Forum OIDs.


So DigiCert's EV certs don't all have both the CABF EV OID and the DigiCert EV OID?

Comment 14

9 months ago
We do include both. However, the DigiCert EV OID is listed first, CAB Forum second. If Mozilla is only checking the first OID, then it'll only see the DigiCert EV OID
Assignee

Comment 15

9 months ago
There is a late-breaking EV compatibility concern with cross signatures for EV
certificates:

Firefox's EV handling code always validates EV using the first EV policy OID
expressed in a certificate. For compatibility certificates issued under a cross-
signed root, if the first EV policy OID matches the original Symantec EV policy
OID, then Firefox will attempt to verify that the root CA matches the original
Symantec EV CA -- which it won't, as the root will be one of DigiCert's. Without
a patch, EV treatment will break.

This patch removes all EV policy OIDs for roots mentioned in TrustOverride-
SymantecData.inc, letting the moz::pkix algorithm pick other EV policy OIDs to
validate. I verified that I removed all affected OIDs using the BASH shell
commands:

$ cd security/certverifier
$ grep "CN=" TrustOverride-SymantecData.inc | sed -e 's/.*\(CN=.*\).*/\1/' |
  sort | uniq | while read r; do
    echo $r; grep "$r" ExtendedValidation.cpp;
  done

Reviewers should help me ensure that I did not remove any unexpected EV policy
OIDs.
Assignee

Comment 16

9 months ago
(In reply to Jeremy Rowley from comment #14)
> We do include both. However, the DigiCert EV OID is listed first, CAB Forum
> second. If Mozilla is only checking the first OID, then it'll only see the
> DigiCert EV OID

mozilla::pkix will always take the first OID in the certificate that is whitelisted in ExtendedValidation.cpp. So in this case, Firefox will use the DigiCert EV policy OID, but we'd be in a good state to deprecate that EV policy OID and move to the CABForum EV policy OID in the future. (But not changing anything like that in this bug!)
Comment on attachment 9005285 [details]
Bug 1486838 - Enable EV treatment for Symantec/DigiCert cross signatures r?keeler

Dana Keeler [:keeler] (she/her) (use needinfo) has approved the revision.
Attachment #9005285 - Flags: review+

Comment 18

9 months ago
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ba4dd979f8e1
Enable EV treatment for Symantec/DigiCert cross signatures r=keeler

Comment 19

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ba4dd979f8e1
Status: ASSIGNED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.