Closed Bug 1735386 Opened 3 years ago Closed 2 years ago

Revocation Checking for EV needs to be updated due to changes in the CABF Baseline Requirements

Categories

(Core :: Security: PSM, task, P1)

Tracking


RESOLVED FIXED
100 Branch
Tracking Status
firefox100 --- fixed

People

(Reporter: kwilson, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(2 files)

https://wiki.mozilla.org/CA/EV_Processing_for_CAs#Revocation_Checking

An additional consideration for receiving the EV UI is that revocation checking
must succeed via OCSP (or some future revocation checking mechanism) for the
end-entity and intermediate CA certificate(s). If the security.OCSP.enabled preference
is set to ‘0’, OCSP checking is not performed and the EV UI will not appear for
otherwise valid EV certificates.

So currently Firefox requires OCSP to pass for the intermediate certificates, otherwise EV treatment will not be given.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.1-redlined.pdf
Section 7.1.2.2, Subordinate CA Certificate profile, shows that the OCSP responder URL in the authorityInformationAccess field changed from MUST to SHOULD be present.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.0.pdf
Section 7.1.2.2, Subordinate CA Certificate profile, says:

b. cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical. It MUST
contain the HTTP URL of the CA’s CRL service.

c. authorityInformationAccess
This extension SHOULD be present. It MUST NOT be marked critical.
It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod =
1.3.6.1.5.5.7.48.2). It MAY contain the HTTP URL of the Issuing CA’s OCSP responder
(accessMethod = 1.3.6.1.5.5.7.48.1).

I just checked the very old versions of the BRs, and verified that the BRs have always required that the CRL be provided for intermediate certificates:
https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_3.pdf

Appendix B – Certificate Extensions (Normative)
(2) Subordinate CA Certificate
B. cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical. It MUST contain the HTTP URL of the CA’s CRL service.

So we can either use CRL or just depend on OneCRL for checking the revocation status of the intermediate certificate.

Note: The potential downside of only using OneCRL is that CAs are not currently required to disclose intermediate certificates that are technically-constrained (via Name Constraints) in the CCADB, which is where we get our OneCRL data.

Note: I filed https://github.com/mozilla/tls-observatory/issues/429 in regards to updating the EV Checker tool.

With the following updates, it is sufficient for us to only check OneCRL for revocations of intermediate certificates, even for EV.

  1. Per https://github.com/mozilla/pkipolicy/pull/229 Mozilla is planning to require that all intermediate certs chaining up to root certs in our program be disclosed in the CCADB, even those that are technically constrained.

  2. Apple announced in the CA/Browser Forum meeting today: "Effective April 1, 2022, CA providers must disclose in the CCADB all CA certificates which chain up to their CA Certificate(s) included in the Apple Root Program." (see https://www.apple.com/certificateauthority/ca_program.html)
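The BR 7.1.2.2 profile quoted above can be checked mechanically. The following is an added example, not code from this bug thread, from Firefox/PSM, or from the CA/Browser Forum: a dependency-free DER walker that parses a Subordinate CA certificate's Extensions sequence and reports the MUST/SHOULD findings for cRLDistributionPoints (b) and authorityInformationAccess (c). The hostnames and the two sample extension blocks are constructed for the example, and the small encoder at the bottom exists only to build them; an OCSP responder URL is treated as MAY, so a CRL-only intermediate passes.

```python
"""Check a Subordinate CA certificate's Extensions against BR 1.8.0 section 7.1.2.2
(b) cRLDistributionPoints and (c) authorityInformationAccess.
Added example; not code from the bug thread or from Firefox/PSM. Handles only the
DER structures these two extensions use (single-byte tags)."""

OID_CRL_DP = "2.5.29.31"
OID_AIA = "1.3.6.1.5.5.7.1.1"
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_CTX0 = 0xA0  # [0] constructed: distributionPoint / fullName
TAG_URI = 0x86   # [6] primitive: GeneralName.uniformResourceIdentifier


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extensions(ext_seq):
    """Extensions ::= SEQUENCE OF {extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING}"""
    _, content, _ = read_tlv(ext_seq, 0)
    exts = {}
    for _, ext in children(content):
        parts = list(children(ext))
        critical = any(t == 0x01 and v != b"\x00" for t, v in parts[1:-1])
        exts[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return exts


def crl_http_urls(value):
    """HTTP URLs from CRLDistributionPoints (fullName GeneralNames only)."""
    _, dps, _ = read_tlv(value, 0)
    urls = []
    for _, dp in children(dps):
        for t1, name in children(dp):
            if t1 != TAG_CTX0:
                continue
            for t2, names in children(name):
                if t2 == TAG_CTX0:
                    urls += [v.decode("ascii") for t3, v in children(names) if t3 == TAG_URI]
    return [u for u in urls if u.startswith("http://")]


def aia_http_urls(value):
    """{accessMethod OID: [HTTP URLs]} from AuthorityInfoAccessSyntax."""
    _, ads, _ = read_tlv(value, 0)
    out = {}
    for _, ad in children(ads):
        (_, oid), (tag, loc) = list(children(ad))
        if tag == TAG_URI and loc.startswith(b"http://"):
            out.setdefault(decode_oid(oid), []).append(loc.decode("ascii"))
    return out


def check_subordinate_ca_profile(ext_seq):
    """Return BR 7.1.2.2 (b)/(c) findings; an empty list means compliant."""
    exts, findings = parse_extensions(ext_seq), []
    if OID_CRL_DP not in exts:
        findings.append("MUST: cRLDistributionPoints is missing")
    else:
        critical, value = exts[OID_CRL_DP]
        if critical:
            findings.append("MUST NOT: cRLDistributionPoints is marked critical")
        if not crl_http_urls(value):
            findings.append("MUST: cRLDistributionPoints has no HTTP CRL URL")
    if OID_AIA not in exts:
        findings.append("SHOULD: authorityInformationAccess is missing")
    else:
        critical, value = exts[OID_AIA]
        if critical:
            findings.append("MUST NOT: authorityInformationAccess is marked critical")
        if not aia_http_urls(value).get(OID_AD_CA_ISSUERS):
            findings.append("SHOULD: authorityInformationAccess has no HTTP caIssuers URL")
        # An OCSP responder URL is MAY under 1.8.0, so its absence is never a finding.
    return findings


# --- tiny DER encoder, used only to build the constructed samples below ------
def der(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunks.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunks))
    return der(0x06, body)


def extension(oid, value, critical=False):
    flag = der(0x01, b"\xFF") if critical else b""
    return der(0x30, encode_oid(oid) + flag + der(0x04, value))


def crl_dp_ext(urls, critical=False):
    dps = b"".join(der(0x30, der(TAG_CTX0, der(TAG_CTX0, der(TAG_URI, u.encode())))) for u in urls)
    return extension(OID_CRL_DP, der(0x30, dps), critical)


def aia_ext(entries):  # entries: [(accessMethod OID, URL)]
    ads = b"".join(der(0x30, encode_oid(m) + der(TAG_URI, u.encode())) for m, u in entries)
    return extension(OID_AIA, der(0x30, ads))


# Constructed samples (example.test hostnames, not real CAs).
# Compliant under BR 1.8.0 even though it carries no OCSP URL at all.
CRL_ONLY_INTERMEDIATE = der(0x30, crl_dp_ext(["http://crl.example.test/sub.crl"])
                            + aia_ext([(OID_AD_CA_ISSUERS, "http://certs.example.test/root.crt")]))
# Non-compliant: OCSP present but the CRL distribution point the BRs always required is absent.
OCSP_ONLY_INTERMEDIATE = der(0x30, aia_ext([(OID_AD_OCSP, "http://ocsp.example.test")]))

if __name__ == "__main__":
    for name, sample in [("crl-only", CRL_ONLY_INTERMEDIATE), ("ocsp-only", OCSP_ONLY_INTERMEDIATE)]:
        print(name, check_subordinate_ca_profile(sample) or "compliant")
```

To run it against a real intermediate, extract the TBSCertificate's `[3] extensions` element (the inner SEQUENCE) from the certificate's DER and pass it to `check_subordinate_ca_profile`; the walker deliberately does not parse the whole certificate.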

The severity field is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)
Severity: -- → N/A
Type: defect → task
Flags: needinfo?(dkeeler)
Priority: -- → P3
Whiteboard: [psm-backlog]
Assignee: nobody → dkeeler
Priority: P3 → P1
Whiteboard: [psm-backlog] → [psm-assigned]

The Baseline Requirements no longer require an OCSP URI for EV certificate
intermediates. Since OneCRL covers intermediates anyways, OCSP checking for
intermediates can be skipped entirely.

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b2603df26ef
adjust revocation checking for EV certificate intermediates to match Baseline Requirements r=jschanck
https://hg.mozilla.org/integration/autoland/rev/ca2c0170cb33
clean up some error handling in cert_storage creation r=jschanck
Regressions: 1762105
Regressions: 1762106
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch
