Closed Bug 404592 Opened 17 years ago Closed 17 years ago

next phase in EV testing

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(3 files)

Patch v1
1.96 KB, patch
rrelyea
: review+
mtschrep
: approval1.9+
Details | Diff | Splinter Review
Identity UI: FF2-with-Identity-Feedback versus FF3b2pre
9.29 KB, application/x-zip-compressed
Details
screen shot for comment 24
21.82 KB, image/png
Details 
We consider the following for the next round of EV testing:

- use NSS 3.12 alpha 2b
  (we attach the small diff on top of currently used alpha 2)

- adjust the revocation checking flags for the testing period

- use metadata to enable EV for verisign's EV certs, but only
  for the testing period, no decision about the final release yet
Attached patch Patch v1Splinter Review 
Update the tag and the PSM changes.
Note, even with these changes, it will still be necessary to set
  NSS_EV_TEST_HACK=USE_PKIX
to enable the new code path and get EV UI.

These patches will allow Nightly build users to turn on actual EV validation simply by turning on an environment variable. (No fake processing hacks, works with regular builds as well as debug, etc).
Comment on attachment 289520 [details] [diff] [review]
Patch v1

r+ rrelyea
Attachment #289520 - Flags: review+
Attachment #289520 - Flags: approval1.9?
Sounds excellent to me - will be nice to have actual testing sites available.  From what I can tell, Frank's already seeing EV cert submissions coming in, so we shouldn't need this for long before we start having approved roots to test against.
Attachment #289520 - Flags: approval1.9? → approval1.9+
Do we need a symmetrical bug to undo this when it comes to release time?
Landed by rrelyea earlier today.  I confirm that this works on trunk for https://www.paypal.com/ and https://signin.ebay.com/ with the environment variable set.  I don't want to resolve it though, until we get an answer to comment 6.
We probably should have a bug to undo the oid if Verisign doesn't get through Frank's EV process before we ship.

bob
I could be wrong, but it appears that all that is necessary for Larry to display "Identity Verified" is for the site to present a valid looking EV Certificate.

Internet Explorer, on the other hand, does not turn the location bar green unless the site presents and EV Certificate, and one of the following 2 conditions is met.

1.  It can verify that the certificate is still valid and has not been revoked.

2.  Anti-phishing checking is enabled and the site is not identified as a phishing site.

I turned OCSP and anti-phishing both off, and Larry still identifies any site presenting a Verisign EV Certificate as "Identity Verified".
(In reply to comment #9)
> I could be wrong, but it appears that all that is necessary for Larry to
> display "Identity Verified" is for the site to present a valid looking EV
> Certificate.
> 
> Internet Explorer, on the other hand, does not turn the location bar green
> unless the site presents and EV Certificate, and one of the following 2
> conditions is met.
> 
> 1.  It can verify that the certificate is still valid and has not been revoked.
> 
> 2.  Anti-phishing checking is enabled and the site is not identified as a
> phishing site.
> 
> I turned OCSP and anti-phishing both off, and Larry still identifies any site
> presenting a Verisign EV Certificate as "Identity Verified".
> 

Although I guess I should really file a Firefox bug on that.  Nevermind.
Third-party anti-phishing lists have absolutely nothing to do with Extended Validation by a CA, but you've got a good point about OCSP. When you file that bug please mention the bug # here.
(In reply to comment #11)
> Third-party anti-phishing lists have absolutely nothing to do with Extended
> Validation by a CA,

I was just reporting what Microsoft does.
Depends on: 402947
Yeah, checking or not checking anti-phishing blacklists is sort of orthogonal to EV - it's a good idea on its own, as is EV, but they solve different problems.  A site that was EV *and* on the blacklist would still be blocked, fwiw.

As for OCSP, I don't know - we ship with that enabled by default, and the EV guidelines even demand that CAs maintain quality of service on OCSP responders (by 2010 - they complain that existing OCSP server infrastructure isn't there yet) but if a user deliberately turns off OCSP checking, it seems like a pretty surprising side effect to me that we would also stop trusting valid, non-expired certs from EV roots.  Would we downgrade them to regular SSL status?  Why - the domain verification is arguably the most important point, since that's what ties it to the current site.  Would we downgrade other SSL certs?  Most don't have active OCSP responders in the first place.

I could understand a proposal that said we shouldn't treat a site as identified if it lists an OCSP responder, and we try to check it, but we don't get a reply.  That incents CAs to keep their OCSP responders up to snuff, but if there is truth to the complaint that it simply can't be done right now, that would also create a broken experience for certs, the vast majority of which are perfectly fine.

When we start seeing OCSP-stapling deployments out there, this question should arguably be revisited.  But even then, I would say that users who tell us not to do the OCSP check should still be given the information we have when it's signed by people we trust to supply it.

Please file the OCSP bug. That's part of the EV standard. Make sure I'm cc'ed on the bug.

Anti-phishing has nothing to do with the standard, so that isn't as critical.


bob
(In reply to comment #14)
> Please file the OCSP bug. That's part of the EV standard. Make sure I'm cc'ed
> on the bug.
> 
> Anti-phishing has nothing to do with the standard, so that isn't as critical.
> 
> 
> bob
> 
OK.  So I should file that under Core Security then as it is part of the standard?

(In reply to comment #14)
> Please file the OCSP bug. That's part of the EV standard. Make sure I'm cc'ed
> on the bug.
> 
> Anti-phishing has nothing to do with the standard, so that isn't as critical.
> 
> 
> bob
> 

I filed bug 405139 on that.
I downloaded the latest CVS code sometime yesterday, added some extra EV Policy OIDs to myTrustedEVInfos[], compiled it and fired it up...

I can see the new EV UI indicators when I first browse to an EV site, but I notice that whenever I switch to a different browser tab and then switch back again, the site's status has changed from "Identity Verified" (with Company Name & Country shown in the address bar) to "Location Verified" (with Company Name & Country having disappeared).

Does anyone else see this behaviour?
(In reply to comment #17)
> I can see the new EV UI indicators when I first browse to an EV site, but I
> notice that whenever I switch to a different browser tab and then switch back
> again, the site's status has changed from "Identity Verified" (with Company
> Name & Country shown in the address bar) to "Location Verified" (with Company
> Name & Country having disappeared).

See bug 402574
Thanks Johnathan.
By the way, I've noticed that the FF3b2pre EV UI looks quite different to FF2 with your Identity Feedback 0.8 add-on (see the screenshots.zip attachment).
Is the disappearance of the green background for "Company Name (Country)" intentional?
Or have I simply compiled something wrong?

(Sorry if this is the wrong bug # in which to raise this issue).
Blocks: 405139
(In reply to comment #19)
> By the way, I've noticed that the FF3b2pre EV UI looks quite different to FF2
> with your Identity Feedback 0.8 add-on (see the screenshots.zip attachment).
> Is the disappearance of the green background for "Company Name (Country)"
> intentional?
> Or have I simply compiled something wrong?

I assume Johnathan's add-on was a very early mockup.
I no longer get green when I compile the latest trunk, so I don't think you're compiling things wrong.
Blocks: 405906
(In reply to comment #6)
> Do we need a symmetrical bug to undo this when it comes to release time?

(In reply to comment #8)
> We probably should have a bug to undo the oid if Verisign doesn't get through
> Frank's EV process before we ship.


I filed bug 405906 as a reminder.

(In reply to comment #20)
> (In reply to comment #19)
> > By the way, I've noticed that the FF3b2pre EV UI looks quite different to FF2
> > with your Identity Feedback 0.8 add-on (see the screenshots.zip attachment).
> > Is the disappearance of the green background for "Company Name (Country)"
> > intentional?
> > Or have I simply compiled something wrong?
> 
> I assume Johnathan's add-on was a very early mockup.
> I no longer get green when I compile the latest trunk, so I don't think you're
> compiling things wrong.
 
The extension is indeed out of date at this point - it was a convenient test bed but the active code is now on trunk.  On the other hand, you absolutely will get the green background, and the Company Name (Country) treatment for _EV_ certificates, but neither of those for basic DV SSL.

The add-on treated all certs as EV to help test the UI, and trunk (without the environment variable approach introduced in this bug) has no EV roots currently, so in normal browsing you won't see it.  But if you enable the test mode, or if you use trunk once we add some EV roots, then yes, you should expect that treatment on EV sites, and it would be a bug if you weren't seeing it when you should.

Kai - are you saying that you aren't seeing that in test mode?

(In reply to comment #21)
> (In reply to comment #6)
> > Do we need a symmetrical bug to undo this when it comes to release time?
> 
> (In reply to comment #8)
> > We probably should have a bug to undo the oid if Verisign doesn't get through
> > Frank's EV process before we ship.
> 
> 
> I filed bug 405906 as a reminder.

Since Kai has opened this follow-up and nominated blocking, I think we can now resolve this bug, right Kai?
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
(In reply to comment #22)
> 
> you absolutely will get the green background, and the Company Name (Country) treatment for _EV_ certificates
> 
> Kai - are you saying that you aren't seeing that in test mode?

Correct. No green. I get gray.

I'll attach a screenshot.


(In reply to comment #23)
> I think we can now resolve this bug, right Kai?

right

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: