Bug 685286 - Data-driven (not code-driven) blacklisting mechanism for certificates on issuer public key or issuer distinguished name
Status: Closed, RESOLVED FIXED (3.12.12)
Opened 14 years ago; Closed 3 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: status1.9.2 wanted, status1.9.1 wanted
People: Reporter briansmith, Unassigned
Attachments: 1 file
+++ This bug was initially created as a clone of Bug #642503 +++
+++ This bug was initially created as a clone of Bug #642395 +++
Mozilla would like to have a way of blocking certificates based on a blacklist of issuer public keys and/or a list of issuer subject names, in a way that we can update via our Firefox/Thunderbird update pings, which don't require rebuilding the trusted roots module, which we can ship with the next Firefox update.
One way of enabling this: Add a new API to NSS, which allows the application to register a post-validation callback that has the opportunity to change the result and error code reported by each verification function. Then the application can implement all this logic itself.
Another way would be to implement the DN/public key blocklisting in NSS, and allow the application to register an array of issuer DNs or public keys to block.
My plan is to implement the first option.
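As an added illustration of the second option described above (it is not NSS or Firefox code, and not the mechanism the bug was eventually resolved with), here is a small Python sketch of a blocklist that is pure data: entries keyed on the issuer's distinguished name or on the SHA-256 of the issuer's SubjectPublicKeyInfo, loaded from JSON, and applied as a post-validation hook over an already-built chain. The JSON entry format, the function names, the minimal DER walker and the constructed, unsigned test certificates are all assumptions made for the example. It also shows the practical reason for keying on the public key rather than the DN: a CA certificate re-issued with the same key under a new name slips past a DN entry but not a key entry.

```python
"""Data-driven certificate blocklist keyed on issuer DN or issuer public key.
Added example, not NSS/Firefox code.  Minimal DER helpers pull issuer Name,
subject Name and SubjectPublicKeyInfo out of a cert; the test certificates are
constructed in-line (placeholder keys, dummy signature) so this runs offline."""
import base64, hashlib, json

def _tlv(tag, value):
    """Encode one DER TLV, short or long definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos] -> (tag, raw_tlv, value, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[start:pos + length], buf[pos:pos + length], pos + length

def _children(value):
    """Decode every TLV inside a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(value):
        tag, raw, val, pos = _read_tlv(value, pos)
        out.append((tag, raw, val))
    return out

def cert_fields(der):
    """Raw DER of the issuer Name, subject Name and SubjectPublicKeyInfo."""
    fields = _children(_children(_read_tlv(der, 0)[2])[0][2])   # tbsCertificate
    if fields[0][0] == 0xA0:                                    # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"issuer": fields[2][1], "subject": fields[4][1], "spki": fields[5][1]}

def spki_sha256_hex(der):
    """SHA-256 over the whole SubjectPublicKeyInfo DER, the usual key identifier."""
    return hashlib.sha256(cert_fields(der)["spki"]).hexdigest()

class CertBlocklist:
    """Built from data (e.g. JSON pushed by an update ping), not code.  Assumed entry
    formats: {"type": "issuerDN", "value": <base64 DER Name of the CA>} and
    {"type": "issuerSPKI", "value": <hex SHA-256 of the CA's SPKI DER>}."""
    def __init__(self, entries):
        self.dns, self.spki_hashes = set(), set()
        for e in entries:
            if e["type"] == "issuerDN":
                self.dns.add(base64.b64decode(e["value"]))
            elif e["type"] == "issuerSPKI":
                self.spki_hashes.add(bytes.fromhex(e["value"]))
            else:
                raise ValueError("unknown blocklist entry type: %r" % e["type"])

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))

    def check_chain(self, chain_der):
        """Post-validation hook over a leaf-first chain ending at the root: None if nothing
        matches, else a reason.  The issuer's key is the SPKI of the next cert up the
        chain; a self-signed root is its own issuer."""
        parsed = [cert_fields(c) for c in chain_der]
        for i, cert in enumerate(parsed):
            if cert["issuer"] in self.dns:
                return "cert %d: issuer DN is blocklisted" % i
            issuer = parsed[i + 1] if i + 1 < len(parsed) else cert
            if hashlib.sha256(issuer["spki"]).digest() in self.spki_hashes:
                return "cert %d: issuer public key is blocklisted" % i
        return None

# --- constructed test certificates: correct TBS layout, no real key or signature ---
_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
_RSA_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101")) + _tlv(0x05, b""))
_VALIDITY = _tlv(0x30, _tlv(0x17, b"110901000000Z") + _tlv(0x17, b"210901000000Z"))

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, single CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def make_test_cert(subject_cn, issuer_cn, key_bytes):
    spki = _tlv(0x30, _RSA_ALG + _tlv(0x03, b"\x00" + key_bytes))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _SIG_ALG
               + _name(issuer_cn) + _VALIDITY + _name(subject_cn) + spki)
    return _tlv(0x30, tbs + _SIG_ALG + _tlv(0x03, b"\x00" * 17))

def demo():
    """A CA key re-issued under a new name: a DN entry misses it, a key entry catches it."""
    good_ca = make_test_cert("Good CA", "Good CA", b"good-ca-key" * 4)
    bad_ca = make_test_cert("Bad CA", "Bad CA", b"bad-ca-key!" * 4)
    bad_ca_renamed = make_test_cert("Bad CA Renamed", "Bad CA Renamed", b"bad-ca-key!" * 4)
    leaf_good = make_test_cert("www.example.test", "Good CA", b"leaf1" * 8)
    leaf_bad = make_test_cert("www.example.test", "Bad CA", b"leaf2" * 8)
    leaf_renamed = make_test_cert("www.example.test", "Bad CA Renamed", b"leaf3" * 8)
    bad_dn = base64.b64encode(cert_fields(bad_ca)["subject"]).decode()
    by_dn = CertBlocklist.from_json(json.dumps([{"type": "issuerDN", "value": bad_dn}]))
    by_key = CertBlocklist.from_json(json.dumps([{"type": "issuerSPKI", "value": spki_sha256_hex(bad_ca)}]))
    return {
        "good_chain": by_key.check_chain([leaf_good, good_ca]),
        "dn_blocks_bad_ca": by_dn.check_chain([leaf_bad, bad_ca]),
        "dn_misses_renamed_ca": by_dn.check_chain([leaf_renamed, bad_ca_renamed]),
        "key_blocks_renamed_ca": by_key.check_chain([leaf_renamed, bad_ca_renamed]),
    }
```

Two points worth noting from the design: the DN match is a byte comparison on the DER-encoded Name, so an entry must carry exactly the encoding the CA uses (a real implementation would either normalise or ship the DN bytes copied from the offending certificate), and the hook runs after ordinary path validation, so it can only turn a success into a failure, which is exactly the "post-validation callback that changes the result" shape the first option describes.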
Comment 1•14 years ago
Note that I filed bug 647868 which also contains detailed ideas.
Comment 2•14 years ago
The attached is an outline for a proposed format for emergency response to cryptographic security incidents.
This would enable emergency revocation of EE and CA certs plus pushing out policy for the affected domains (e.g. only respect this set of CA issuers for the domain, always use HTTPS, etc.)
Attachment #559204 - Flags: feedback+
Comment 3•14 years ago
While all the desktop browsers have been patched, folk in the ME are more likely to be using mobile phones. These are not patched yet:
http://news.techworld.com/security/3301828/google-and-apple-fail-to-revoke-diginotar-ssl-certificates-on-smartphone/
Comment 4•14 years ago
(In reply to Phillip Hallam-Baker from comment #3)
> While all the desktop browsers have been patched, folk in the ME are more
> likely to be using mobile phones. These are not patched yet:
>
> http://news.techworld.com/security/3301828/google-and-apple-fail-to-revoke-diginotar-ssl-certificates-on-smartphone/
Firefox for Android is patched also.
Comment 5•14 years ago (Reporter)
Phillip, we are not going to implement that in this bug. We already have a plan for a different implementation, which is what this bug is about. Please file a new bug about implementing your proposal in Product:Core Component:"Security - PSM".
Updated•14 years ago (Reporter)
Assignee: bsmith → nobody
Comment 6•3 years ago
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: major → --