Closed Bug 685286 Opened 14 years ago Closed 3 years ago

Data-driven (not code-driven) blacklisting mechanism for certificates on issuer public key or issuer distinguished name

Categories

(NSS :: Libraries, defect, P1)

Tracking

(status1.9.2 wanted, status1.9.1 wanted)

RESOLVED FIXED
3.12.12
Tracking Status
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: briansmith, Unassigned)

References

Details

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #642503 +++
+++ This bug was initially created as a clone of Bug #642395 +++

Mozilla would like to have a way of blocking certificates based on a blacklist of issuer public keys and/or a list of issuer subject names, in a way that we can update via our Firefox/Thunderbird update pings, which don't require rebuilding the trusted roots module, which we can ship with the next Firefox update.

One way of enabling this: Add a new API to NSS, which allows the application to register a post-validation callback that has the opportunity to change the result and error code reported by each verification function. Then the application can implement all this logic itself.

Another way would be to implement the DN/public key blocklisting in NSS, and allow the application to register an array of issuer DNs or public keys to block.

My plan is to implement the first option.
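A model of the mechanism described in the comment above, added here as an illustration and not taken from NSS or from the bug's attachment: a blocklist of issuer DNs and issuer public-key hashes loaded from data, consulted by a post-validation hook that may turn a passing verification into a failure. None of the names below (`IssuerBlocklist`, `post_validation_hook`, `ERR_BLOCKLISTED_ISSUER`) are NSS identifiers, and the certificates, key bytes and blocklist entries are constructed.

```python
"""Data-driven issuer blocklist consulted from a post-validation hook.

Added illustration (not NSS code): models the two blocking criteria the bug
asks for, issuer distinguished name and issuer public key, and the proposed
callback that runs after chain validation and may override its result.
All identifiers, error codes and sample data below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder codes; NSS uses its own PRErrorCode values.
SEC_OK = 0
ERR_BLOCKLISTED_ISSUER = 1001


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed certificate."""
    subject: str      # subject distinguished name, RFC 4514 style string
    issuer: str       # issuer distinguished name
    spki_der: bytes   # DER SubjectPublicKeyInfo (constructed bytes in samples)


def normalize_dn(dn: str) -> str:
    """Crude DN canonicalisation: trim spaces around RDNs, case-fold.

    Real X.500 matching has more rules (attribute type names, escaping);
    a production check should compare DER-encoded Names instead.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def spki_sha256(spki_der: bytes) -> str:
    """Key identity: SHA-256 over the DER SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()


class IssuerBlocklist:
    """Blocklist loaded from data, so it can ship without rebuilding code."""

    def __init__(self, issuer_dns: List[str], issuer_spki_sha256: List[str]):
        self.dns = frozenset(normalize_dn(d) for d in issuer_dns)
        self.keys = frozenset(h.lower() for h in issuer_spki_sha256)

    @classmethod
    def from_json(cls, text: str) -> "IssuerBlocklist":
        data = json.loads(text)
        return cls(data.get("issuer_dns", []), data.get("issuer_spki_sha256", []))

    def blocks(self, ca: Cert) -> Optional[str]:
        """Return why this CA certificate is blocked, or None if it is not."""
        if normalize_dn(ca.subject) in self.dns:
            return "issuer DN"
        if spki_sha256(ca.spki_der) in self.keys:
            return "issuer public key"
        return None


def post_validation_hook(chain: List[Cert], result: bool, error: int,
                         blocklist: IssuerBlocklist) -> Tuple[bool, int]:
    """Application callback run after chain building.

    chain[0] is the end-entity certificate, chain[1:] its issuers up to
    the root. Every issuer is checked, so a blocked intermediate is caught
    even when the root is fine. A passing result may be turned into a
    failure; a failure is never turned into a pass.
    """
    for ca in chain[1:]:
        if blocklist.blocks(ca) is not None:
            return False, ERR_BLOCKLISTED_ISSUER
    return result, error


def verify_with_blocklist(chain: List[Cert],
                          blocklist: IssuerBlocklist) -> Tuple[bool, int]:
    """Stand-in for the normal verify path: assume path validation passed,
    then let the hook override it."""
    return post_validation_hook(chain, True, SEC_OK, blocklist)


# --- constructed sample data -------------------------------------------------
COMPROMISED_SPKI = b"\x30\x82constructed-spki-of-compromised-ca"  # not a real key


def sample_blocklist_json() -> str:
    """The kind of data file an update ping could deliver (constructed)."""
    return json.dumps({
        "issuer_dns": ["CN=Example Compromised CA, O=Example Org, C=XX"],
        "issuer_spki_sha256": [spki_sha256(COMPROMISED_SPKI)],
    })


if __name__ == "__main__":
    bl = IssuerBlocklist.from_json(sample_blocklist_json())
    # Same compromised key re-issued under a new name: still blocked by key.
    chain = [Cert("CN=victim.example", "CN=Renamed CA", b"ee-key"),
             Cert("CN=Renamed CA", "CN=Renamed CA", COMPROMISED_SPKI)]
    print(verify_with_blocklist(chain, bl))
```

Carrying both criteria matters: a DN entry catches certificates naming the offending CA, while the key hash also catches the same key re-certified under a different name. The hook only ever tightens the outcome, which keeps the data file from being able to re-enable anything that ordinary path validation rejected.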
Note that I filed bug 647868 which also contains detailed ideas.
The attached is an outline for a proposed format for emergency response to cryptographic security incidents. This would enable emergency revocation of EE and CA certs plus pushing out policy for the affected domains (e.g. only respect this set of CA issuers for the domain, always use HTTPS, etc.)
Attachment #559204 - Flags: feedback+
While all the desktop browsers have been patched, folk in the ME are more likely to be using mobile phones. These are not patched yet: http://news.techworld.com/security/3301828/google-and-apple-fail-to-revoke-diginotar-ssl-certificates-on-smartphone/
(In reply to Phillip Hallam-Baker from comment #3)
> While all the desktop browsers have been patched, folk in the ME are more
> likely to be using mobile phones. These are not patched yet:
>
> http://news.techworld.com/security/3301828/google-and-apple-fail-to-revoke-diginotar-ssl-certificates-on-smartphone/

Firefox for Android is patched also.
Phillip, we are not going to implement that in this bug. We already have a plan for a different implementation, which is what this bug is about. Please file a new bug about implementing your proposal in Product:Core Component:"Security - PSM".
Assignee: bsmith → nobody

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

OneCRL

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED