Hi,

At the time a certificate is issued by a Certificate Authority (CA), it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period (e.g. compromise or suspected compromise of the corresponding private key). Under such circumstances, the issuing CA needs to revoke the certificate before its scheduled expiration date, after which it should no longer be trusted.
CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) are two protocols used to check whether a given X.509 certificate has been revoked by its issuer.

1. *Certificate Revocation List (CRL):* a list of digital certificates that have been revoked by the issuing CA
2. *Online Certificate Status Protocol (OCSP):* an Internet protocol used for obtaining the revocation status of an X.509 digital certificate using the certificate serial number

The proposed implementation is to include certificate validation with CRL and OCSP in the X509 authenticator, which is used for client X.509 certificate authentication. At the verification phase of the SSL handshake, the OCSP/CRL certificate verification process contacts the relevant Certificate Authority (CA) to verify the validity of the given certificate. If the response says that the certificate is revoked, the certificate is no longer trusted by the CA, in which case the SSL connection to the peer is terminated.

Please find the following architectural considerations for the proposed implementation.

*APIs or Services for CRL/OCSP Validation:* Certificate revocation verification should be exposed as an OSGi service, in a manner where additional validation methods can be included via extensions.

*Get CRL and OCSP URLs:*
- When a CA signs a certificate, it will normally encode the CRL and OCSP location(s) into the certificate using the "CRL Distribution Point" and "Authority Information Access" extensions respectively.
- If CRL and OCSP location(s) are not specified in the certificate, or the administrator wants to override them with predefined locations in the server, we are planning to maintain a list of trusted CAs with CRL and OCSP location(s) in the registry.

*Registry Structure:* Two registry resources as follows, with comma-separated CRL/OCSP URLs as property values mapped to the CA issuer name.

/_system/config/certificate/crl
/_system/config/certificate/ocsp

*Trusted CA List:* Consider the issuers in the default client-truststore of WSO2 products.

*Caching Layer:*
- The CRL downloaded from the CRL URL or the OCSP response from the OCSP URL will be cached.
- A CA provides a CRL that is valid for a limited amount of time and specifies the validity lifetime of the CRL in the "Next Update" CRL field. This field indicates the date by which the next CRL will be issued. As mentioned in [1], the next CRL could be issued before the indicated date, but it will not be issued any later than the indicated date. So we should consider this property and validate the CRL returned from the cache, since a certificate in the CRL can be temporarily invalidated (Hold) rather than irreversibly revoked, and use of an outdated CRL creates security exposures.

*Preference for CRL and OCSP:*
- Able to disable one or both methods and to define the preference between CRL and OCSP; this will be through file-based configuration
- If both methods are enabled, verify with OCSP first, followed by CRL
- By default (if not configured), verify with OCSP

*Other Considerations:*
- Validate the CRL returned from the CRL URL:
  - The CRL should be signed by the issuer, so validate the issuer name.
  - Validate the signature of the CRL with the issuer's public certificate.
  - Validate the CRL "Next Update" date field to reject outdated CRLs.

Appreciate your suggestions/comments.

[1] https://tools.ietf.org/html/rfc5280
[2] https://tools.ietf.org/html/rfc6960

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile 0772182255
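As an added illustration of the "Caching Layer" and "Other Considerations" items above (example code, not code from the proposal or from WSO2, whose authenticator is Java/OSGi), the following Go program uses only the standard library to validate a CRL against its issuing CA (issuer name, signature, Next Update) before consulting it, and then tells a certificate on hold apart from an irreversibly revoked one. The CA, serial numbers and reason codes are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCRL runs the "Other Considerations" checks on a (possibly cached) CRL, then looks the serial up.
func CheckCRL(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	switch {
	case err != nil:
		return "", err
	case crl.Issuer.String() != ca.Subject.String(): // the CRL must name this CA as its issuer
		return "", errors.New("CRL issuer name does not match the CA subject")
	case crl.CheckSignatureFrom(ca) != nil: // verifies the signature and the CA's cRLSign key usage
		return "", errors.New("CRL signature does not verify with the CA public key")
	case now.After(crl.NextUpdate): // outdated CRL: evict it from the cache and download a fresh one
		return "", errors.New("CRL is past its Next Update date")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 && e.ReasonCode == 6 { // certificateHold: reversible
			return "hold", nil
		} else if e.SerialNumber.Cmp(serial) == 0 { // any other reason: irreversibly revoked
			return "revoked", nil
		}
	}
	return "good", nil // serial not listed in a valid, current CRL
}

// BuildTestCRL makes a throwaway CA (constructed test data) and a CRL it signed with two entries.
func BuildTestCRL(cn string, nextUpdate time.Time) ([]byte, *x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der) // parsed form carries RawSubject, KeyUsage and SubjectKeyId
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7),
		ThisUpdate: nextUpdate.Add(-24 * time.Hour), NextUpdate: nextUpdate, // the "Next Update" field
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1001), RevocationTime: time.Now(), ReasonCode: 1}, // keyCompromise
			{SerialNumber: big.NewInt(1002), RevocationTime: time.Now(), ReasonCode: 6}}}, ca, priv) // certificateHold
	return crl, ca, err
}
```

A cached CRL should be re-checked with CheckCRL on every use, so that a copy that has passed its Next Update date is refetched rather than trusted.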
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture