On Mon, Jul 28, 2014 at 12:05 PM, Kai Engert <k...@kuix.de> wrote:
> On Mon, 2014-07-28 at 21:02 +0200, Kai Engert wrote:
>> On Mon, 2014-07-28 at 11:00 -0700, Brian Smith wrote:
>> > I suggest that, instead of including the cross-signing certificates in
>> > the NSS certificate database, the mozilla::pkix code should be changed
>> > to look up those certificates when attempting to find them through NSS
>> > fails.
>>
>> We are looking for a way to fix all applications that use NSS, not just
>> Firefox. Only Firefox uses the mozilla::pkix library.
>
> Actually, including intermediates in the Mozilla root CA list should
> even help applications that use other crypto toolkits (not just NSS).

It depends on your definition of "help." I assume the goal is to encourage websites to migrate from 1024-bit signatures to RSA-2048-bit or ECDSA-P-256 signatures. If so, then including the intermediates in NSS so that all NSS-based applications can use them will be counterproductive to the goal, because when the system administrator is testing his server using those other NSS-based tools, he will not notice that he is depending on 1024-bit certificates (cross-signed or root) because everything will work fine.

Similarly, as you note, many non-NSS-based tools copy the NSS certificate set into their own certificate databases. Thus, the effect of encouraging the continued dependency on 1024-bit signatures would have an even wider impact beyond NSS-based applications.

I remember that we had a discussion about this a long time ago, but I think it might have been private. In the previous discussion, I noted that removing a 1024-bit root but still supporting a 1024-bit-to-2048-bit cross-signed intermediate results in no improvement in security, but it does have a negative performance impact because all the affected certificate chains grow by one certificate. That's why I've been against removing the 1024-bit roots while continuing to trust the 1024-bit-to-2048-bit cross-signing certificates.

It is important to understand the cryptographic aspect of why 1024-bit signatures are bad. People feel like it is possible for some people to create valid signatures using a 1024-bit key even if they were not the original holders of the private key. The only way to protect against somebody with this capability is to reject ANY 1024-bit signature, whether it is in a cross-signing certificate or a root certificate or something else.

If it is not reasonable to reject all 1024-bit signatures, then I'd suggest trying to find a different approach for gradually removing support for 1024-bit signatures. For example, Firefox could keep trusting 1024-bit signatures for most websites, but start rejecting them for HSTS sites and for key-pinned websites. This would provide a useful level of protection for those sites at least, even if it wouldn't afford any protection for other websites. That would be an improvement over the current change, which seems to hurt compatibility and/or performance without improving security for any websites.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
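
The two policies discussed in the message above (reject any chain containing a 1024-bit signature, or reject such chains only for HSTS and key-pinned hosts), as an added Python example that is not part of the original thread and is not NSS or mozilla::pkix code. The `Cert` model, the 2048-bit threshold, the host names and both chains are constructed assumptions.

```python
from dataclasses import dataclass

MIN_RSA_BITS = 2048  # assumed threshold; the message only calls 1024-bit too weak


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (not an NSS type)."""
    subject: str
    signing_key_bits: int  # RSA modulus size of the key that signed this cert


def weak_signatures(chain):
    """Subjects of every cert in the chain that was signed by a too-small key."""
    return [c.subject for c in chain if c.signing_key_bits < MIN_RSA_BITS]


def accept_chain(chain, host, strict_hosts, reject_all_weak=False):
    """Return (accepted, weak_subjects) for a chain presented by `host`.

    reject_all_weak=True : any weak signature anywhere in the chain is fatal.
    reject_all_weak=False: gradual policy, weak signatures are fatal only for
                           hosts in strict_hosts (HSTS or key-pinned sites).
    """
    weak = weak_signatures(chain)
    if weak and (reject_all_weak or host in strict_hosts):
        return False, weak
    return True, weak


# Constructed chains, leaf first; each entry records who signed that cert.
VIA_1024_ROOT = [
    Cert("leaf", 2048),
    Cert("intermediate-ca", 1024),   # signed directly by the 1024-bit root key
]
VIA_CROSS_SIGNED = [
    Cert("leaf", 2048),
    Cert("intermediate-ca", 2048),
    Cert("cross-signed-ca", 1024),   # 2048-bit CA key, cert signed by 1024-bit key
]
ALL_2048 = [Cert("leaf", 2048), Cert("intermediate-ca", 2048)]

if __name__ == "__main__":
    strict = {"pinned.example"}      # constructed HSTS / pinned host set
    for name, chain in [("1024 root", VIA_1024_ROOT),
                        ("cross-signed", VIA_CROSS_SIGNED),
                        ("all 2048", ALL_2048)]:
        for host in ("pinned.example", "other.example"):
            print(name, len(chain), host, accept_chain(chain, host, strict))
```

Both constructed chains that depend on the 1024-bit key carry exactly one weak signature; the cross-signed one is simply one certificate longer.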