On 2016-08-31 20:13, Ryan Sleevi wrote:
Setting aside for a second whether or not distrusting is the right action,
let's think about what possible responses.
A) Remove the CA. Users may manually trust it if they re-add it, but it will
not be trusted by default.
B) Actively distrust the CA. Even if manually added (by user or enterprise
policy), it will not be trusted.
C) Remove the CA. Develop a whitelist of pre-existing certificates to be
trusted.
- What form should this whitelist take?
* Shipping it in the binary is unacceptably large.
* Downloading it in full on demand is unacceptably large/unreliable.
* Checking with a central server for serial number can lead to misleading
results (WoSign has shown they issue duplicate serials, and nothing would
prevent them from doing so in the future)
* Checking with a central server for certificate hash may have privacy
considerations.
* Conclusion: Something SafeBrowsing-like would have to be developed (
https://developers.google.com/safe-browsing/v4/ ), which could be months away.
D) Distrust any certificate without appropriate CT information. Whitelist certs
before 2016.
- See whitelist problems above
E) Distrust certs without appropriate CT information, wholesale.
- Note: It appears that WoSign is or has had similar issues to Symantec,
failing to log to a diverse-enough set of logs to ensure a robust CT
implementation. A quick and random sampling shows, for example, that
precertificates are only being logged to Google logs (such as for 8-30-16).
Thus, unless an implementation is willing to fully trust Google CT logs alone -
something Google themselves are unwilling to do - then this suggests that this
may be the same as wholesale distrusting.
An other option is to only trust certificates issued before a certain date.
We seem to have a problem trusting the date in the certificate, so this
might need to be in combination with an SCT from before that date. I
think the easiest way to do this is have the SCT in the OCSP response,
but it would require the server to do OCSP stapling. It would then be
up to the CA to make sure they are submitted to enough logs, that the
OCSP server returns them, and that they inform their clients to make
sure OCSP stapling is turned on.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy