Re: Incidents involving the CA WoSign

Thu, 01 Sep 2016 02:37:57 -0700 

On 2016-08-31 20:13, Ryan Sleevi wrote:

Setting aside for a second whether or not distrusting is the right action, 
let's think about what possible responses.

A) Remove the CA. Users may manually trust it if they re-add it, but it will 
not be trusted by default.
B) Actively distrust the CA. Even if manually added (by user or enterprise 
policy), it will not be trusted.
C) Remove the CA. Develop a whitelist of pre-existing certificates to be 
trusted.
  - What form should this whitelist take?
    * Shipping it in the binary is unacceptably large.
    * Downloading it in full on demand is unacceptably large/unreliable.
    * Checking with a central server for serial number can lead to misleading 
results (WoSign has shown they issue duplicate serials, and nothing would 
prevent them from doing so in the future)
    * Checking with a central server for certificate hash may have privacy 
considerations.
    * Conclusion: Something SafeBrowsing-like would have to be developed ( 
https://developers.google.com/safe-browsing/v4/ ), which could be months away.
D) Distrust any certificate without appropriate CT information. Whitelist certs 
before 2016.
  - See whitelist problems above
E) Distrust certs without appropriate CT information, wholesale.
  - Note: It appears that WoSign is or has had similar issues to Symantec, 
failing to log to a diverse-enough set of logs to ensure a robust CT 
implementation. A quick and random sampling shows, for example, that 
precertificates are only being logged to Google logs (such as for 8-30-16). 
Thus, unless an implementation is willing to fully trust Google CT logs alone - 
something Google themselves are unwilling to do - then this suggests that this 
may be the same as wholesale distrusting.


An other option is to only trust certificates issued before a certain date.
We seem to have a problem trusting the date in the certificate, so this might need to be in combination with an SCT from before that date. I think the easiest way to do this is have the SCT in the OCSP response, but it would require the server to do OCSP stapling. It would then be up to the CA to make sure they are submitted to enough logs, that the OCSP server returns them, and that they inform their clients to make sure OCSP stapling is turned on. 


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to