Nelson Bolyard wrote:
Frank Hecker wrote:
* OCSP. My understanding is that the Microsec practice of having a
separate root for OCSP is very problematic, particularly given the
inclusion of AIA extensions with OCSP URLs in end entity certificates.
As I understand it, Microsec is removing AIA extensions with OCSP URLs
from end entity certificates and from intermediate CA certificates, and
this should address this problem going forward.

... after some period of time has elapsed.  Certainly the day after they
begin to issue certs without the OCSP URL in the AIA extension, 99+% of the
existing certs will still have those AIA extensions.  Over time that number
should decline.

Please refresh my memory here: As I understand it, the basic problem was that if the Microsec root were included in Firefox (or other products) and a user surfed to an SSL/TLS-enabled site with an end entity certificate issued by Microsec (a cert with the AIA extension with the OCSP URL), then this would cause an error in Firefox 3, because Firefox 3 does OCSP checking by default and it would get what it considered to be a bad OCSP response. Do I have this right?

At what point does it become appropriate to consider the problem to have
abated enough to no longer be an issue?  Is it when the number of remaining
outstanding valid certs that bear that AIA extension is 90%? 50%? 20%? 10%?
5%? 1%?

I think it is in Microsec's interest to revoke and reissue certificates for sites that encounter problems with Firefox. I would consider this problem to be effectively addressed after Microsec actively begins an initiative to work with its affected customers to get them new certificates. At that point if customers do not update their sites IMO it is their problem, not Microsec's or Mozilla's.

If approved, the Microsec root would not go into Firefox 3 until late this year or early next year. So I think there is plenty of time for Microsec to put together a suitable plan for how to ease the transition for its customers and minimize any errors that might be experienced by Firefox users.

Although we haven't tested it with libPKIX, as far as I know, OCSP URLs
in root certs will not be a problem for NSS.  NSS will never check a
self-issued cert for OCSP revocation.

Thanks for looking into this. My conclusion is therefore that there is no need for Microsec to reissue its root certificate, at least as far as Mozilla is concerned. However, as Rob Stradling noted, I do suggest that Microsec look at what GlobalSign did with its root refresh, in case Microsec wants to do something similar in the future. (I should also note that if Microsec's current root is approved for inclusion, I would give expedited approval to any future refresh of the root, as long as nothing had changed in terms of Microsec's operations and there were no technical problems with the new root.)

One final question: Does anyone know what Thunderbird 3 will be doing in terms of OCSP checks? Will this problem affect end entity certificates issued by Microsec for S/MIME use?

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
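The two technical points in this thread are (a) end entity and intermediate certificates carrying an AIA extension with an OCSP URL, which a client such as Firefox 3 will follow, and (b) Nelson's statement that NSS never OCSP-checks a self-issued certificate, so an OCSP URL in the root itself is harmless. The following Go program is an added illustration written for this page, not code from NSS, Mozilla or Microsec. It builds a constructed three-certificate chain (root with an AIA OCSP URL, intermediate without one, leaf with one) and applies the rule Nelson describes: a self-issued certificate (subject equals issuer) yields no OCSP responder to query, any other certificate yields the URLs from its AIA extension, which Go's crypto/x509 exposes as the OCSPServer field. The responder URL http://ocsp.example.test/ and the certificate names are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoOCSPURL is a constructed placeholder, not a real responder.
const demoOCSPURL = "http://ocsp.example.test/"

// isSelfIssued reports whether the certificate's subject and issuer are the
// same DN, which is how NSS recognises a root it will never OCSP-check.
func isSelfIssued(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// ocspURLsToCheck returns the OCSP responder URLs a client following the NSS
// rule would query for this certificate: none for a self-issued cert, even if
// its AIA extension carries an OCSP URL; otherwise the AIA OCSP URLs.
func ocspURLsToCheck(c *x509.Certificate) []string {
	if isSelfIssued(c) {
		return nil
	}
	return c.OCSPServer
}

// makeCert signs tmpl with signer under parent and parses the result, so the
// returned certificate has RawSubject, RawIssuer and OCSPServer populated.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoChain builds a constructed root -> intermediate -> leaf chain. The root
// and the leaf carry an AIA OCSP URL (as the older Microsec certs did); the
// intermediate does not (as Microsec's reissued intermediates would not).
func DemoChain() (root, inter, leaf *x509.Certificate, err error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	now := time.Now()
	base := func(serial int64, cn string, ca bool, ocsp []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  ca,
			BasicConstraintsValid: true,
			OCSPServer:            ocsp, // becomes the AIA OCSP accessMethod
		}
	}
	rootTmpl := base(1, "Constructed Demo Root CA", true, []string{demoOCSPURL})
	rootTmpl.KeyUsage = x509.KeyUsageCertSign
	if root, err = makeCert(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]); err != nil {
		return
	}
	interTmpl := base(2, "Constructed Demo Intermediate CA", true, nil)
	interTmpl.KeyUsage = x509.KeyUsageCertSign
	if inter, err = makeCert(interTmpl, root, &keys[1].PublicKey, keys[0]); err != nil {
		return
	}
	leafTmpl := base(3, "www.example.test", false, []string{demoOCSPURL})
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leaf, err = makeCert(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	return
}

func main() {
	root, inter, leaf, err := DemoChain()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{root, inter, leaf} {
		fmt.Printf("%-35s selfIssued=%-5v AIA OCSP=%v -> would query %v\n",
			c.Subject.CommonName, isSelfIssued(c), c.OCSPServer, ocspURLsToCheck(c))
	}
}
```

Run against a real chain, the same two functions answer Frank's question directly: only the certificates for which ocspURLsToCheck returns a non-empty list would cause a Firefox 3 OCSP fetch, so a root's own AIA URL (root row) does not matter, while every outstanding leaf that still carries one (leaf row) does until it is reissued.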
