Nelson B Bolyard wrote:
> Frank Hecker wrote, On 2008-10-17 06:57:
> 
>> Please refresh my memory here: As I understand it, the basic problem was 
>> that if the Microsec root were included in Firefox (or other products) 
>> and a user surfed to an SSL/TLS-enabled site with an end entity 
>> certificate issued by Microsec (a cert with the AIA extension with the 
>> OCSP URL), then this would cause an error in Firefox 3, because Firefox 
>> 3 does OCSP checking by default and it would get what it considered to 
>> be a bad OCSP response. Do I have this right?
> 
> Yes.  Bad response, ugly errors, no fun.

With the default settings in Firefox 3, it isn't that bad... remember
that it's the "graceful failure" mode which is selected by default:

> 1056   PRBool ocspRequired;
> 1057   pref->GetBoolPref("security.OCSP.require", &ocspRequired);
> 1058   if (ocspRequired) {
> 1059     CERT_SetOCSPFailureMode(ocspMode_FailureIsVerificationFailure);
> 1060   }
> 1061   else {
> 1062     CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
> 1063   }
> 1064 }
[http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSComponent.cpp&rev=1.167&mark=1056-1063#1056]

And in Firefox 2, OCSP is disabled by default anyway.

Frank Hecker wrote:
> What I'd like to see from Microsec is a plan to first address 
> fixing certificates for SSL/TLS web sites (to prevent problems with 
> Firefox 3)

After a closer look, I think that the "Microsec OCSP issue" isn't really
one, at least for the foreseeable future. Looking at the OCSP URIs in
the chain served by https://rca.e-szigno.hu e.g., we see this list:

                        Method: PKIX Online Certificate Status Protocol
                        Location:
                            URI: "https://srv.e-szigno.hu/ocsp";

                        Method: PKIX Online Certificate Status Protocol
                        Location:
                            URI: "https://arca.e-szigno.hu/aocsp";

                        Method: PKIX Online Certificate Status Protocol
                        Location:
                            URI: "https://rca.e-szigno.hu/ocsp";

I.e., unless bugs 205436 or 92923 are worked on soon, using https OCSP
URIs will quite effectively prevent Mozilla clients from connecting to
this responder :-) [1] István, maybe you can confirm that in all the
certs issued so far you've only used https OCSP URIs?

Kaspar

[1] for NSS, cf.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/ocsp.c&rev=1.55&mark=2741-2746#2741
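To make the "https OCSP URI" point above checkable on an arbitrary certificate, here is a small added example (mine, not code from Kaspar's post, from NSS or from Microsec): a pure-Python DER encoder/decoder for the AuthorityInfoAccess extension value that lists the OCSP responder URIs and splits them into the ones an http-only client would dereference and the ones it would skip. The "http:// only" rule is my assumption about the client behaviour the ocsp.c footnote points at, and the sample extension is constructed for the demo: it bundles the three OCSP URIs quoted from the rca.e-szigno.hu chain (in reality one per certificate) into one extension and adds a made-up caIssuers entry so the filtering on the access-method OID is visible.

```python
"""Extract OCSP responder URIs from a DER-encoded AuthorityInfoAccess
extension value and flag those an http-only OCSP client would skip.
Added example; the sample extension at the bottom is constructed."""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """Dotted notation from the content octets of an OID."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def encode_aia(access):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription,
    each { accessMethod OID, accessLocation [6] IA5String (a URI) }."""
    descs = b"".join(_tlv(0x30, encode_oid(m) + _tlv(0x86, u.encode("ascii")))
                     for m, u in access)
    return _tlv(0x30, descs)


def _read_tlv(buf, pos):
    """Return (tag, content octets, position after the element)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def parse_aia(der):
    """List of (accessMethod OID, URI); non-URI GeneralNames are skipped."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    pos, out = 0, []
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t, oid_body, p = _read_tlv(desc, 0)
        if t != 0x06:
            raise ValueError("accessMethod must be an OID")
        t, loc, _ = _read_tlv(desc, p)
        if t == 0x86:   # [6] uniformResourceIdentifier, IA5String
            out.append((decode_oid(oid_body), loc.decode("ascii")))
    return out


def ocsp_uris(der):
    return [u for m, u in parse_aia(der) if m == OID_OCSP]


def split_by_client_support(der):
    """Assumption: the client (NSS of that era, per the ocsp.c footnote)
    only dereferences http:// OCSP URIs, so anything else is skipped."""
    usable, skipped = [], []
    for u in ocsp_uris(der):
        (usable if u.lower().startswith("http://") else skipped).append(u)
    return usable, skipped


# Constructed sample: the three OCSP URIs quoted from the rca.e-szigno.hu
# chain (in reality one per certificate) bundled into one extension, plus
# a made-up caIssuers entry to show that the access-method OID is filtered.
SAMPLE_AIA = encode_aia([
    (OID_OCSP, "https://srv.e-szigno.hu/ocsp"),
    (OID_OCSP, "https://arca.e-szigno.hu/aocsp"),
    (OID_OCSP, "https://rca.e-szigno.hu/ocsp"),
    (OID_CA_ISSUERS, "http://example.invalid/ca.crt"),
])

if __name__ == "__main__":
    usable, skipped = split_by_client_support(SAMPLE_AIA)
    print("OCSP URIs an http-only client will use:", usable)
    print("OCSP URIs it will skip:", skipped)
```

To run it against a real certificate, feed parse_aia() the content octets of the extension with OID 1.3.6.1.5.5.7.1.1 (the extnValue OCTET STRING's payload); the parser deliberately handles only the URI form of GeneralName, which is the only form that matters for an OCSP fetch.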
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto