(quick correction to my prior email: the certificates issued by the intermediate are valid for up to 15 months in that example, and the key is retired when it cannot sign anything with a validity less than 12 months.)
-Kyle H

On Mon, Apr 28, 2014 at 4:10 PM, Kyle Hamilton <aerow...@gmail.com> wrote:

On Fri, Apr 25, 2014 at 6:59 AM, Erwann Abalea <eaba...@gmail.com> wrote:
> On Friday, 25 April 2014 13:46:51 UTC+2, Martin Paljak wrote:
>> On Thu, Apr 24, 2014 at 9:07 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>> > Also, we added a section to the wiki page to list some behavior changes that
>> > could cause a website certificate to no longer validate with Firefox 31.
>> > https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
>>
>> What is the rationale for this:
>>
>> 4. Mozilla::pkix performs chaining based on issuer name alone, and
>> does not require that issuer's subject key match the authority key
>> info (AKI) extension in the certificate. Classic verification enforces
>> the AKI restriction.
>
> AKI is only a helper for certificate path building.
> It's mandatory for CAs to issue certificates with matching keyIdentifiers
> (issued.AKI.keyIdentifier = issuer.SKI), but it's not mandatory for relying
> parties to verify that the values match.

Erwann (and all),

AKI is necessary for multiple public keys used by the same Subject certifier. It's particularly useful for a "rolling chain" of public keys, each one used to sign certificates within a given period of months, but with overlapping validity periods.

0     3     6     9     12    15    18    21    24    27
|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|.....|.....|
|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|.....|
|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|
|.....|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|
|.....|.....|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|

In this diagram, 'u' means "in use". 'v' means "valid". The numbers at the top refer to 'counted months'. So, in this case, the private keys are used for 3 months while their issued certificates are valid for up to 12 months. There are 5 potential keys, identifiable only through the use of the AKID extension.
Yes, the certified entity is supposed to provide its verifiable chain, back to the root (but not including the root)... at least, according to TLS, and other IETF Security working-area client protocols. But, it's not mandatory per PKIX, and it's also not mandatory per X.509, either.

I believe this to be a poor design decision on the part of Mozilla.

-Kyle H
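An added example, not from the thread or from mozilla::pkix, that models the two chaining rules being discussed against the rolling-key CA in the diagram: a path builder that matches on issuer name alone finds every key the CA has ever used under that name, while requiring leaf.AKI == issuer.SKI narrows it to one. Certificates are plain dataclasses with constructed key material, and `Cert`, `key_id`, `rolling_ca`, `candidate_issuers` and `diagram` are names chosen here.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:                 # minimal stand-in for an X.509 certificate (constructed, not DER)
    subject: str
    issuer: str
    ski: str                # hex keyIdentifier of this cert's own public key (SKI)
    aki: Optional[str]      # hex keyIdentifier of the key that signed it (AKI), if present
    not_before: int         # in 'counted months', as in the diagram
    not_after: int

def key_id(pubkey: bytes) -> str:
    # RFC 5280 s4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits
    return hashlib.sha1(pubkey).hexdigest()

def rolling_ca(name: str, keys: int, use: int, valid: int) -> List[Cert]:
    """Constructed rolling chain: key k is in use for months [k*use, (k+1)*use)
    and certificates it signs may stay valid until (k+1)*use + valid."""
    return [Cert(name, "Root CA", key_id(b"constructed pubkey %d" % k), None,
                 k * use, (k + 1) * use + valid) for k in range(keys)]

def candidate_issuers(leaf: Cert, store: List[Cert], enforce_aki: bool) -> List[Cert]:
    """Issuer-name-only chaining (the mozilla::pkix behaviour quoted above) versus
    chaining that also requires leaf.AKI == issuer.SKI (the 'classic' check).
    A name-only builder must attempt a signature check against every candidate."""
    by_name = [c for c in store if c.subject == leaf.issuer]
    if not enforce_aki or leaf.aki is None:
        return by_name
    return [c for c in by_name if c.ski == leaf.aki]

def diagram(keys: int, use: int, valid: int, months: int) -> List[str]:
    """Redraw the u/v/. chart from the thread for the given parameters."""
    rows = []
    for k in range(keys):
        cells = []
        for m in range(0, months, use):
            if m < k * use or m >= (k + 1) * use + valid:
                cells.append(".....")   # key not yet in use, or nothing it signed is still valid
            else:
                cells.append("uuuuu" if m < (k + 1) * use else "vvvvv")
        rows.append("|" + "|".join(cells) + "|")
    return rows

if __name__ == "__main__":
    ca = rolling_ca("Intermediate CA", keys=5, use=3, valid=12)
    leaf = Cert("www.example.test", "Intermediate CA", key_id(b"leaf key"), ca[3].ski, 10, 22)
    print(len(candidate_issuers(leaf, ca, False)), "by name;", len(candidate_issuers(leaf, ca, True)), "with AKI/SKI match")
    print("\n".join(diagram(5, 3, 12, 27)))
```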
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto