Robert Relyea wrote:
* If we included only true root CA certificates, would it still be possible to install and use CRLs for lower-level CAs not in the CA database? This isn't an issue for typical users (since Mozilla doesn't install and use CRLs by default) but I'd still be interested in the answer. (I'm presuming the workaround for "power users" would be to import the lower-level CA's cert and then install the CRL.)
Julian would have to verify this, but I believe we have late evaluation of the CRL.
It is possible to import the CRL even if the corresponding CA isn't installed in the cert db, or present in the cache. Look at PK11_ImportCRL and set the flag CRL_IMPORT_BYPASS_CHECKS. The browser currently uses the deprecated function Sec_NewCrl, which does the same thing (no checks).
The CRL only gets closely looked at when a validation happens, usually long after it has been imported to the database. I.e., it is a late evaluation.
I think the browser should try to check the CRL at import time if possible. I.e., it should try the import with checks first. If the import with checks fails, some decision needs to be made somehow. One could bring up a dialog to prompt the user, but that probably wouldn't be very useful. The alternative would be to persist all the valid intermediate CAs in the DB to ensure that this situation does not occur.
Another solution is if the CRL is stored on an SSL server which contains the CA. If that's the case, it would ensure that Mozilla has the CA available at the time of import, even if the CA doesn't get persisted. But obviously, we cannot dictate that anybody deploys CRLs this way. You can just as well ftp CRLs insecurely ...
The reasoning for doing the check is that you don't want to silently import a rogue CRL into the browser DB, which can happen if there are no checks on it at import time. If you import a rogue CRL, then obtain the legit CA later on (say, during an SSL handshake), all validations for certs issued by that CA will fail, because the CRL in the DB won't match the CA cert. This would be a case of "poison CRL".
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
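The import-time check versus late evaluation, and the "poison CRL" outcome the post describes, as an added example that is not part of the original thread and not NSS code. It is a small Go model of a cert db's CRL table built on the standard library's crypto/x509: ImportCRL stands in for PK11_ImportCRL with and without CRL_IMPORT_BYPASS_CHECKS, CheckRevocation is the late evaluation at validation time, and the error names, the "Legit CA" name and the serial numbers are all ours, constructed for the example. The rogue CRL is one whose Issuer field names the legit CA but which is signed with a key that CA never had.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrIssuerUnknown = errors.New("import: issuing CA not in cert db, signature cannot be checked")
var ErrBadSignature = errors.New("import: CRL signature does not verify against the issuing CA")
var ErrPoisonCRL = errors.New("validation: stored CRL does not verify against the CA (poison CRL)")
var ErrRevoked = errors.New("validation: certificate is revoked")

// CRLStore models the cert db's CRL table, keyed by the CRL's issuer DN.
type CRLStore struct{ crls map[string]*x509.RevocationList }

// ImportCRL stands in for PK11_ImportCRL: with checks on, the CRL is stored only if its issuer is in
// knownCAs and its signature verifies; with bypassChecks (CRL_IMPORT_BYPASS_CHECKS, Sec_NewCrl) it is stored unexamined.
func (s *CRLStore) ImportCRL(rl *x509.RevocationList, knownCAs map[string]*x509.Certificate, bypassChecks bool) error {
	issuer := rl.Issuer.String()
	if ca := knownCAs[issuer]; !bypassChecks && ca == nil {
		return ErrIssuerUnknown
	} else if !bypassChecks && rl.CheckSignatureFrom(ca) != nil {
		return ErrBadSignature
	}
	s.crls[issuer] = rl
	return nil
}

// CheckRevocation is the late evaluation: the stored CRL is verified only now, with the CA cert
// in hand; a CRL that does not verify against it makes validation fail (the "poison CRL" case).
func (s *CRLStore) CheckRevocation(serial *big.Int, ca *x509.Certificate) error {
	rl := s.crls[ca.Subject.String()]
	if rl == nil {
		return nil // no CRL on file for this CA
	}
	if rl.CheckSignatureFrom(ca) != nil {
		return ErrPoisonCRL
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCA builds a CA cert with the given DN (Go derives the SubjectKeyId that CreateRevocationList needs).
func selfSignedCA(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// makeCRL signs a CRL revoking serial; its Issuer field is taken from signer's subject DN.
func makeCRL(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, serial int64) *x509.RevocationList {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}},
	}, signer, signerKey))
	return must(x509.ParseRevocationList(der))
}

// Outcome holds the error (nil = success) of each step of RunScenario.
type Outcome struct{ ImportNoCA, ImportBypass, LateValidation, ImportWithCA, LegitImport, LegitValidation, Revoked error }

// RunScenario replays the post's sequence: rogue CRL before the CA is known, legit CA obtained later, then validation.
func RunScenario() Outcome {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := selfSignedCA("Legit CA", caKey)
	// Rogue CRL: its Issuer says "Legit CA", but it is signed with a key that CA never had.
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueCRL := makeCRL(selfSignedCA("Legit CA", rogueKey), rogueKey, 9999)
	db := &CRLStore{crls: map[string]*x509.RevocationList{}}
	withCA := map[string]*x509.Certificate{ca.Subject.String(): ca}
	var out Outcome
	out.ImportNoCA = db.ImportCRL(rogueCRL, nil, false)                     // rejected: issuer not in db
	out.ImportBypass = db.ImportCRL(rogueCRL, nil, true)                    // accepted unexamined
	out.LateValidation = db.CheckRevocation(big.NewInt(1001), ca)           // poison CRL: validation fails
	out.ImportWithCA = db.ImportCRL(rogueCRL, withCA, false)                // rejected: bad signature
	out.LegitImport = db.ImportCRL(makeCRL(ca, caKey, 1002), withCA, false) // CA-signed CRL replaces it
	out.LegitValidation = db.CheckRevocation(big.NewInt(1001), ca)          // 1001 is not on the CRL
	out.Revoked = db.CheckRevocation(big.NewInt(1002), ca)                  // 1002 is on it
	return out
}
```

The first three steps are the situation the post warns about: with checks on and the CA absent, the import is refused and the caller has to decide what to do; with checks bypassed the rogue CRL lands in the db, and every later validation against the legit CA fails closed because the stored CRL's signature does not verify. The last four steps show that the same check rejects the rogue CRL once the CA is known, and that a CRL actually signed by the CA restores normal revocation checking.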
