CA/Maintenance and Enforcement

102 bytes added, 17:18, 24 September 2018
minor updates
= Potential Problems, Prevention, Response =
While [[CA/Responding_To_An_Incident|CA incidents]] have differing levels of severity, there are some behaviours which every CA should be able to avoid, which Mozilla regards as red flags in terms of a continued trust relationship, and which would lead to an investigation. They are:
* Deliberate violation of Mozilla or other applicable policy
* Lying or deception
[https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] describes the steps that Mozilla takes to evaluate and respond to security concerns related to certificate operation and issuance. The following list may be used as a guideline of what to expect when certain types of issues are found, but this list is non-binding because the necessary actions and responses will vary depending on the situation.
 
'''Problem:''' SHA-1 certificate(s) issued
* Prevention: Don't accept SHA-1 certs. {{bug|1339662}}, in Firefox 51.
 
'''Problem:''' Certificate(s) issued with weak RSA key
* Prevention: Don't accept certs signed with weak RSA keys. {{bug|360126}}, in Firefox 33.
 
'''Problem:''' Certificate(s) issued without enough key usage info
* Prevention: Enforce key usage restrictions better. {{bug|725351}}, needs to be implemented.
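The three prevention items above all amount to a check a relying party can run over a parsed certificate. As an added example (not code from the Mozilla wiki page or from Firefox/NSS), the following Go program, using only the standard library, parses a certificate and reports which of the three red flags it trips. The function names, the finding labels and the <code>MakeTestCert</code> helper are assumptions made here; the 2048-bit RSA floor is the current CA/Browser Forum Baseline Requirements minimum and is not the threshold of the Firefox bug cited above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding labels for the three prevention items on the page (names chosen here).
const (
	FindingSHA1       = "sha1-signature"
	FindingWeakRSA    = "weak-rsa-key"
	FindingNoKeyUsage = "no-key-usage-info"
)

// MinRSABits is the smallest RSA modulus accepted. Assumption: the 2048-bit
// floor of the CA/Browser Forum Baseline Requirements, not the threshold of
// the Firefox bug cited on the page.
const MinRSABits = 2048

// CheckCert inspects one parsed certificate and returns the red flags it
// triggers, in a fixed order: SHA-1 signature, weak RSA key, no key usage info.
func CheckCert(cert *x509.Certificate) []string {
	var findings []string

	// A SHA-1 signature on the certificate is the first red flag.
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, FindingSHA1)
	}

	// Weak RSA key: only RSA keys are measured here; other key types pass.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < MinRSABits {
		findings = append(findings, FindingWeakRSA)
	}

	// Missing key usage info: neither a KeyUsage nor an ExtendedKeyUsage extension.
	if cert.KeyUsage == 0 && len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		findings = append(findings, FindingNoKeyUsage)
	}
	return findings
}

// MakeTestCert builds a self-signed certificate with the requested properties.
// It exists only to construct sample input for CheckCert; none of this is real
// CA data (hypothetical helper, constructed subject name).
func MakeTestCert(sigAlg x509.SignatureAlgorithm, rsaBits int, withKeyUsage bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "sample.invalid"}, // constructed name
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
	}
	if withKeyUsage {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	// Go only emits the KeyUsage/ExtKeyUsage extensions when the template sets them,
	// so withKeyUsage=false yields a certificate with no key usage info at all.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Two constructed certificates: one that trips every check, one that is clean.
	bad, err := MakeTestCert(x509.SHA1WithRSA, 1024, false)
	if err != nil {
		panic(err)
	}
	good, err := MakeTestCert(x509.SHA256WithRSA, 2048, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("bad cert findings: ", CheckCert(bad))  // [sha1-signature weak-rsa-key no-key-usage-info]
	fmt.Println("good cert findings:", CheckCert(good)) // []
}
```

<code>CheckCert</code> deliberately does not call <code>Verify</code>: the point is to lint a single certificate's own properties, independent of chain building, so the same function can be run over a CA's issued corpus when triaging a mis-issuance report. The findings come back in a fixed order so that a caller can compare them directly.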
'''Problem:''' CA mis-issued a small number of SSL certificates that they can enumerate
* Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance bug] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report].
* Depending on the situation, also consider adding the certificates to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL].

'''Problem:''' CA mis-issued a small number of email certificates that they can enumerate

'''Problem:''' CA mis-issued a large number (e.g. hundreds) of end-entity certificates that they can enumerate
* Immediate Minimum Response: Open a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance bug] and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report].
* Depending on the situation, also consider adding the intermediate CA certificate(s) to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL], distrusting the root certificate that the mis-issued certificates chain up to, or distrusting all of the root certificates owned by that CA.

'''Problem:''' CA mis-issued an unknown number of un-enumerated end-entity certificates

'''Problem:''' CA failed to supply proper audit documentation, or audit report contains numerous and/or serious qualifications
* Immediate Minimum Response: File a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance CA compliance bug], request that the CA respond with remediation plans, and request an [https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report incident report].
* Depending on the situation, also consider requiring the CA to undergo new period-of-time audits as soon as the problems have been resolved. If the same problems are included on the new audit reports, they must state the dates on which the problems were resolved.