
Consider removal of mandatory requirement for CRLs for end entity certs #556

Closed
4 tasks done
lachellel opened this issue Nov 13, 2018 · 9 comments · Fixed by #567

Comments

@lachellel
Contributor

lachellel commented Nov 13, 2018

During development / testing and comparison with the CP and certificate profiles, there is a request to consider removal of the requirement for Certificate Revocation Lists to be published and the associated URIs to be included in the CDP extension for serverAuth certificates.

Impacts:

  • Section 2
  • Section 4
  • Other [TBD]

Requirements review:

  • Microsoft trusted root program requirements:

    • Reference Section 4, sub-section A, bullet 5: All end-entity server authentication certificates must contain an AIA extension with a valid OCSP URL. These certificates may also contain a CDP extension that contains a valid CRL URL. All other certificate types must contain either an AIA extension with an OCSP URL or a CDP extension with a valid CRL URL.
  • Apple [TODO]

  • Mozilla [TODO]

  • Other [TODO]

@ryancdickson
Contributor

ryancdickson commented Nov 14, 2018

Mozilla Root Store Policy:

  1. Revocation
    CAs MUST revoke Certificates that they have issued upon the occurrence of any event listed in the appropriate subsection of section 4.9.1 of the Baseline Requirements, according to the timeline defined therein.

CAs MUST maintain an online 24x7 repository mechanism whereby application software can automatically check online the current status of all unexpired certificates issued by the CA.

For end-entity certificates, CRLs MUST be updated and reissued at least every seven days, and the value of the nextUpdate field MUST NOT be more than ten days beyond the value of the thisUpdate field.

For end-entity certificates, if the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service:

  • it MUST update that service at least every four days; and
  • responses MUST have a defined value in the nextUpdate field, and it MUST be no more than ten days after the thisUpdate field; and
  • the value in the nextUpdate field MUST be before or equal to the notAfter date of all certificates included within the BasicOCSPResponse.certs field or, if the certs field is omitted, before or equal to the notAfter date of the CA certificate which issued the certificate that the BasicOCSPResponse is for.

I interpret the above to suggest CRLs are required for end-entity certificates, but given inclusion of DST Root CA 3 (Let's Encrypt) in the Mozilla Store - I must be missing something.
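The CRL and OCSP freshness rules quoted from the Mozilla policy above, encoded as a small compliance checker. This is an added example, not code from the issue thread or the project; the CrlInfo/OcspInfo classes, field names and sample timestamps are constructed assumptions, and it also covers the "certs omitted" fallback to the issuing CA's notAfter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_CRL_REISSUE = timedelta(days=7)       # CRLs reissued at least every seven days
MAX_VALIDITY_WINDOW = timedelta(days=10)  # nextUpdate no more than ten days after thisUpdate

@dataclass
class CrlInfo:  # hypothetical container for the fields read from an end-entity CRL
    this_update: datetime
    next_update: datetime
    previous_this_update: Optional[datetime] = None  # thisUpdate of the prior CRL, if known

@dataclass
class OcspInfo:  # hypothetical container for the fields read from a BasicOCSPResponse
    this_update: datetime
    next_update: Optional[datetime]  # None models an omitted nextUpdate field
    certs_not_after: List[datetime] = field(default_factory=list)  # notAfter of each certs entry
    issuer_not_after: Optional[datetime] = None  # notAfter of the issuing CA cert (certs omitted)

def check_crl(crl: CrlInfo) -> List[str]:
    # Returns the quoted end-entity CRL rules this CRL breaks (empty list = compliant)
    problems = []
    if crl.next_update - crl.this_update > MAX_VALIDITY_WINDOW:
        problems.append("CRL nextUpdate is more than ten days after thisUpdate")
    if (crl.previous_this_update is not None
            and crl.this_update - crl.previous_this_update > MAX_CRL_REISSUE):
        problems.append("CRL was not reissued within seven days of the previous one")
    return problems

def check_ocsp(resp: OcspInfo) -> List[str]:
    # Returns the quoted end-entity OCSP rules this response breaks (empty list = compliant)
    if resp.next_update is None:
        return ["OCSP response has no nextUpdate"]
    problems = []
    if resp.next_update - resp.this_update > MAX_VALIDITY_WINDOW:
        problems.append("OCSP nextUpdate is more than ten days after thisUpdate")
    if resp.certs_not_after:  # bound by the earliest notAfter among the included certs
        bound, label = min(resp.certs_not_after), "notAfter of a certificate in BasicOCSPResponse.certs"
    else:                     # certs omitted: bound by the issuing CA certificate's notAfter
        bound, label = resp.issuer_not_after, "notAfter of the issuing CA certificate"
    if bound is None:
        problems.append("certs omitted and issuer notAfter unknown; nextUpdate cannot be bounded")
    elif resp.next_update > bound:
        problems.append(f"OCSP nextUpdate is after the {label}")
    return problems

# Constructed sample data (not from any real CA); T0 is an arbitrary reference instant.
T0 = datetime(2018, 11, 13, tzinfo=timezone.utc)
SAMPLE_CRL_OK = CrlInfo(T0, T0 + timedelta(days=7), previous_this_update=T0 - timedelta(days=6))
SAMPLE_CRL_BAD = CrlInfo(T0, T0 + timedelta(days=14), previous_this_update=T0 - timedelta(days=9))
SAMPLE_OCSP_OK = OcspInfo(T0, T0 + timedelta(days=4), certs_not_after=[T0 + timedelta(days=30)])
SAMPLE_OCSP_PAST_CA = OcspInfo(T0, T0 + timedelta(days=4), issuer_not_after=T0 + timedelta(days=2))
SAMPLE_OCSP_NO_NEXT = OcspInfo(T0, None)
```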

@weirdscience
Contributor

Apple does not have a specific requirement.

  • Certification Authority (CA) providers must complete a WebTrust Principles and Criteria for Certification Authorities audit or equivalent.
  • Transport Layer Security (TLS) CA providers must complete a WebTrust SSL Baseline Requirements Audit Criteria for Certification Authorities audit or equivalent and maintain compliance with the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates.
    CA providers must strictly limit the number of roots per CA provider.
    A root certificate must provide broad value to Apple's users.
    CA providers must demonstrate equivalence if submitting a non-WebTrust audit.
    CA providers must notify Apple if they anticipate a change in control. Do not assume trust is transferable.

@weirdscience
Contributor

For Mozilla, it looks like the only requirement is to maintain a 24x7 repo which can either be a CRL or OCSP. I would only read it as CRLs are required if it specifically stated it which it does not. CRLs must be..... not end entities must support CRL.

@debcooley
Contributor

Mozilla: Frankly, this looks like an oversight, or a typo. They seem to be missing a phrase 'if the CA provides' at the front (like in the OCSP paragraph). Is it as simple as asking? Clearly Let's Encrypt is in the store... and presumably they don't issue CRLs....

[They also appear to have no requirements for sub CAs...., just end entities. I'd bet that is an oversight as well.]

@konklone
Contributor

Yes, Let's Encrypt is OCSP-only, and does not publish CRLs.

Mozilla section 6 could be clarified to remove ambiguity, and we could always raise this on m.d.s.p to point this out if we wanted, but my understanding has always been that it's as @debcooley pointed out -- there's an implied "if CRLs are provided" to the CRL clause.

@lachellel
Contributor Author

lachellel commented Dec 14, 2018

CRL shall statements impacted:

  • Server Auth Certificate Profile (../certificate-profile-server-authentication.md) - update the CDP
  • Section 1.3.6
  • Section 2.2
  • Section 2.3
  • Section 4.9.5
  • Section 4.9.7
  • Section 4.9.8
  • Section 4.10.2
  • Section 5.7.3
  • Section 5.8

@lachellel
Contributor Author

Section 5.8 CA termination question:

  • Terminate a CA before all certificates have expired
  • Revoke all issued certificates that have not expired

The CA can't publish a long-term CRL if there is no CRL.

Is the requirement then: "CAs must operate OCSP services for the validity period of all issued certificates"?

[The scenario might be irrelevant to our CP and infrastructure.]

@weirdscience
Contributor

or be more specific to the CA (root) that will issue CRLs.

@techliaison

yes - if a CA only does OCSP & no CRL, then it must have a way to maintain the OCSP service until all issued certs have expired even if the CA "terminates"
