OCSP Checking for certificates without AIA URLs

OCSP Checking for certificates without AIA URLs

Dan Bryan
Hello,
In a PKI where there are multiple private CAs that do not publish revocation URLs in the certificate's AIA field, what options does Firefox provide for using a third-party revocation service that has been delegated as an OCSP authority for these CAs?
I would like to be able to say that Private CA1-3 should query responder http://ocsp1.com and Private CA4-5 should query http://ocsp2.com. This flexibility has been offered in CAPI via group policy certificate properties since Vista. But given that Firefox doesn't depend on CAPI for certificate validation, is there any way to configure NSS to support something like this?

Thanks,

--Dan
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Re: OCSP Checking for certificates without AIA URLs

Richard Barnes
Hey Dan,

There is nothing in Firefox to support this use case.  The live OCSP
checking code [1] (vs. stapled) pulls the OCSP responder URL from AIA at
validation time; there is no other way to configure a responder URL.

--Richard

[1]
http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#518
http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#565

On Mon, Oct 17, 2016 at 12:10 PM, Dan Bryan <[hidden email]> wrote:

> Hello,
> In a PKI where there are multiple private CA's that do not publish
> revocation urls into the certificates AIA field, what options does Firefox
> provide for using a 3rd party revocation service who has been delegated as
> an OCSP authority for these CAs.
> I would like to be able to say Private CA1-3 should query responder
> http://ocsp1.com and Private CA4-5 should query http://ocsp2.com. This
> flexibility has been offered in CAPI via group policy certificate
> properties since vista. But being that firefox doesn't depend on CAPI for
> certificate validation, is there anyway to configure NSS to support
> something like this?
>
> Thanks,
>
> --Dan
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
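What Richard's two searchfox links amount to, shown here as an added Python example rather than the mozilla::pkix C++ (this is not Mozilla's code): the validator's only source for a responder URL is the certificate's own Authority Information Access extension, so a certificate without one yields nothing to query. The small DER encoder exists only to construct sample extensions inline; ocsp1.example, ocsp2.example and ca.example are placeholder hostnames, and live_ocsp_target is this example's name for the decision, not a Firefox function.

```python
# Added example (not mozilla::pkix code): how a validator discovers the OCSP
# responder from a certificate's Authority Information Access (AIA) extension,
# and what it is left with when the extension is absent.  The DER encoder is
# only used to construct the sample extensions inline; hostnames are placeholders.

ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86     # URI = [6] IMPLICIT IA5String


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_length(len(content)) + content


def access_description(method_oid: bytes, uri: str) -> bytes:
    """AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }"""
    return der(TAG_SEQUENCE, der(TAG_OID, method_oid) + der(TAG_URI, uri.encode("ascii")))


def aia_extension(*descriptions: bytes) -> bytes:
    """AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription"""
    return der(TAG_SEQUENCE, b"".join(descriptions))


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def ocsp_responders(aia_der):
    """Return the OCSP URIs in an AIA extension, in certificate order.

    None means the certificate carries no AIA extension at all, which is the
    situation in the thread: the validator then has no responder to ask.
    """
    if aia_der is None:
        return None
    tag, body, end = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE or end != len(aia_der):
        raise ValueError("AIA is not a single SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, method, p = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, location, p = read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        # Only id-ad-ocsp entries with a URI location count; caIssuers entries
        # and non-URI GeneralNames are skipped.
        if method == ID_AD_OCSP and tag == TAG_URI:
            uris.append(location.decode("ascii"))
    return uris


def live_ocsp_target(aia_der):
    """The decision the thread is about: which responder, if any, gets a live
    OCSP request.  The URL comes from the certificate or there is no request;
    a per-CA override table (hypothetical) has no field to attach to."""
    uris = ocsp_responders(aia_der)
    return uris[0] if uris else None


# Constructed samples (placeholder hostnames).
AIA_PUBLIC_STYLE = aia_extension(
    access_description(ID_AD_CA_ISSUERS, "http://ca.example/ca.crt"),
    access_description(ID_AD_OCSP, "http://ocsp1.example"),
    access_description(ID_AD_OCSP, "http://ocsp2.example"),
)
AIA_ABSENT = None  # the private CAs in the thread issue certificates like this

if __name__ == "__main__":
    print(ocsp_responders(AIA_PUBLIC_STYLE))  # ['http://ocsp1.example', 'http://ocsp2.example']
    print(live_ocsp_target(AIA_ABSENT))       # None
```

The public-CA-style sample yields two responders and the first is used; the AIA-less sample yields None, and nothing outside the certificate is consulted. That is also why neither a PKCS#11 module nor an extension can supply the URL: the lookup happens inside the verifier, above the NSS layer, and reads only the certificate.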
Re: OCSP Checking for certificates without AIA URLs

Dan Bryan
On Monday, October 17, 2016 at 2:02:27 PM UTC-4, Richard Barnes wrote:

Thanks for the detailed info. I imagine it might be possible if a third-party Firefox "Security device" were loaded and developed to handle this use case, right? Or maybe an extension could be developed to make Firefox think an AIA is present in a certificate?

Re: OCSP Checking for certificates without AIA URLs

Dan Bryan
On Monday, October 17, 2016 at 2:57:18 PM UTC-4, Dan Bryan wrote:

Richard,

According to http://kb.mozillazine.org/About:config_entries
it looks like there are/were several options:
security.OCSP.enabled = 2
security.OCSP.URL = http://myresponder

I attempted to configure these in about:config of Firefox 47.0.1 and no requests went to my responder. This supports what you're saying. I am guessing this was a feature that was enabled in the past and is no longer present?

Re: OCSP Checking for certificates without AIA URLs

Richard Barnes
Yep, that sounds right.  That pref no longer appears in the codebase.

http://searchfox.org/mozilla-central/search?q=security.OCSP.URL

As far as a new module: I'm afraid that won't help either.  Firefox does
certificate validation above the NSS layer, using the mozilla::pkix library
(as of a year or two ago).

On Mon, Oct 17, 2016 at 4:26 PM, Dan Bryan <[hidden email]> wrote:

> On Monday, October 17, 2016 at 2:57:18 PM UTC-4, Dan Bryan wrote:
> > On Monday, October 17, 2016 at 2:02:27 PM UTC-4, Richard Barnes wrote:
> > > Hey Dan,
> > >
> > > There is nothing in Firefox to support this use case.  The live OCSP
> > > checking code [1] (vs. stapled) pulls the OCSP responder URL from AIA
> at
> > > validation time; there is no other way to configure a responder URL.
> > >
> > > --Richard
> > >
> > > [1]
> > > http://searchfox.org/mozilla-central/source/security/certverifier/
> NSSCertDBTrustDomain.cpp#518
> > > http://searchfox.org/mozilla-central/source/security/certverifier/
> NSSCertDBTrustDomain.cpp#565
> > >
> > > On Mon, Oct 17, 2016 at 12:10 PM, Dan Bryan <[hidden email]>
> wrote:
> > >
> > > > Hello,
> > > > In a PKI where there are multiple private CA's that do not publish
> > > > revocation urls into the certificates AIA field, what options does
> Firefox
> > > > provide for using a 3rd party revocation service who has been
> delegated as
> > > > an OCSP authority for these CAs.
> > > > I would like to be able to say Private CA1-3 should query responder
> > > > http://ocsp1.com and Private CA4-5 should query http://ocsp2.com.
> This
> > > > flexibility has been offered in CAPI via group policy certificate
> > > > properties since vista. But being that firefox doesn't depend on
> CAPI for
> > > > certificate validation, is there anyway to configure NSS to support
> > > > something like this?
> > > >
> > > > Thanks,
> > > >
> > > > --Dan
> > > > _______________________________________________
> > > > dev-security mailing list
> > > > [hidden email]
> > > > https://lists.mozilla.org/listinfo/dev-security
> > > >
> >
> > Thanks for the detailed info. I imagine it might be possible if a 3rd
> party Firefox "Security device" were loaded and developed to handle this
> use case, right? Or maybe an extension could be developed to make firefox
> think an AIA is present in a certificate?
>
> Richard,
>
> According to: http://kb.mozillazine.org/About:config_entries
> it looks like there are/were several options:
> security. OCSP. enabled = 2
> security. OCSP. URL = http://myresponder
>
> I attempted to configure these in about:config of firefox 47.0.1 and no
> requests went to my responder. This supports what your saying. I am
> guessing this was a feature that was enabled in the past, and is no longer
> present?
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
>
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: OCSP Checking for certificates without AIA URLs

Daniel Veditz
On 10/17/16 1:26 PM, Dan Bryan wrote:
> According to: http://kb.mozillazine.org/About:config_entries
> it looks like there are/were several options:
> security.OCSP.enabled = 2
> security.OCSP.URL = http://myresponder

That never worked very well. When you turned that on then _all_ OCSP
requests would go to that url. If that responder couldn't return a
correctly-signed response then people couldn't load their sites. If it's
a corporate responder it won't actually be able to sign the OCSP
responses, so at best it could only work as a proxy to the real OCSP
responders.

Maybe it was useful to cache responses for a corporate network, so you
could set a policy of hard-fail and not worry as much about the CA's
responders being down. Or seemed useful in theory -- I don't recall any
fuss when we removed it.

-Dan Veditz
