Hi Gerv and Jacob,
Thanks for the assistance and recommendations.
Since I sent this initial email I found out we have a couple of CAs without EKUs that are issuing SHA-1 Client certificates, so I'm afraid the scope of the question has just expanded beyond just OCSP signing certificates. We've had SHA-2 replacement CAs in production for a while, but some customers need to renew their SHA-1 with SHA-1, so there continues to be some issuance. This will end in January 2018 when they will all be shut down.
The Mozilla requirement to have EKUs in all issuing CAs took us a bit by surprise and I apologize for not getting the internal coordination done as quickly as we should have.
Read more below.
> -----Original Message-----
> From: dev-security-policy [mailto:
dev-security-policy-
> bounces+doug.beattie=
globals...@lists.mozilla.org] On Behalf Of Jakob
> Bohm via dev-security-policy
> Sent: Thursday, October 5, 2017 12:49 PM
> To:
mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Issuing and using SHA-1 OCSP signing certificates
>
> On 05/10/2017 00:38, Nick Lamb wrote:
> > On Wednesday, 4 October 2017 20:19:22 UTC+1, Gervase Markham wrote:
> >> Would it be an acceptable solution to add these intermediates to OneCRL?
> >
> > I can't think of any reason this isn't a good idea, the intermediate claims
> never to issue anything Firefox (the consumer of OneCRL) would want to
> trust.
> >
>
> Another question though, in the particular case of GlobalSign, isn't it the case
> that all SHA-1 certificates chain to the old GlobalSign root
> (04:00:00:00:00:01:15:4b:5a:c3:94), while all SHA-256 or higher chain to new
> GlobalSign R3 root (04:00:00:00:00:01:21:58:53:08:a2) or one of the other
> GlobalSign Rx roots (including the R2 root now owned by Google).
- All SHA-1 certificates chain to Root R1 (04:00:00:00:00:01:15:4b:5a:c3:94),
- Root R3 only has SHA-256 certificates under it.
- R1 has SHA-256 CAs under it (most of our current SSL CAs are under R1)
> If so, would the proposed SHA-1 OCSP certs chain only to the old root?
Yes, this is true, SHA-1 OCSP certs will chain only to Root R1
> Would that old root be completely unused by current NSS clients (Firefox,
> Thunderbird, Redhat, ...)?
As mentioned above, we have several active SSL SHA-256 CAs under R1, so that's not a good idea.
> Has GlobalSign successfully revoked the R3 to old cross certificate (that failed
> to be revoked due to that OCSP bug a while back).
The OCSP issue a while back was between R1 and R2 and the revocation was related to the sale of that root to google. Yes, those R1/R2 cross certs have all been revoked, but that was not really your question. We have some R1 to R3 cross certificates, but no R3 to R1 cross certificates
> If all 3 answers are Yes, couldn't that old root just be removed from the root
> store with a comment (for the benefit of "clone" root stores) that this root
> CA cert has exited the BR scope to become a dedicated
> SHA-1 only CA used for people needing backwards compatible certificates.
Unfortunately, we continue to use Root R1 for SSL so this would not work.
I keep coming back to the base requirement that a SHA-1 Subordinate CAs must have EKU in order to continue issuing certificates. I understand Mozilla wants to be sure that no SSL certificates are issued using SHA-1, but even if that happened they would not be trusted by any of the major browsers.
We could provide you with the non-SSL SHA-1 CAs and have them added to OneCRL as long as we're sure that would not impact their use for client authentication and secure email. Would that suffice?
> Of cause GlobalSign could continue telling SHA-256 customers to include the
> old-to-R3 cross certificates in chains supplied to clients that may have old
> root stores without R3 (such as Microsoft systems not subscribing to
> automatic CA updates), as those systems would only trust the old root and
> not distrust it over this. Again, this relies on the old root not being explicitly
> blocked in a way that would barf at its inclusion in an alternative certificate
> chain.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct
+45 31 13 16 10 This public
> discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
>
dev-secur...@lists.mozilla.org
>
https://lists.mozilla.org/listinfo/dev-security-policy