
OCSP Checking for certificates without AIA URLs


Dan Bryan

Oct 17, 2016, 12:10:49 PM
to mozilla-de...@lists.mozilla.org
Hello,
In a PKI where there are multiple private CAs that do not publish revocation URLs in the certificate's AIA field, what options does Firefox provide for using a third-party revocation service that has been delegated as an OCSP authority for these CAs?
I would like to be able to say Private CA1-3 should query responder http://ocsp1.com and Private CA4-5 should query http://ocsp2.com. This flexibility has been offered in CAPI via group policy certificate properties since Vista. But since Firefox doesn't depend on CAPI for certificate validation, is there any way to configure NSS to support something like this?

Thanks,

--Dan

Richard Barnes

Oct 17, 2016, 2:02:27 PM
to Dan Bryan, mozilla-de...@lists.mozilla.org
Hey Dan,

There is nothing in Firefox to support this use case. The live OCSP
checking code [1] (vs. stapled) pulls the OCSP responder URL from AIA at
validation time; there is no other way to configure a responder URL.

--Richard

[1]
http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#518
http://searchfox.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#565
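As an added illustration (not code from this thread, from Firefox or from NSS), the snippet below does in Python's standard library what Richard describes: it walks the DER of an AuthorityInfoAccess extension value to find the OCSP responder URL, and then layers on the per-issuer responder mapping Dan asked for, falling back to AIA and returning None when neither is available. The AIA byte strings, the `ocsp.example` / `ca.example` hosts and the issuer names are constructed for the example.

```python
# Added example (not code from the thread, Firefox or NSS): a stdlib-only DER
# walker that pulls OCSP responder URLs out of an AuthorityInfoAccess value,
# plus the per-issuer responder mapping asked for above. Samples are constructed.

ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value

def ocsp_urls_from_aia(aia_der):
    """OCSP URIs listed in an AuthorityInfoAccessSyntax value ([] if none)."""
    tag, body, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls = []
    for _, desc in _children(body):                    # each AccessDescription
        (oid_tag, oid), (loc_tag, loc) = list(_children(desc))
        # accessLocation is a GeneralName; uniformResourceIdentifier [6] is tag 0x86
        if oid_tag == 0x06 and oid == ID_AD_OCSP and loc_tag == 0x86:
            urls.append(loc.decode("ascii"))
    return urls

def select_responder(issuer, aia_der, per_issuer=None):
    """Per-issuer override first (CAPI-style policy), else the cert's AIA, else None."""
    override = (per_issuer or {}).get(issuer)
    if override:
        return override
    urls = ocsp_urls_from_aia(aia_der) if aia_der else []
    return urls[0] if urls else None

def _tlv(tag, value):
    """Encode a short-form DER TLV (used only to build the constructed samples)."""
    return bytes([tag, len(value)]) + value

# Constructed sample extension values, not taken from any real certificate.
AIA_WITH_OCSP = _tlv(0x30, _tlv(0x30, _tlv(0x06, ID_AD_OCSP) + _tlv(0x86, b"http://ocsp.example/")))
AIA_CA_ISSUERS_ONLY = _tlv(0x30, _tlv(0x30, _tlv(0x06, ID_AD_CA_ISSUERS) + _tlv(0x86, b"http://ca.example/ca.cer")))
```

With only the AIA path, a certificate that carries a caIssuers entry but no OCSP entry yields no responder at all, which is the gap the thread describes.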

Dan Bryan

Oct 17, 2016, 2:57:18 PM
to mozilla-de...@lists.mozilla.org
Thanks for the detailed info. I imagine it might be possible if a third-party Firefox "Security device" were loaded and developed to handle this use case, right? Or maybe an extension could be developed to make Firefox think an AIA is present in a certificate?

Dan Bryan

Oct 17, 2016, 4:26:14 PM
to mozilla-de...@lists.mozilla.org
Richard,

According to: http://kb.mozillazine.org/About:config_entries
it looks like there are/were several options:
security.OCSP.enabled = 2
security.OCSP.URL = http://myresponder

I attempted to configure these in about:config of Firefox 47.0.1 and no requests went to my responder. This supports what you're saying. I am guessing this was a feature that was enabled in the past, and is no longer present?

Richard Barnes

Oct 17, 2016, 4:44:11 PM
to Dan Bryan, mozilla-de...@lists.mozilla.org
Yep, that sounds right. That pref no longer appears in the codebase.

http://searchfox.org/mozilla-central/search?q=security.OCSP.URL

As far as a new module: I'm afraid that won't help either. Firefox does
certificate validation above the NSS layer, using the mozilla::pkix library
(as of a year or two ago).


Daniel Veditz

Oct 17, 2016, 8:35:28 PM
to Dan Bryan, mozilla-de...@lists.mozilla.org
On 10/17/16 1:26 PM, Dan Bryan wrote:
> According to: http://kb.mozillazine.org/About:config_entries
> it looks like there are/were several options:
> security.OCSP.enabled = 2
> security.OCSP.URL = http://myresponder

That never worked very well. When you turned that on then _all_ OCSP
requests would go to that url. If that responder couldn't return a
correctly-signed response then people couldn't load their sites. If it's
a corporate responder it won't actually be able to sign the OCSP
responses, so at best it could only work as a proxy to the real OCSP
responders.

Maybe it was useful to cache responses for a corporate network, so you
could set a policy of hard-fail and not worry as much about the CA's
responders being down. Or seemed useful in theory -- I don't recall any
fuss when we removed it.

-Dan Veditz
