Trust bits for client auth


rick_a...@symantec.com

Feb 10, 2016, 12:30:23 PM
to mozilla-de...@lists.mozilla.org
Does Firefox put any restriction on which roots are trusted to issue client auth certs? Does the root require a particular trust bit?

Richard Barnes

Feb 10, 2016, 12:57:58 PM
to Rick Andrews, mozilla-de...@lists.mozilla.org
I happen to have been looking at this code today! It turns out (rather
surprisingly) that the root is required to have the email trust bit.

https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CertVerifier.cpp?from=CertVerifier.cpp#248

(If someone wanted to file a bug to change that, I might be favorably
disposed.) Skimming through certdata.txt, it looks like most of the
included roots have this bit set.

On Wed, Feb 10, 2016 at 12:30 PM, <rick_a...@symantec.com> wrote:

> Does Firefox put any restriction on which roots are trusted to issue
> client auth certs? Does the root require a particular trust bit?

Richard Barnes

Feb 10, 2016, 1:05:53 PM
to Rick Andrews, David Keeler, mozilla-de...@lists.mozilla.org
Actually, Keeler just reminded me that Firefox doesn't usually verify
client certs, since it's the server's opinion of validity that matters.
I'll let him chime in with more detail.

David Keeler

Feb 10, 2016, 5:22:39 PM
to mozilla-de...@lists.mozilla.org
Like Richard said, mozilla::pkix requires the trust anchor for a client
auth certificate to have the email trust bit set. However, if my
understanding is correct, the only time Firefox (or any gecko-based
product, I believe) asks mozilla::pkix to verify a client auth
certificate is in the certificate viewer, where the platform is trying
to answer the question, "What are all of the usages this certificate is
valid for?". So, that's really only for display purposes.

Indeed, (and again if my understanding is correct) it doesn't matter
what Firefox thinks of the trustworthiness of a client auth certificate.
It only matters what the server on the other end of the connection thinks.

That said, it would be a bit silly if Firefox offered to use a
certificate that it knew had no hope of being accepted by the server, so
there remains the question of how Firefox picks candidate certificates
that might be used as client auth certificates. For that, the platform
delegates to NSS, where as far as I can tell the trust bits are
irrelevant. That is, when the platform calls CERT_FindUserCertsByUsage
looking for certificates valid for the certUsageSSLClient usage, NSS
doesn't require a trust anchor.

Hope this helps,
David

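Added example (not part of the thread, and not Mozilla or NSS code): the practical check a CA operator or admin would want after reading David's answer is "which roots in my NSS database carry the email trust bit?". `certutil -L -d sql:<dbdir>` prints each certificate's trust as three comma-separated columns, SSL,S/MIME,JAR/XPI; a `C` in a column marks the certificate as a CA trusted to issue certificates for that usage, which is how certdata.txt's CKA_TRUST_EMAIL_PROTECTION = CKT_NSS_TRUSTED_DELEGATOR shows up in the S/MIME column. The script below parses that listing and reports the roots that would satisfy the mozilla::pkix requirement described above, and the roots that are trusted only for server auth. The nicknames, the listing text and the helper names (`parse_certutil_listing`, `client_auth_anchors`, `server_only_roots`) are constructed for the example; the reading of `C` in the S/MIME column as "the email trust bit" is my interpretation of certutil's flag table, not something the thread states.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `certutil -L -d sql:<dbdir>` output. The nicknames
# are invented for this example; only the column layout mirrors certutil.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA - Web and Email                              CT,C,C
Example Root CA - Web Only                                   C,,
Example Intermediate CA                                      c,c,
alice@example.test                                           u,u,u
"""

# certutil trust letters: p/P (prohibited / trusted peer), c (valid CA),
# C (trusted CA for this usage), T (trusted CA to issue client certs),
# u (user cert), w (warn). Three columns: SSL, S/MIME, JAR/XPI.
TRUST_TRIPLE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")


class Trust(NamedTuple):
    ssl: str
    smime: str
    jar: str


def parse_certutil_listing(text: str) -> Dict[str, Trust]:
    """Map nickname -> Trust for every certificate line in a certutil -L dump."""
    certs: Dict[str, Trust] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Nicknames may contain spaces, so only split off the final token,
        # which is the trust triple on certificate lines.
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, attrs = parts
        m = TRUST_TRIPLE.match(attrs)
        if not m:  # header lines ("... Trust Attributes") fall through here
            continue
        certs[nickname.rstrip()] = Trust(*m.groups())
    return certs


def has_email_trust(trust: Trust) -> bool:
    """True if the S/MIME column marks the cert as a trusted CA (the 'email trust bit')."""
    return "C" in trust.smime


def client_auth_anchors(certs: Dict[str, Trust]) -> List[str]:
    """Roots that mozilla::pkix would accept as anchors for a client-auth chain."""
    return sorted(name for name, t in certs.items() if has_email_trust(t))


def server_only_roots(certs: Dict[str, Trust]) -> List[str]:
    """Roots trusted for server auth but lacking the email trust bit."""
    return sorted(
        name for name, t in certs.items() if "C" in t.ssl and not has_email_trust(t)
    )


if __name__ == "__main__":
    parsed = parse_certutil_listing(SAMPLE_LISTING)
    print("client-auth anchors:", client_auth_anchors(parsed))
    print("server-only roots:  ", server_only_roots(parsed))
```

To run it against a real profile, replace `SAMPLE_LISTING` with the captured output of `certutil -L -d sql:$HOME/.mozilla/firefox/<profile>` (or `sql:$HOME/.pki/nssdb`). Note that this only tells you how mozilla::pkix would classify a chain in the certificate viewer; per David's explanation, the certificate picker goes through NSS's `CERT_FindUserCertsByUsage`, which does not consult these trust bits at all, and the server is the only party whose verdict actually gates the connection.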