Revocation Reason Codes for TLS End-Entity Certificates

1,266 views
Skip to first unread message

Kathleen Wilson

unread,
Nov 30, 2021, 4:43:50 PM11/30/21
to dev-secur...@mozilla.org
All,

Building on a previous discussion here in MDSP, Addressing Current Limitations of CRL Revocation Reason Codes, I would like to have a discussion about which CRL revocation reason codes are applicable to TLS. My goals for this discussion are:
  • Specify when certain revocation codes should or should not be used.
  • Determine when CAs should be required to put revocation codes into CRLs.
  • Begin drafting policy language about CRL revocation reason codes.

For reference, please see the “Revocation Reasons” section of the 2009 paper, “Troubleshooting Certificate Status and Revocation”, by Brian Komar and David B. Cross, Microsoft Corporation. For this discussion, I do not want to debate these meanings, but rather I would like to use those meanings as reference to help us determine which revocation reason codes should and should-not be used for TLS end-entity certificates.

I propose that the following revocation reason codes are NOT applicable to TLS server (end-entity) certificates, meaning that they MUST NOT be used in CRLs for TLS server certificates.
  • Unspecified (0)
  • cACompromise (2)
  • cessationOfOperation (5)
  • certificateHold (6)
  • value 7 is not used
  • removeFromCRL (8)
  • aACompromise (10)

I propose that only the following existing revocation reason codes ARE applicable to TLS server (end-entity) certificates, meaning that CRL entries for TLS server certificates must either have one of these reason codes or NO reason code.
  • keyCompromise (1)
  • affiliationChanged (3)
  • superseded (4)
  • privilegeWithdrawn (9)
==
Below is the beginning of potential policy text relating to these reason codes, and is only intended for TLS server (end-entity) certificate revocations.
Note that much of this text is copied from section 4.9.1.1 of the BRs.

keyCompromise (1)
The CRLReason keyCompromise (1) MUST be used when the CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise, or the CA is made aware of a demonstrated or proven method that can easily compute the Subscriber’s Private Key based on the Public Key in the Certificate (such as a Debian weak key, see https://wiki.debian.org/SSLkeys)

If someone other than the Subscriber requests revocation by providing verifiable evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise, then the CA MUST make the information regarding its intent to revoke available to the Subscriber before revoking the certificate, and the CA MUST use the keyCompromise (1) CRLReason.

The CRLReason keyCompromise (1) MAY be used when one or more of the following occurs:
  • The Subscriber requests that the CA revoke the Certificate for this reason code;
  • The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;
  • The CA obtains evidence that the validation of domain authorization or control for any Fully‐Qualified Domain Name or IP address in the Certificate should not be relied upon.
affiliationChanged (3)
The CRLReason affiliationChanged (3) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason, otherwise this CRLReason MUST NOT be used.

superseded (4)
The CRLReason superseded (4) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason, otherwise this CRLReason MUST NOT be used.

privilegeWithdrawn (9)
The CRLReason privilegeWithdrawn (9)  SHOULD be used if one or more of the following occurs, and the CA MUST make the information regarding its intent to revoke available to the Subscriber before revoking the certificate. Otherwise this CRLReason MUST NOT be used.
  • The CA obtains evidence that the Certificate was misused;
  • The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;
  • The CA is made aware of any circumstance indicating that use of a Fully‐Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
  • The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully‐Qualified Domain Name;
  • The CA is made aware of a material change in the information contained in the Certificate;
  • The CA determines or is made aware that any of the information appearing in the Certificate is inaccurate; or
  • The CA is made aware of a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise or if there is clear evidence that the specific method used to generate the Private Key was flawed.

==

I will greatly appreciate your thoughtful and constructive feedback on these proposals.

Thanks,
Kathleen

Ryan Hurst

unread,
Nov 30, 2021, 7:06:24 PM11/30/21
to Kathleen Wilson, dev-secur...@mozilla.org
Kathleen,

I am curious about the decision to include superseded and affiliation change without a firm definition beyond the subscriber asked for these values to be set.

It seems that without a definition even if it was a subscriber-specified reason you would never be able to reason about what the reason itself means as a relying party.

This is in contrast to, say privilege withdrawn and key compromise which signals a severity of the revocation to a relying party.

Ryan


--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/9085ddee-5bea-4dec-9c08-08d70e3cfae9n%40mozilla.org.

Corey Bonnell

unread,
Dec 1, 2021, 9:48:14 AM12/1/21
to Kathleen Wilson, dev-secur...@mozilla.org

Hi Kathleen,

Comments inline.

 

> I propose that the following revocation reason codes are NOT applicable to TLS server (end-entity) certificates, meaning that they MUST NOT be used in CRLs for TLS server certificates.

•             Unspecified (0)

 

SC31 (Browser Alignment ballot) already introduced this prohibition for “unspecified”, so I don’t believe anything needs to be changed from a Mozilla policy standpoint for this reason code.

 

> the CA MUST make the information regarding its intent to revoke available to the Subscriber before revoking the certificate…

 

I believe that BR 4.9.5 already makes it clear that the CA SHALL notify (“work with”) the Subscriber prior to revocation, so I’m not sure what is different about this proposal and the existing requirement. Can you clarify how this proposal is different from the current BR language?

 

> affiliationChanged (3)
The CRLReason affiliationChanged (3) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason, otherwise this CRLReason MUST NOT be used.

> superseded (4)
The CRLReason superseded (4) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason, otherwise this CRLReason MUST NOT be used.

 

I agree with Ryan H. that absent any guidance from Mozilla under which circumstances these reason codes should be used, it’s impossible for Relying Parties to meaningfully interpret these values. Additionally, CAs will similarly be unable to provide documentation to Subscribers on the meaning of these reason codes so Subscribers can make an informed decision in selecting the most appropriate reason code.

 

Thanks,

Corey

--

Jeremy Rowley

unread,
Dec 1, 2021, 2:44:57 PM12/1/21
to dev-secur...@mozilla.org

Hi Kathleen,

 

Does it make sense to make privilegeWithdrawn a catchall for all CA revocations due to compliance issues except those related to keyCompromise?  There’s some revocations not covered by the other categories, for example where there was an audit issue and the CA is revoking the certs under that SubCA.  

 

Jeremy

Kathleen Wilson

unread,
Dec 1, 2021, 8:16:05 PM12/1/21
to dev-secur...@mozilla.org
Thank you to those of you who have already replied. I have incorporated your feedback into the draft policy text here:

https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing

Below are specific responses to your feedback so far.

I agree that we need to define the circumstances under which the affiliationChanged (3) and superseded (4) reason codes may be used, so here is an initial attempt.

affiliationChanged (3)
The CRLReason affiliationChanged (3) MUST be used when the subscriber has requested that their certificate be revoked for this reason, or the CA has verifiable evidence that the subscriber no longer owns the domain names in the certificate and there is no evidence of a private key compromise. Otherwise this CRLReason MUST NOT be used. The affiliationChanged (3) CRLReason is intended to be used to indicate that the subscriber will no longer be using the certificate, or the subscriber has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate and the organization's security policy requires that a new certificate be issued.

superseded (4)
The CRLReason superseded (4) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason or the CA has replaced the certificate due to compliance issues other than those related to keyCompromise (1) and privilegeWithdrawn (9). Otherwise this CRLReason MUST NOT be used. The superseded (4) CRLReason is intended to be used to indicate when either the subscriber or the CA has needed to replace the certificate for reasons other than certificate expiration, keyCompromise (1), privilegeWithdrawn (9), and affiliationChanged (3).

~~

> Does it make sense to make privilegeWithdrawn a catchall for all CA revocations due to compliance issues except those related to keyCompromise?  There’s some revocations not covered by the other categories, for example where there was an audit issue and the CA is revoking the certs under that SubCA.

I prefer to add this situation to superseded (4). Please let me know if you have feedback on the text above to make it more clear in regards to this type of situation.

~~

>>  NOT applicable to TLS server (end-entity) certificates … Unspecified (0)

> SC31 (Browser Alignment ballot) already introduced this prohibition for “unspecified”, so I don’t believe anything needs to be changed from a Mozilla policy standpoint for this reason code.

Agreed. I’m thinking that the policy text will focus on the reason codes that ARE allowed for TLS server certs, and just state that any other reason code is not allowed to be used...

When a CRL entry is for an end-entity SSL certificate the reasonCode extension MUST either not be provided or MUST contain one of the following CRLReason codes.

~~


>> the CA MUST make the information regarding its intent to revoke available to the Subscriber before revoking the certificate…
> I believe that BR 4.9.5 already makes it clear that the CA SHALL notify (“work with”) the Subscriber prior to revocation, so I’m not sure what is different about this proposal and the existing requirement. Can you clarify how this proposal is different from the current BR language?

Ooops. I temporarily forgot the original intent of this part of the proposal… The original intent was that the Subscriber should not experience a sudden DOS due to the CA revoking their certificate without any advance notice.

So I will pull this out of the keyCompromise (1) and privilegeWithdrawn (9) reasons, and have it stand on its own for all revocations of TLS server certs. How about the following text at the top of the new section?

The CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber before revoking the certificate. When the revocation is the result of a Certificate Problem Report as defined in the CA/Browser Forum Baseline Requirements, the CA must communicate with the subscriber as described in section 4.9.5 of the CA/Browser Forum Baseline Requirements.

Thanks,
Kathleen

Aaron Gable

unread,
Dec 2, 2021, 1:18:04 PM12/2/21
to Kathleen Wilson, dev-secur...@mozilla.org
Comments inline:

On Wed, Dec 1, 2021 at 5:16 PM Kathleen Wilson <kwi...@mozilla.com> wrote:
affiliationChanged (3)
The CRLReason affiliationChanged (3) MUST be used when the subscriber has requested that their certificate be revoked for this reason, or the CA has verifiable evidence that the subscriber no longer owns the domain names in the certificate and there is no evidence of a private key compromise. Otherwise this CRLReason MUST NOT be used. The affiliationChanged (3) CRLReason is intended to be used to indicate that the subscriber will no longer be using the certificate, or the subscriber has terminated their relationship with the organization indicated in the Distinguished Name attribute of the certificate and the organization's security policy requires that a new certificate be issued.

Is the intent here that, if the CA receives verifiable evidence that the subscriber no longer owns the identifiers in the certificate, then they must revoke with `affiliationChanged`? Or is the intent that, if the CA is asked to revoke, and they also have verifiable evidence that the subscriber no longer owns the identifiers, then they must use the `affiliationChanged` reason code?

The latter makes complete sense to me. But the former sounds to me like it would require CAs to set up systems similar to how they handle key compromise certificate problem reports. The standard for "demonstration of key compromise" is pretty easy -- either show the private key itself, or something you signed with the private key -- but it's not clear to me what "verifiable evidence" would constitute for this case, and how / how quickly a CA would be expected to respond when receiving such information unsolicited (aside from the normal 24-hour requirement if it is the subscriber requesting revocation themself).
 
superseded (4)
The CRLReason superseded (4) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason or the CA has replaced the certificate due to compliance issues other than those related to keyCompromise (1) and privilegeWithdrawn (9). Otherwise this CRLReason MUST NOT be used. The superseded (4) CRLReason is intended to be used to indicate when either the subscriber or the CA has needed to replace the certificate for reasons other than certificate expiration, keyCompromise (1), privilegeWithdrawn (9), and affiliationChanged (3).

nit: the paragraph above for `affiliationChanged` has a comma in "...revoked for this reason, or the CA has..."; this one does not.
 

The CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber before revoking the certificate. When the revocation is the result of a Certificate Problem Report as defined in the CA/Browser Forum Baseline Requirements, the CA must communicate with the subscriber as described in section 4.9.5 of the CA/Browser Forum Baseline Requirements.


I think that there is a meaningful difference between this text and the current text of the BRs, and that is slightly concerning to me. The BRs currently say (section 4.9.5) "the CA SHALL work with the Subscriber and any entity reporting the Certificate Problem Report or other revocation-related notice to establish whether or not the certificate will be revoked, and if so, a date which the CA will revoke the certificate." The phrase "work with" is supremely vague, but it does not (to me) mean the same thing as "make the information regarding its intent to revoke... available to the certificate subscriber". For example, when a Subscriber uses the ACME API to request the revocation of their own certificate, that feels like it satisfies the "work with" requirement -- the subscriber and the entity reporting the revocation-related notice are the same, and they have requested immediate revocation, and the ACME CA complies. However, there is no room in the protocol for the ACME CA to notify the subscriber of its intent to revoke: by the time the API call has completed, the cert has already been revoked. As another example, the ACME protocol marks the "contact" field on subscriber accounts as optional, meaning that some subscribers cannot be notified prior to revocation if (e.g.) their key is demonstrated to be compromised.

I'm not sure what the right solution here is (and I'm not really a fan of the vague "work with" language either) but this proposed notification requirement feels like a meaningful change, not just a rephrasing or clarification.

Thanks,
Aaron

Matt Palmer

unread,
Dec 6, 2021, 1:13:18 PM12/6/21
to dev-secur...@mozilla.org
Hi Kathleen,

On Tue, Nov 30, 2021 at 01:43:50PM -0800, Kathleen Wilson wrote:
> If someone other than the Subscriber requests revocation by providing
> verifiable evidence that the Subscriber's Private Key corresponding to the
> Public Key in the Certificate suffered a Key Compromise, then the CA MUST
> make the information regarding its intent to revoke available to the
> Subscriber before revoking the certificate,

I'm curious about the background that caused this particular requirement to
end up in here. It doesn't seem relevant to the specification of revocation
reason codes.

As an aside, I'm also not in favour of it in general, for a couple of
reasons. Firstly, the wording is vague, both in the means by which the
action may be executed, as well as the timeframe. Posting a list of certs
to be revoked at an obscure URL five seconds before publishing the CRL would
seem to fit the strict interpretation of this requirement, but it doesn't
seem to serve any practical purpose.

While tightening up the language is of course possible, it would still
remain the case that there are a number of circumstances in which a CA may
not have a reliable means of communication with the subscriber. For
example, Let's Encrypt does not require subscribers to provide any contact
details in order to register an account.

- Matt

Corey Bonnell

unread,
Dec 6, 2021, 1:30:56 PM12/6/21
to Matt Palmer, dev-secur...@mozilla.org
> While tightening up the language is of course possible, it would still remain the case that there are a number of circumstances in which a CA may not have a reliable means of communication with the subscriber. For example, Let's Encrypt does not require subscribers to provide any contact details in order to register an account.

For those CAs which do not collect any information for Subscribers, I would be interested to learn how BR 9.6.3 (7) is fulfilled:

"7. Responsiveness: An obligation to respond to the CA’s instructions concerning Key
Compromise or Certificate misuse within a specified time period."

Thanks,
Corey
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211201094658.GA930%40hezmatt.org.

Matt Palmer

unread,
Dec 6, 2021, 8:21:15 PM12/6/21
to dev-secur...@mozilla.org
On Mon, Dec 06, 2021 at 06:30:50PM +0000, Corey Bonnell wrote:
> > While tightening up the language is of course possible, it would still remain the case that there are a number of circumstances in which a CA may not have a reliable means of communication with the subscriber. For example, Let's Encrypt does not require subscribers to provide any contact details in order to register an account.
>
> For those CAs which do not collect any information for Subscribers, I would be interested to learn how BR 9.6.3 (7) is fulfilled:
>
> "7. Responsiveness: An obligation to respond to the CA’s instructions concerning Key
> Compromise or Certificate misuse within a specified time period."

My reading of that specific requirement is that the subscriber agreement
must contain that stipulation, and *if* a subscriber receives an instruction
and fails to respond to it, they are in breach of the agreement. I don't
read it as requiring the CA to issue instructions in any particular
circumstance.

Could you expand on how and why your understanding differs?

- Matt

Corey Bonnell

unread,
Dec 7, 2021, 2:56:51 PM12/7/21
to Matt Palmer, dev-secur...@mozilla.org
Hi Matt,

> My reading of that specific requirement is that the subscriber agreement must contain that stipulation, and *if* a subscriber receives an instruction and fails to respond to it, they are in breach of the agreement. I don't read it as requiring the CA to issue instructions in any particular circumstance.

BR section 4.9.5 has specific obligations for the CA to notify the Subscriber of pending revocations due to Key Compromise, etc. BR 9.6.3 (7) provides assurance that the Subscriber will respond to such communications to ensure timely replacement of certificates. However, if the CA does not collect any Subscriber contact information, then the CA cannot execute on its obligations to notify the Subscriber. In turn, if such communication from the CA cannot be sent to the Subscriber due to lack of contact information, then it follows that the Subscriber will not be able to fulfill their obligation for 9.6.3 (7). This is especially problematic in the case of mass revocations where certificates cannot be revoked in time because the CA is unable to contact all affected Subscribers.

Therefore, I believe it is incumbent that CAs collect information for at least one method of contact so that both the CA-to-Subscriber notification obligation and the Subscriber's obligation to respond to the CA can be fulfilled.

Thanks,
Corey

-----Original Message-----
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Matt Palmer
Sent: Monday, December 6, 2021 6:26 PM
To: dev-secur...@mozilla.org
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211206232548.GD930%40hezmatt.org.

Matt Palmer

unread,
Dec 7, 2021, 8:02:55 PM12/7/21
to dev-secur...@mozilla.org
On Tue, Dec 07, 2021 at 07:56:46PM +0000, Corey Bonnell wrote:
> Hi Matt,
>
> > My reading of that specific requirement is that the subscriber agreement
> > must contain that stipulation, and *if* a subscriber receives an
> > instruction and fails to respond to it, they are in breach of the
> > agreement. I don't read it as requiring the CA to issue instructions in
> > any particular circumstance.
>
> BR section 4.9.5 has specific obligations for the CA to notify the
> Subscriber of pending revocations due to Key Compromise, etc.

I think you can reasonably read 4.9.5 even broader than that, since it
requires communication with the subscriber *any* time a Certificate Problem
Report is received.

> BR 9.6.3 (7) provides assurance that the Subscriber will respond to such
> communications to ensure timely replacement of certificates.

Hmm, I don't think 9.6.3(7) is *quite* that specific (as it merely says that
subscriber must "respond to the CA's instructions", rather than talking
about timely replacement of certificates specifically) but it's not germane
to the point at hand, so I don't see a need to debate the point extensively.

> However, if the CA does not collect any Subscriber contact information,
> then the CA cannot execute on its obligations to notify the Subscriber.

Agreed.

> In turn, if
> such communication from the CA cannot be sent to the Subscriber due to
> lack of contact information, then it follows that the Subscriber will not
> be able to fulfill their obligation for 9.6.3 (7).

This is where I'm still getting stuck. I can't see how a subscriber's
obligation to respond is relevant until they've received instructions from
the CA. If we agree that I have to give you $20 cash each time we see each
other, and I then go hide in a cave where you can't find me, I don't ever
need to have $20 in my pocket.

> Therefore, I believe it is incumbent that CAs collect information for at
> least one method of contact so that both the CA-to-Subscriber notification
> obligation and the Subscriber's obligation to respond to the CA can be
> fulfilled.

I agree that 4.9.5 requires a CA to collect and maintain contact information
for subscribers so they can fulfill their obligations. I'm still not seeing
how 9.6.3 (7) requires the CA to do same, though -- it's too much of a
stretch for my ageing joints.

- Matt

Aaron Gable

unread,
Dec 8, 2021, 4:28:12 PM12/8/21
to dev-secur...@mozilla.org, Matt Palmer
The language being used in this discussion so far does not seem to reflect the actual text of the BRs. A CA is currently under no obligation to "notify" the subscriber prior to revocation. Rather, a CA is under obligation to "work with the Subscriber... to establish whether or not the certificate will be revoked".

In many cases, no back and forth is required to satisfy that requirement. For example, if a Subscriber uses the ACME API to request revocation of their own certificate, then that request can reasonably be seen to satisfy all obligations to "work with" the Subscriber and the certificate can be revoked immediately. As another example, if a Subscriber Agreement says something to the effect of "The Subscriber acknowledges and accepts that, if any party notifies the CA that your certificate is invalid or compromised, the CA will determine at its sole discretion whether to revoke your certificate", then when a key compromise is demonstrated, the CA has already satisfied its "work with" obligation and may revoke the certificate immediately.

Thus any reading of "work with" as being equivalent to "notify ahead of time" is a meaningful (and ahistorical) semantic change in the reading of that requirement, and collection of contact information is not necessary to satisfy the current requirement.

Aaron

Matt Palmer

unread,
Dec 9, 2021, 12:42:46 AM12/9/21
to dev-secur...@mozilla.org
On Wed, Dec 08, 2021 at 01:28:12PM -0800, Aaron Gable wrote:
> The language being used in this discussion so far does not seem to reflect
> the actual text of the BRs. A CA is currently under no obligation to
> "notify" the subscriber prior to revocation. Rather, a CA is under
> obligation to "work with the Subscriber... to establish whether or not the
> certificate will be revoked".

I agree that "work with" does not absolutely require prior communication
with the subscriber, if the subscriber agreement allows the CA to revoke.
However, the first sentence of 4.9.5 remains problematic. It says that "the
CA SHALL investigate the [...] Certificate Problem Report and provide a
preliminary report on its findings to [...] the Subscriber".

I haven't been able to come up with an interpretation of that sentence which
allows the CA to avoid collecting reliable contact information for all
subscribers, short of some *really* tortured interpretations of the word
"provide". Torturing that word would probably have some unfortunate
consequences, too, because it's used elsewhere in the BRs.

- Matt

Aaron Gable

unread,
Dec 9, 2021, 1:05:26 PM12/9/21
to Matt Palmer, dev-secur...@mozilla.org
I don't follow your argument about torturing the meaning of "provide". The other analogous instances of the word "provide" in the BRs are:
- The CA SHALL provide a process for Subscribers to request revocation of their own Certificates.
- The CA SHALL provide Subscribers... with clear instructions for reporting suspected Private Key Compromise...
- the CA SHALL update the information provided via an Online Certificate Status Protocol...
- the CA SHALL provide a Random Value...

All of these are items that a CA provides either a) statically, in the case of processes and instructions, or b) reactively to a query by the subscriber or relying party, in the case of OCSP and random values. None of these have the meaning "proactively place in the inbox of the party to whom information is provided". In an automated environment such as ACME, where the "preliminary report" and the final revocation decision are identical, an updated OCSP response is all that is necessary to satisfy the obligation to provide a report on the CA's findings.

Aaron

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20211209054239.GG930%40hezmatt.org.

Kathleen Wilson

unread,
Dec 29, 2021, 5:11:41 PM12/29/21
to dev-secur...@mozilla.org, aa...@letsencrypt.org, dev-secur...@mozilla.org, Matt Palmer
Thank you to those of you who have provided more feedback. I have updated the draft policy text here:


I highlighted the changes in the document, and below is a summary of the changes.

1) The first sentence of the second paragraph has been changed to make my intent more clear, and I added a comment that we will need to determine an effective-date because this means code changes (e.g. ACME).

"When a certificate revocation is not initiated by the certificate subscriber, the CA MUST notify the certificate subscriber about its intent to revoke the end-entity SSL certificate at least 24 hours before revoking the certificate."

I am open for feedback on wording and the time frame (e.g. 24 hours), and I will also appreciate thoughts about the effective-date for this new policy. I intend to require that CAs notify certificate subscribers before revoking their certificates, because when certificate revocation is enforced by the browser the CA can essentially cause DOS for websites.

2) Per the feedback from Wendy (here) I replaced "affiliationChanged (3)" with "cessationOfOperation (5)" in the proposed text, because despite the previously referenced document about revocation reasons, I agree with Wendy that cessationOfOperation makes more sense in regards to a TLS certificate no longer being needed because the website it was used in has been taken down or the certificate subscriber no longer owns the domain name(s) in the certificate. Whereas affiliationChanged seems to be about how a person is associated with an organization.

So the "affiliationChanged (3)" paragraph has been replaced by the following.

"cessationOfOperation (5)

The CRLReason cessationOfOperation (5) MUST be used when the subscriber has requested that their certificate be revoked for this reason, or the CA has received verifiable evidence that the subscriber no longer owns the domain names in the certificate and there is no evidence of a private key compromise. Otherwise this CRLReason MUST NOT be used. The CRLReason cessationOfOperation (5) is intended to be used to indicate that the subscriber no longer owns the domain names in the certificate or will no longer be using the certificate. For example, this revocation reason should be used if the website with the certificate is shut down prior to the expiration of the certificate."


I will continue to appreciate your input on this draft proposal.

Thanks,
Kathleen


Aaron Gable

unread,
Dec 29, 2021, 6:08:30 PM12/29/21
to Sam H, dev-secur...@mozilla.org, kwi...@mozilla.com, Matt Palmer
Kathleen and Sam, comments inline:

On Wed, Dec 29, 2021 at 2:11 PM Kathleen Wilson <kwi...@mozilla.com> wrote:
1) The first sentence of the second paragraph has been changed to make my intent more clear, and I added a comment that we will need to determine an effective-date because this means code changes (e.g. ACME).

"When a certificate revocation is not initiated by the certificate subscriber, the CA MUST notify the certificate subscriber about its intent to revoke the end-entity SSL certificate at least 24 hours before revoking the certificate."

I am open for feedback on wording and the time frame (e.g. 24 hours), and I will also appreciate thoughts about the effective-date for this new policy. I intend to require that CAs notify certificate subscribers before revoking their certificates, because when certificate revocation is enforced by the browser the CA can essentially cause DOS for websites.

To the best of my knowledge, this requirement phrased as-is is impossible to comply with. BRs Section 4.9.1.1 says "The CA SHALL revoke a certificate within 24 hours if... [t]he CA obtains evidence that the Subscriber's Private Key... suffered a Key Compromise". This has uniformly been interpreted to mean "within 24 hours of the key compromise report being filed", not "within 24 hours of receiving the report" let alone "within 24 hours of deciding that the report is legitimate". Since there must necessarily be some amount of time between receiving the report and deciding to revoke -- even on the order of milliseconds for an automated ACME revocation, but still -- a CA cannot notify the subscriber more than 24 hours before the revocation and revoke the certificate less than 24 hours after receiving the report. At the very least, this notification period must be reduced in order for a CA to comply both with it and with the existing BRs.

On a broader basis, though, I'm curious what the purpose of this proposed requirement is, and whether there is a better way to satisfy that goal.

In particular, updating an ACME CA to abide by the spirit of the proposed requirement (i.e. send an email, not provide notification via some other mechanism) means not just updating ACME Server software to send notifications: it means every ACME Subscriber updating their client configuration to provide an email address. An ACME CA could update to reject account registrations that don't include email addresses, and could even deactivate all existing accounts that don't have notification addresses, but this would result in those ACME Clients continually failing issuance until their configuration is manually updated to include an address... or until the client itself is updated to provide a fake/meaningless/blackhole address (and as Sam comments, many subscribers do not want to provide an address at all). Neither of those seems like a win for the ecosystem, to me.

So is there another way to think about the purpose of this proposed requirement, what situations it is meant to prevent, and whether those can be more precisely targeted?

On Wed, Dec 29, 2021 at 2:54 PM Sam H <samuel.l....@gmail.com> wrote:
As a subscriber, I would prefer not to be required to provide an email to get a certificate. As such, would it be acceptable to allow polling an endpoint to get the revocation status? I already monitor OCSP for my domains, so I am already notified of revocations without the need for an inbox.

One downside of the "poll an endpoint" approach is that, as you note... well, it's kinda like OCSP. And if a CA publishes "hey, I'm going to revoke this cert in the next 24 hours", why should anyone trust that cert during that 24 hours either? This is why I'm trying to examine the intended purpose of the requirement overall, not just the details of one particular implementation of it.

Aaron

Sam H

unread,
Dec 29, 2021, 6:15:52 PM12/29/21
to dev-secur...@mozilla.org, kwi...@mozilla.com, aa...@letsencrypt.org, dev-secur...@mozilla.org, Matt Palmer
Hi Kathleen,

Re 1:

As a subscriber, I would prefer not to be required to provide an email to get a certificate. As such, would it be acceptable to allow polling an endpoint to get the revocation status? I already monitor OCSP for my domains, so I am already notified of revocations without the need for an inbox.

Thanks,
Sam Harrington

Sam H

unread,
Dec 29, 2021, 8:44:44 PM12/29/21
to dev-secur...@mozilla.org, aa...@letsencrypt.org, dev-secur...@mozilla.org, kwi...@mozilla.com, Matt Palmer, Sam H
To expand on my position:

If the concern is letting the subscriber (me) know about the revocation so I can mitigate the issue, then sending me an email is useless. I'm sometimes entirely offline for weeks at a time, so any recovery needs to be fully automated, or it won't happen. Adding a contact email address would therefore be busywork, as any emails wouldn't reach me in time to anything about the issue anyway.

I already have automated recovery if OCSP informs me of revocation (integrated with OCSP stapling to avoid most downtime), and the ACME Renewal Information (ARI) draft seems promising to avoid potential downtime entirely.

As such, I'd prefer it if I didn't have to do the busywork of providing an email address or other contact info, and I'm hoping something like ARI could serve as an acceptable means of notification.

Thanks,
Sam

Adriano Santoni

unread,
Dec 30, 2021, 2:47:43 AM12/30/21
to dev-secur...@mozilla.org

I fully concur with Aaron. This requirement, as is, conflicts with Section 4.9.1.1 of the BRs.

Adriano

Rob Stradling

unread,
Dec 30, 2021, 11:09:51 AM12/30/21
to Kathleen Wilson, dev-secur...@mozilla.org, aa...@letsencrypt.org, Matt Palmer
Hi Kathleen.

The aspect of this proposal that most concerns me is the idea that after receiving proof of key compromise a CA MUST wait at least 24 hours before revoking the corresponding certificate(s).  Whilst this delay would certainly benefit an attacker who has a copy of the compromised private key (because their window of opportunity is enlarged), ISTM that this delay is most certainly not the best outcome for either the server operator or the relying parties.  IMHO, DOS'ing the website is better than enabling a false sense of security.

By way of analogy (albeit a fairly extreme analogy), imagine if it had just been discovered that the Golden Gate Bridge had become structurally unsound and was likely to collapse at any moment.  To avoid inconveniencing commuters that didn't receive prior warning to make alternative travel plans, should we wait 24 hours before closing the bridge?  Or should we close the bridge immediately, to ensure no loss of life?

If a Subscriber has failed to protect their private key, then they've probably failed to uphold the terms of the Subscriber Agreement.  Why shouldn't the CA be permitted to revoke immediately?


Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Rob Stradling

unread,
Dec 30, 2021, 11:37:07 AM12/30/21
to Kathleen Wilson, dev-secur...@mozilla.org, aa...@letsencrypt.org, Matt Palmer
I can understand why the keyCompromise and cACompromise reason codes are of interest, but I'm struggling to see why Mozilla might be interested in differentiating between privilegeWithdrawn, cessationOfOperation, and superseded.  Why are any of these 3 reason codes more useful than having no reason code at all?  What use cases would be enabled if CAs were to use these 3 reason codes as you propose?

FWIW, at the moment my counter-proposal would be roughly along these lines (for leaf certificate revocations):
  - CAs MUST use keyCompromise for (and only for) proven or suspected key compromise.
  - CAs MUST revoke immediately in the case of proven key compromise.
  - CAs SHOULD NOT use other reason codes.
  - Beyond that, follow the BRs.

From: Rob Stradling <r...@sectigo.com>
Sent: 30 December 2021 16:09
To: Kathleen Wilson <kwi...@mozilla.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Cc: aa...@letsencrypt.org <aa...@letsencrypt.org>; Matt Palmer <mpa...@hezmatt.org>

Kathleen Wilson

unread,
Dec 30, 2021, 12:44:06 PM12/30/21
to dev-secur...@mozilla.org
Many thanks to all of you for your continued input.

I have updated the first sentence of the second paragraph of the draft to the following, and will continue to appreciate your help with the wording. My intent is to provide some protection to the website operator so that a CA cannot revoke their certificate for non-critical reasons without letting them know and take action first. The responsibility may be on the website operator to have automation to check for that information, as opposed to sending notifications via email. So I will continue to appreciate your help with the wording.

"When a certificate revocation is not due to key compromise and is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."


I am particularly interested in having more discussion about the following from Rob:

On Thursday, December 30, 2021 at 8:37:07 AM UTC-8 r...@sectigo.com wrote:
I can understand why the keyCompromise and cACompromise reason codes are of interest, but I'm struggling to see why Mozilla might be interested in differentiating between privilegeWithdrawn, cessationOfOperation, and superseded.  Why are any of these 3 reason codes more useful than having no reason code at all?  What use cases would be enabled if CAs were to use these 3 reason codes as you propose?

FWIW, at the moment my counter-proposal would be roughly along these lines (for leaf certificate revocations):
  - CAs MUST use keyCompromise for (and only for) proven or suspected key compromise.
  - CAs MUST revoke immediately in the case of proven key compromise.
  - CAs SHOULD NOT use other reason codes.
  - Beyond that, follow the BRs.


How do you all think that browsers should enforce end-entity TLS certificate revocations?
e.g.
Should ALL end-entity TLS certificate revocations be enforced via non-over-rideable errors?
Or should the user be able to continue past the error to the website when the revocation is for something other than key compromise?
Should a non-over-rideable error be presented for end-entity TLS certificates that are revoked for privilegeWithdrawn?
Should a non-over-rideable error be presented for end-entity TLS certificates that are revoked for cessationOfOperation?
Should a non-over-rideable error be presented for end-entity TLS certificates that are revoked for superseded?

We all know that if user gets a non-over-rideable error in one browser they will try again with another browser, so enforcing any revocations in only one browser will not be very effective in protecting the user. So I am looking for a solution that may be more broad than Firefox, with the hopes that other browsers will be able to eventually use the revocation reasons for end-entity TLS certificates too. I am under the impression that other browsers will not enforce ALL end-entity TLS certificate revocations with hard fail, and that the rules about the use of certain revocation codes must be in place and in use before they will consider automatically enforcing via hard fail any end-entity TLS certificate revocations.

Thanks,
Kathleen



 

Rob Stradling

unread,
Dec 30, 2021, 1:08:49 PM12/30/21
to Kathleen Wilson, dev-secur...@mozilla.org
> "When a certificate revocation is not due to key compromise and is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."

What if the certificate revocation is due to the CA becoming aware that validation (particularly DCV) was not performed correctly?  In such cases, it's possible (perhaps even likely) that the private key is controlled only by an attacker; and since that private key hasn't been obtained by parties that the subscriber (i.e., the attacker) has not authorized, the key is not compromised.

As with key compromise, waiting 24 hours in this scenario only helps the attacker.

Sent: 30 December 2021 17:44
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Kathleen Wilson

unread,
Dec 30, 2021, 1:13:57 PM12/30/21
to dev-secur...@mozilla.org, r...@sectigo.com, Kathleen Wilson
On Thursday, December 30, 2021 at 10:08:49 AM UTC-8 r...@sectigo.com wrote:
> "When a certificate revocation is not due to key compromise and is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."

What if the certificate revocation is due to the CA becoming aware that validation (particularly DCV) was not performed correctly?  In such cases, it's possible (perhaps even likely) that the private key is controlled only by an attacker; and since that private key hasn't been obtained by parties that the subscriber (i.e., the attacker) has not authorized, the key is not compromised.

As with key compromise, waiting 24 hours in this scenario only helps the attacker.



Updated to:
"When a certificate revocation reason is not keyCompromise (1) as described below and the revocation is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."

Thanks,
Kathleen

Jeremy Rowley

unread,
Dec 30, 2021, 1:24:23 PM12/30/21
to Rob Stradling, Kathleen Wilson, dev-secur...@mozilla.org

In that case, couldn’t you just include that you revoked the certificate before notice as part of the incident report you are already required to file for failing to properly do validation? In this scenario, you’re already filing an incident report so combining the two misses on a report doesn’t seem burdensome. Plus, if you’re filing incident reports promptly, then the browsers can provide guidance on their expectations to revoke before the 24-hour notice or not.  Then, the decision on when to revoke is partly a community-driven decision rather than something the CA is unilaterally deciding.

passerby184

unread,
Dec 30, 2021, 10:35:06 PM12/30/21
to dev-secur...@mozilla.org, Jeremy Rowley, r...@sectigo.com, kwi...@mozilla.com
Updated to:
"When a certificate revocation reason is not keyCompromise (1) as described below and the revocation is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."



not sure adding a rule with expectation of it will be broken regularly is good idea. why not just exempt pre-notice when required by BR 4.9.1.1 as it will surely collide?
2021년 12월 31일 금요일 오전 3시 24분 23초 UTC+9에 Jeremy Rowley님이 작성:

Rob Stradling

unread,
Dec 31, 2021, 6:54:39 AM12/31/21
to Jeremy Rowley, Kathleen Wilson, dev-secur...@mozilla.org
Hi Jeremy.  I think it's unreasonable to expect the browser representatives and the community to always be ready to respond to incident reports within 24 hours.  I also think that it would be a very sad state of affairs for the BRs and Mozilla policy to have mutually exclusive requirements.  And I also think that it makes no sense to prevent CAs from responding promptly to confirmed "security incidents" (e.g., proven key compromise, evidence from a reputable third party that a misissued certificate's private key is controlled by an attacker, etc).

In all other cases, where the CA is not able to confirm a "security incident", I think I could be persuaded that it's not unreasonable to require a >=24hr subscriber notification period prior to revocation.

From: Jeremy Rowley <jeremy...@digicert.com>
Sent: 30 December 2021 18:24
To: Rob Stradling <r...@sectigo.com>; Kathleen Wilson <kwi...@mozilla.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: RE: Revocation Reason Codes for TLS End-Entity Certificates
 

Rob Stradling

unread,
Dec 31, 2021, 7:04:01 AM12/31/21
to passerby184, kwi...@mozilla.com, Jeremy Rowley, dev-secur...@mozilla.org
> why not just exempt pre-notice when required by BR 4.9.1.1

I think this is an excellent idea.

Kathleen, here's a suggested re-wording:
"Unless revocation within 24 hours is required in order to comply with section 4.9.1.1 of the CA/Browser Forum Baseline Requirements, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate."

Ryan Sleevi

unread,
Dec 31, 2021, 11:48:02 AM12/31/21
to Rob Stradling, Jeremy Rowley, dev-secur...@mozilla.org, kwi...@mozilla.com, passerby184
Why limit it to only those reasons requiring 24 hours?

It certainly addresses the immediate incompatibility, and so I’m very supportive of that approach, but my worry is that we’ll still CAs getting confused about the requirements. In particular, imagine the scenario where an incident report comes in for those in the 5 day scenario, and the CA requires time to investigate. The 24 hour notice requirement creates a similar catch-22 for CAs, as it reduces their available time to respond to 4 days. That’s because either they need to give 24 hours notice (to comply with Moz policy), or need to ensure they revoke within 5 days (to comply with the BRs). The only way to meet both requirements is for all of the 5-day reasons in 4.9.1.1 to effectively be treated as 4 days.

Of course, exempting all of 4.9.1.1 alone may not be appropriate, at least for the abuses imagined by “inappropriate” revocation, because it currently contains several areas left up entirely to CA whim and fancy. For example, “misuse” is something entirely defined by the CA, so any CA that wanted to be exempted from a notification requirement could liberally define misuse to whatever they wish. Similarly, the Subscriber Agreement/Terms of Use clause can contain any reason imaginable (e.g. “the CA will revoke for any reason it sees fit”), and that can similarly cause issues that notification may be trying to mitigate or ameliorate.

So I recognize my suggestion has flaws that would need to be worked through, but so do the current proposals here, both by Kathleen and by passerby184.

I definitely agree with Rob that it’s worth exploring the reasons/goals for this change. I’m skeptical that the proposed notice requirement will do anything to help other browsers get to a hard-fail situation, so if that’s the primary goal, it may be worth stepping back, both to examine if that is a worthwhile goal in itself, and look at possible ways to achieve that.

One serious shortcoming of the revocation methods, in general, is that they are CA mediated. Both new and long-standing participants on this list are undoubtedly familiar with just how many CA incidents we regularly see, and in violations of things that are surprising, if not outright unconscionable, in the CAs’ explanations for them. That’s not to say any disagreement or misunderstanding of requirements is an indelible black mark on CAs, or even that they’re all unreasonable, but there certainly have been some events, even in the past year, that are egregious in their misunderstanding that borderline on “willful noncompliance”.

CA revocation simply exacerbates this asymmetry, in which the goals of the user agent are misinterpreted, or misimplemented, by CAs that (understandably and reasonably) have their own motivations and priorities. We see some CAs callously and knowingly violating the BRs, because they want to advantage their customers (site operators) at the risk of users, and revocation is a natural extension of that misalignment. That is, some CAs want to avoid revocation for mistakes they make, because it annoys their customers and (rightfully) harms their reputation, but want to promote revocation for areas where it advantages them (e.g. revoking certs for a customer if that customer gets any cert from another CA, or if the customer fails to pay additional balloon fees based on volume, or monthly “rentals”, etc).

If the goal of revocation is to protect users, particularly in scenarios where the site operator is actively interested and supportive of that, such as key compromise, while discouraging abuse by others, such as CAs, doesn’t it make sense to have the user agent be the means of accomplishing that? Equally, when considering government compulsion for revocation, which may not respect the rule of law or the rights of site operators, doesn’t it make sense for the user agent to be able to both advocate for and defend the rights of server operators, such as ensuring such demands are legitimate and respect the rights of users and site operators? Similarly too, what about the risk of (other) root stores using contractual obligations to compel revocation by CAs in their program, which has a knock-on effect of effectively propagating that policy to all (other) root stores?

Concretely, one way to accomplish this would be that, rather than defining the set of reasons that a CA may use, and trying to filter or special case that, what if the user agent provided a means (e.g. through some integration with, or system maintained similarly to, CCADB), which would allow for site operators to request revocation be propagated through to browsers, with the logic being that the browser first checks if the CA has done the revocation. Effectively, a two-phase commit system to allow both the CA, and the UA, to validate the legitimacy of the revocation request.

There are undoubtably shortcomings here as well - for example, if a third-party demonstrated key compromise to the CA, the site operator may not be interested in having revocation propagated, so it’s by no means a fully fleshed out proposal, although one can easily imagine possible solutions, like the CA delivering that proof to this hypothetical system. But for the scenarios of CA-forced revocation, or things like “someone sent a government-like looking letter for which the CA has no time, skill, or interest in actually validating”, this would allow the user agent to act on their behalf.

Conceptually, just as CT functions as a form of counter-signing, in which CAs aren’t trusted to issue certificates unless they have been witnessed by public logs, thus legitimizing the issuance, this functions as a form of counter-signing for revocation. Unlike past (somewhat misguided) proposals for “revocation transparency”, which largely seek to simply make a commitment to revocation without being able to distinguish, or validate, the decision making, this tries to add a counter-party (or counter-parties) to make sure the revocation itself is legitimate and aligned with the needs and goals for the UA.

This is, however, further separate from the question of soft-fail vs hard-fail for revocation. I realize during the earlier discussion of revocation, as it applies to Mozilla, the technical role of revocation as it works for Web technologies was explicitly excluded, and I do want to respect that. However, I do believe that a meaningful discussion of soft-fail vs hard-fail, for any reason (including key compromise), would necessarily have to include that, since it may be another area of philosophical differences that are key to understanding the present situation.

Kathleen Wilson

unread,
Dec 31, 2021, 1:34:22 PM12/31/21
to dev-secur...@mozilla.org

I definitely agree with Rob that it’s worth exploring the reasons/goals for this change. I’m skeptical that the proposed notice requirement will do anything to help other browsers get to a hard-fail situation,


I see now... If Firefox and other browsers decide to only hard-fail for keyCompromise after the rules for its use are defined, then if a CA decides to revoke a certificate for any other reason it will not cause a DOS for the website, so pre-notification to the website operator is not really necessary.

I have deleted the following paragraph from the draft policy. The first sentence does not help, and the second sentence is redundant.

DELETED: "When a certificate revocation reason is not keyCompromise (1) as described below and the revocation is not initiated by the certificate subscriber, the CA MUST make the information regarding its intent to revoke an end-entity SSL certificate available to the certificate subscriber at least 24 hours before revoking the certificate. When the revocation is the result of a Certificate Problem Report as defined in the CA/Browser Forum Baseline Requirements, the CA must communicate with the subscriber as described in section 4.9.5 of the CA/Browser Forum Baseline Requirements."

 
 it may be worth stepping back, both to examine if that is a worthwhile goal in itself, and look at possible ways to achieve that.

One serious shortcoming of the revocation methods, in general, is that they are CA mediated. Both new and long-standing participants on this list are undoubtedly familiar with just how many CA incidents we regularly see, and in violations of things that are surprising, if not outright unconscionable, in the CAs’ explanations for them. That’s not to say any disagreement or misunderstanding of requirements is an indelible black mark on CAs, or even that they’re all unreasonable, but there certainly have been some events, even in the past year, that are egregious in their misunderstanding that borderline on “willful noncompliance”.

CA revocation simply exacerbates this asymmetry, in which the goals of the user agent are misinterpreted, or misimplemented, by CAs that (understandably and reasonably) have their own motivations and priorities. We see some CAs callously and knowingly violating the BRs, because they want to advantage their customers (site operators) at the risk of users, and revocation is a natural extension of that misalignment. That is, some CAs want to avoid revocation for mistakes they make, because it annoys their customers and (rightfully) harms their reputation, but want to promote revocation for areas where it advantages them (e.g. revoking certs for a customer if that customer gets any cert from another CA, or if the customer fails to pay additional balloon fees based on volume, or monthly “rentals”, etc).

If the goal of revocation is to protect users, particularly in scenarios where the site operator is actively interested and supportive of that, such as key compromise, while discouraging abuse by others, such as CAs, doesn’t it make sense to have the user agent be the means of accomplishing that? Equally, when considering government compulsion for revocation, which may not respect the rule of law or the rights of site operators, doesn’t it make sense for the user agent to be able to both advocate for and defend the rights of server operators, such as ensuring such demands are legitimate and respect the rights of users and site operators? Similarly too, what about the risk of (other) root stores using contractual obligations to compel revocation by CAs in their program, which has a knock-on effect of effectively propagating that policy to all (other) root stores?

Concretely, one way to accomplish this would be that, rather than defining the set of reasons that a CA may use, and trying to filter or special case that, what if the user agent provided a means (e.g. through some integration with, or system maintained similarly to, CCADB), which would allow for site operators to request revocation be propagated through to browsers, with the logic being that the browser first checks if the CA has done the revocation. Effectively, a two-phase commit system to allow both the CA, and the UA, to validate the legitimacy of the revocation request.

There are undoubtably shortcomings here as well - for example, if a third-party demonstrated key compromise to the CA, the site operator may not be interested in having revocation propagated, so it’s by no means a fully fleshed out proposal, although one can easily imagine possible solutions, like the CA delivering that proof to this hypothetical system. But for the scenarios of CA-forced revocation, or things like “someone sent a government-like looking letter for which the CA has no time, skill, or interest in actually validating”, this would allow the user agent to act on their behalf.

Conceptually, just as CT functions as a form of counter-signing, in which CAs aren’t trusted to issue certificates unless they have been witnessed by public logs, thus legitimizing the issuance, this functions as a form of counter-signing for revocation. Unlike past (somewhat misguided) proposals for “revocation transparency”, which largely seek to simply make a commitment to revocation without being able to distinguish, or validate, the decision making, this tries to add a counter-party (or counter-parties) to make sure the revocation itself is legitimate and aligned with the needs and goals for the UA.

This is, however, further separate from the question of soft-fail vs hard-fail for revocation. I realize during the earlier discussion of revocation, as it applies to Mozilla, the technical role of revocation as it works for Web technologies was explicitly excluded, and I do want to respect that. However, I do believe that a meaningful discussion of soft-fail vs hard-fail, for any reason (including key compromise), would necessarily have to include that, since it may be another area of philosophical differences that are key to understanding the present situation.


I appreciate this philosophical discussion, and we (Mozilla) have considered this and alternative solutions.

It would be reasonable to extend the CCADB to provide a mechanism for website operators to specify when they would like browsers to hard-fail for revocations of certificates that they own. However, that in itself would not solve all of the concerns. For example, the website operator may be negligent about their certificate or may not even be aware that their certificate has been compromised.
Therefore, a two-pronged approach will most likely be needed long term:
1) Specify the rules for CAs to follow when using certain revocation reasons such as keyCompromise. (This is something that we can tackle now.)
and
2) Provide a way for website operators to indicate when their cert's revocations should be hard-fail. CCADB is a reasonable backend for this type of service. (Others may be able to implement this before I will be able to get resources to implement it.)

Thanks,
Kathleen

Kathleen Wilson

unread,
Jan 4, 2022, 6:12:34 PM1/4/22
to dev-secur...@mozilla.org
All,

I have updated the draft policy to get it ready for incorporation into Mozilla's Root Store Policy, and to address comments that people provided in the document. I will greatly appreciate it if you will carefully re-review the document and provide feedback on it.

Additionally, I would like to begin discussing what sort of policy should be added in regards to making the revocation reasons available to certificate subscribers by the CA’s tools and documentation. Here's a rough draft to get this discussion started:
~~
The CA's subscriber agreement for SSL end-entity certificates MUST inform certificate subscribers about the following revocation reason options and provide explanation about when to choose each option. Tools that the CA provides to the certificate subscriber MUST allow for these options to be easily specified when the certificate subscriber requests revocation of their certificate, with the default value being that no revocation reason is provided.
- keyCompromise
- superseded
- cessationOfOperation
- privilegeWithdrawn
~~

Thanks,
Kathleen

Corey Bonnell

unread,
Jan 5, 2022, 12:31:07 PM1/5/22
to Kathleen Wilson, dev-secur...@mozilla.org

Hi Kathleen,

 

I have a question regarding the following language:

 

When a CRL entry is for an end-entity SSL certificate and the CRLReason code is one of the following as described below, then the reasonCode extension MUST be provided. When the CRLReason code is not one of the following, then the reasonCode extension MUST NOT be provided.”

 

Is the intention that historic revocations (i.e., revocation entries that first appeared on a CRL prior to the policy effective date) must be reviewed and updated, or is this requirement applicable only to those revocations performed after the new policy becomes effective? It would be good to have clarity here, as there was confusion when Microsoft announced their requirement for CA revocations to have a reason code in ARLs and it was unclear whether it was applicable to historic revocations or only to new revocations moving forward.

 

Thanks,

Corey

 

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Kathleen Wilson
Sent: Tuesday, January 4, 2022 6:13 PM
To: dev-secur...@mozilla.org
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

All,

--

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Kathleen Wilson

unread,
Jan 5, 2022, 12:59:23 PM1/5/22
to dev-secur...@mozilla.org, corey....@digicert.com, Kathleen Wilson

Is the intention that historic revocations (i.e., revocation entries that first appeared on a CRL prior to the policy effective date) must be reviewed and updated, or is this requirement applicable only to those revocations performed after the new policy becomes effective?

I have added a new first paragraph to the draft policy, which says:

"This section applies to revocations that are performed after <effective date TBD>. Revocation entries that appeared on a CRL prior to <effective date TBD> do NOT need to be changed as a result of this section."

Thanks,
Kathleen


 

Kathleen Wilson

unread,
Jan 5, 2022, 1:04:33 PM1/5/22
to dev-secur...@mozilla.org
I also added the new paragraph about subscriber agreement and tools directly to the draft policy.
(3rd paragraph, currently highlighted)

Thanks,
Kathleen

Kathleen Wilson

unread,
Jan 18, 2022, 7:16:54 PM1/18/22
to dev-secur...@mozilla.org
All,

I have made 4 additional changes (highlighted in green) to the draft policy, that I will appreciate your feedback on.

1) Proposed effective date of September 1, 2022.

2) Updated the first sentence of the second paragraph to make it more clear:
"When an end-entity TLS certificate is revoked for one of the reasons below, the specified CRLReason MUST be included in the reasonCode extension of the CRL entry corresponding to the end-entity TLS certificate."

3) Moved the following bullet point from the keyCompromise section to the privilegeWithdrawn section:
 - the certificate subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;

4) Added text to a bullet point in the keyCompromise section in order to ensure that the certificate subscriber can only declare keyCompromise for certificates for which they control the private key.
- the certificate subscriber provides proof of control over the private key and requests that the CA revoke the certificate for this reason code;

Thanks,
Kathleen


Kathleen Wilson

unread,
Jan 18, 2022, 7:18:42 PM1/18/22
to dev-secur...@mozilla.org
Reminder: The draft policy about revocation reason codes for TLS end-entity certificates is here:

Watson Ladd

unread,
Jan 18, 2022, 8:56:21 PM1/18/22
to Kathleen Wilson, dev-secur...@mozilla.org


On Tue, Jan 18, 2022, 7:16 PM Kathleen Wilson <kwi...@mozilla.com> wrote:

4) Added text to a bullet point in the keyCompromise section in order to ensure that the certificate subscriber can only declare keyCompromise for certificates for which they control the private key.
- the certificate subscriber provides proof of control over the private key and requests that the CA revoke the certificate for this reason code;

Suppose that the subscriber suffers a ransomware attack, decides that it is better policy to say we never pay the dane geld, and this loses access to the private key and knows that the key was compromised.

This arguably could fall under the first possible bullet but if so I have trouble understanding why we need the fourth bullet. Isn't the subscriber's statement proof of compromise?

Sincerely,
Watson

Brown, Wendy (10421)

unread,
Jan 20, 2022, 7:48:38 AM1/20/22
to dev-secur...@mozilla.org

Kathleen –

I’m sorry if I missed an earlier  explanation about why this is important, but could you explain why the emphasis on different reason codes for revocation and the requirement to not include a reason code if the revocation doesn’t fall into one of the stated reasons.

 

Are you trying to get CAs to eventually use CRLs segmented by the different reason codes? Do you expect RP applications to treat certificate validation differently based on the reason code?  Do you expect RP applications to potentially make the reason code available to end user so they can choose to continue trusting a revoked certificate if they don’t care about the reason?  Is it just for trust store programs to gather statistics about why certificates get revoked?

 

I would expect the RP application to treat all revoked certificates the same regardless of the reason for the revocation, so I don’t fully understand why this new policy is being developed.

 

Thanks,

   wendy

 

NOTICE: Protiviti is a global consulting and internal audit firm composed of experts specializing in risk and advisory services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any views, opinions or conclusions expressed in this message are those of the individual sender and do not necessarily reflect the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, printing, copying, retention, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you.

Kathleen Wilson

unread,
Jan 20, 2022, 5:46:49 PM1/20/22
to dev-secur...@mozilla.org, wendy...@protiviti.com
On Thursday, January 20, 2022 at 4:48:38 AM UTC-8 wendy...@protiviti.com wrote:

Kathleen –

I’m sorry if I missed an earlier  explanation about why this is important, but could you explain why the emphasis on different reason codes for revocation and the requirement to not include a reason code if the revocation doesn’t fall into one of the stated reasons.


Please see:
Assuming that most website operators correctly protect the private keys for their TLS certificates for the duration of the time that they own the domain name, limiting the TLS certificate validity period and validation of domain names to one year reduces the risk of potential exposure of the private key of each TLS certificate that is revoked, replaced, or no longer needed by the original certificate subscriber. However, we still need to take into account situations in which the private key of a TLS certificate is obtained by an attacker or otherwise compromised. This can happen at any time during the certificate’s validity period if the website’s servers become compromised.
 

 

Are you trying to get CAs to eventually use CRLs segmented by the different reason codes?


That's not my intention, but that is an interesting idea.
 

Do you expect RP applications to treat certificate validation differently based on the reason code? 


I do not have expectations for other RPs, but RPs may want to treat certificate validation differently based on reason code. For example, an RP may choose to enforce all revocations for which a reason code is provided, and not enforce revocations for which a reason code is not provided. Or an RP may choose to hard-fail on keyCompromise, but allow the user to click-through the error message and proceed to the website for other revocation reasons.
 

Do you expect RP applications to potentially make the reason code available to end user so they can choose to continue trusting a revoked certificate if they don’t care about the reason? 


I do not have expectations for other RPs. I am not aware of any current plans for Firefox to do that.

 

Is it just for trust store programs to gather statistics about why certificates get revoked?


That's not my intention. My intention is to protect end users, but there are challenges for browsers to enforce revocation of end-entity TLS certificates.

 

 

I would expect the RP application to treat all revoked certificates the same regardless of the reason for the revocation, so I don’t fully understand why this new policy is being developed.



Browsers cannot hard-fail when they are dependent on OCSP or CRL endpoints that are subject to service outages and network errors. So they need to pre-package the data about revoked certificates to distribute to their clients. However, end-entity TLS CRL data is huge, which is why Mozilla has been working on an implementation of CRLite that uses complex algorithms to compress revocation data from more than 300 megabytes to on the order of 1 megabyte. However, there are drawbacks to this, so we are in parallel working towards reducing the amount of revocation data that needs to be stored and distributed to clients -- by identifying the revocation reason codes that really need to be enforced by browsers, and putting policy into place so that those reason codes only get used when they are supposed to be used (e.g. currently there is nothing to prevent a CA from using the keyCompromise revocation reason for all of their revocations). Assuming that most website operators correctly protect the private keys for their TLS certificates for the duration of the time that they own the domain name, then revocations for keyCompromise are the most urgent to enforce.

Thanks,
Kathleen

Kathleen Wilson

unread,
Jan 20, 2022, 6:11:26 PM1/20/22
to dev-secur...@mozilla.org, watso...@gmail.com, dev-secur...@mozilla.org, Kathleen Wilson
This is a good question.

""
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:

bullet point #1) the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;

bullet point #5) the certificate subscriber provides proof of control over the private key and requests that the CA revoke the certificate for this reason code; 
""

Is bullet point #5 sufficiently covered in bullet point #1?

Or is bullet point #5 needed in addition to bullet point #1?

I will appreciate opinions on this.

Thanks,
Kathleen


 

Seo Suchan

unread,
Jan 20, 2022, 6:16:09 PM1/20/22
to dev-secur...@mozilla.org

not sure it's safe to let one revoke with reason key compromise without control of key: IIRC wasn't it ruled that CA doesn't need to verify subscriber controls private key it requests for TLS cert? (https://groups.google.com/g/mozilla.dev.security.policy/c/x_DeTDKBwWI/m/ogSKLpx8CgAJ)

22. 1. 21. 08:11에 Kathleen Wilson 이(가) 쓴 글:
--
You received this message because you are subscribed to a topic in the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this topic, visit https://groups.google.com/a/mozilla.org/d/topic/dev-security-policy/RVFnJJRuUag/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ed11d7d4-7368-468d-93b3-f0733cea8711n%40mozilla.org.

Ryan Sleevi

unread,
Jan 20, 2022, 8:20:29 PM1/20/22
to Kathleen Wilson, dev-secur...@mozilla.org, watso...@gmail.com
Hi Kathleen,

I think the question is whether you want to allow subscribers to request revocation for keyCompromise even if they're not able to provide evidence. I think to Watson's point, what happens if someone compromises a server, but then also deletes the key? If that was the only copy the server operator had - which is a desirable situation - then they wouldn't be able to demonstrate the compromise under #5. However, it's a question of whether or not the evidence the Subscriber provides to the CA is sufficient to demonstrate #1.

I would suggest these are different use cases: Bullet #1 is trying to handle external parties (not the Subscriber) flagging risks that the Subscriber may not wish to have public, but which is relevant to end users. Bullet #5, on the other hand, seems like it restricts the capabilities of the Subscriber - by putting them through more work, which they may not be able to accomplish?

If the goal is to ensure that key compromise is only used if:
A) The Subscriber wants it (i.e. not by the CA as part of a contract dispute or part of some other policy or business practice detrimental to end users)
B) The key was compromised (even if the Subscriber doesn't want it revoked)

then it seems like changing bullet #5 to simply being that the Subscriber requests the revocation with keyCompromise should be sufficient?

If the concern is that the Subscriber may maliciously request a cert be revoked for keyCompromise, e.g. to spam/flood systems like OneCRL, they could do the same by posting the private keys. So it seems fine to just let the customer self-declare, while understandably restricting the CA's the ability to unilaterally declare unless they've met the burden of proof/evidence. This keeps Subscribers in control, while balancing the needs of end users.

This also raises a separate question - why is bullet #6 (domain validation change) part of keyCompromise and not part of privilegeWithdrawn (which includes improper domain validation)

Ryan Sleevi

unread,
Jan 21, 2022, 3:01:50 PM1/21/22
to Ryan Sleevi, Kathleen Wilson, dev-secur...@mozilla.org, watso...@gmail.com
On Thu, Jan 20, 2022 at 8:19 PM Ryan Sleevi <ry...@sleevi.com> wrote:
If the goal is to ensure that key compromise is only used if:
A) The Subscriber wants it (i.e. not by the CA as part of a contract dispute or part of some other policy or business practice detrimental to end users)
B) The key was compromised (even if the Subscriber doesn't want it revoked)

then it seems like changing bullet #5 to simply being that the Subscriber requests the revocation with keyCompromise should be sufficient?

One thing that was pointed out to me off-list is the fact that TLS issuance doesn't require a demonstration of key control to go from Applicant -> Subscriber (e.g. CSR validation is not required). That's because for TLS, we're obtaining evidence that the domain holder _authorized_ the key, not necessarily that the domain holder _holds_ the key. Yes, I'm aware, there are plenty of debates to be had about this point, but at least this reflects the long-standing practices, expectations, and assurances, so hopefully we can agree that it's at least how the system works today.

Thus, under today's scenario, this introduces an interesting possibility.
  • Alice creates a CSR for good.example, using Key 1
  • Alice applies at CA Foo with their CSR, becoming an Applicant. After demonstrating control over good.example, Alice becomes a Subscriber
  • The CSR for Alice is by no means a secret, or toxic, asset - it's merely a statement of the request. Alice happens to leave their CSRs on GitHub, because why not?
  • Eve is up to no good, and wants to start making trouble in the neighborhood. Eve obtains a copy of Alice's CSR, and applies to CA Foo, but this time, for evil.example
  • Because the CA does not check / use the attributes from the CSR, but instead uses their (API || Web Form), the CSR is not really bound to any request. After all, it's not a proof of possession instrument, just a way of conveying an authorized key.
  • Eve is able to complete any necessary challenges for evil.example, authorizing Key 1 to be used with Eve's domain.
    • Yes, this means Alice "could" MITM Eve, but recall, Eve is up to shenanananigans
  • Eve, as Subscriber, requests that CA Foo revoke evil.example{Key 1} for Key Compromise
  • CA Foo, on receiving the request, revokes the certificate for evil.example.
  • CA Foo then examines their systems, and sees that Key 1 is also used by Alice's good.example certificate - and revokes that as well
  • Eve has now managed to deny service to Alice, by using the policy for abuse
The proposed language from Kathleen in the present form is basically performing a proof of key possession at revocation request time, since it's not guaranteed to have been performed at issuance time.

Watson's observation, and my critique, was that at the time revocation is needed, this may not be possible, and that just raises barriers for Subscribers at that point.

I think it's fair to observe that, in order to have the cascading effect, there's a good argument for wanting to have some proof of possession of the key being held, at some point, in order to do such a cascading revocation. Whether that's at issuance time (e.g. the CA uses the CSR or, like some CAs, ACME, to do a PoP/authorization check), or at revocation time (as the policy current proposes), there are only a few mitigations for Eve's abuse.

An alternative approach would be to scope the degree of cascade for a key compromise revocation - where Eve's certificate is revoked (based on Eve's self-attestation), but Alice's is left unharmed unless/until Eve, or any other party, can actually demonstrate the proof of compromise. This scopes the harm, but does open up interesting subtleties around ensuring that CAs are actually performing the correct cascades.

Those are the four mitigations I could figure out, namely:
  • Check POP at issuance time
  • Check POP at revocation time
  • Scope keyCompromise revocations without POPs to the requesting Subscriber
  • Use a separate POP for keyCompromise revocation (e.g. account key / revocation keys, as with ACME)
But perhaps there are more worth considering that I've overlooked?

The current language adopts the "at revocation time", but I'd be worried that sets up the "surprise tax" that when it's time for revocation, you don't realize you can no longer do the thing you should have done sooner. Based on CA delayed revocations due to subscriber surprises, I'd be worried about exacerbating the server-operator-surprise factor, and so "it'd be nice" to have it done at issuance time. But that's also a rather significant ecosystem change to accomplish, because it involves not just CAs, but every Applicant making a change, and potentially changes to issuance protocols/practices, and it's a fairly extensive "tax" on productivity if the only benefit/need is for revocation.

Kathleen Wilson

unread,
Jan 26, 2022, 7:19:19 PM1/26/22
to dev-secur...@mozilla.org
Thank you Ryan, for clearly articulating the concern.

I have updated the draft policy document to the following -- changes are in italics below, and highlighted in green in the document.
==

keyCompromise (1)

The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:

  • the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;

  • the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;

  • there is clear evidence that the specific method used to generate the private key was flawed;

  • the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or

  • the certificate subscriber, who has provided proof of possession of the private key**, requests that the CA revoke the certificate for this reason.


** If the certificate subscriber has not previously provided and can no longer provide proof of possession of the private key, they may still request revocation due to keyCompromise, and that revocation SHOULD be limited in scope to only the certificate issued to that certificate subscriber, even if the key in the CSR is used by other certificates.


The CRLReason keyCompromise (1) MAY be used when the CA obtains verifiable evidence that the certificate was issued to a subscriber who does not own or control all of the domain names listed in the certificate. For example;

  • the certificate subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization; or

  • the CA obtains reasonable evidence that the validation of domain authorization or control for any fully‐qualified domain name or IP address in the certificate should not be relied upon.


Otherwise this CRLReason MUST NOT be used.

==

I am having difficulty with this part and will continue to appreciate suggestions on how to improve this.

Thanks,
Kathleen



Dimitris Zacharopoulos

unread,
Jan 27, 2022, 10:34:26 AM1/27/22
to dev-secur...@mozilla.org


On 30/12/2021 12:11 π.μ., Kathleen Wilson wrote:
2) Per the feedback from Wendy (here) I replaced "affiliationChanged (3)" with "cessationOfOperation (5)" in the proposed text, because despite the previously referenced document about revocation reasons, I agree with Wendy that cessationOfOperation makes more sense in regards to a TLS certificate no longer being needed because the website it was used in has been taken down or the certificate subscriber no longer owns the domain name(s) in the certificate. Whereas affiliationChanged seems to be about how a person is associated with an organization.

I am not so sure that "affiliationChanged (3)" is not applicable for TLS certificates. According to the X.509 section 9.5.3.1 language:
  • affiliationChanged indicates that the subject's name or other information in the public-key certificate has been modified but there is no cause to suspect that the private key has been compromised.
  • superseded indicates that the public-key certificate has been superseded but there is no cause to suspect that the private key has been compromised.

So, if a company is changing name and there are OV/EV Certificates with the official legal name included, these certificates need to be changed and include the new legal name. In that case, affiliationChanged makes sense to me.

If the current proposal is adopted, because of "If the certificate is revoked for a reason not listed below, then the reasonCode extension MUST NOT be provided in the CRL.", many CAs using the affiliationChanged reason in their practices will be out of compliance.

Dimitris.

Kathleen Wilson

unread,
Jan 27, 2022, 6:49:49 PM1/27/22
to dev-secur...@mozilla.org
It seems reasonable to allow for affiliationChanged (3) as Dimitris explained, so I have added the following description which is highlighted in blue in the document. I will appreciate feedback on this.
==

affiliationChanged (3)

The CRLReason affiliationChanged (3) MUST be used when the certificate subscriber has requested that their certificate be revoked for this reason, or the CA has replaced the certificate due to changes in the certificate’s public-key and the CA has not replaced the certificate for the other reasons: keyCompromise (1), superseded (4), cessationOfOperation (5), and privilegeWithdrawn (9). Otherwise this CRLReason MUST NOT be used. The CRLReason affiliationChanged (3) is intended to be used to indicate that the subject's name or other information in the public-key certificate has been modified but there is no cause to suspect that the private key has been compromised.

==

Thanks,

Kathleen



Alex Cohn

unread,
Jan 27, 2022, 8:52:38 PM1/27/22
to Kathleen Wilson, dev-secur...@mozilla.org
On Wed, Jan 26, 2022 at 6:19 PM Kathleen Wilson <kwi...@mozilla.com> wrote:

The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:

  • the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;

  • the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;

  • there is clear evidence that the specific method used to generate the private key was flawed;

  • the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or

  • the certificate subscriber, who has provided proof of possession of the private key**, requests that the CA revoke the certificate for this reason.

Maybe I'm misreading this, but adding the requirement to prove possession of the private key seems to me to make the last line entirely redundant: providing proof of possession of a certificate's private key, combined with a request for revocation for key compromise, would seem to me to qualify as "verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise."

Alex

Ryan Sleevi

unread,
Jan 28, 2022, 8:09:08 AM1/28/22
to Alex Cohn, Kathleen Wilson, dev-secur...@mozilla.org
On Thu, Jan 27, 2022 at 8:52 PM 'Alex Cohn' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

  • the certificate subscriber, who has provided proof of possession of the private key**, requests that the CA revoke the certificate for this reason.

Maybe I'm misreading this, but adding the requirement to prove possession of the private key seems to me to make the last line entirely redundant: providing proof of possession of a certificate's private key, combined with a request for revocation for key compromise, would seem to me to qualify as "verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise."

I think the current language was trying to capture what I raised in my previous reply: that the proof of possession wouldn’t necessarily accompany the request for revocation, but may have been completed previously (e.g. during issuance, via a CSR)

Doug Beattie

unread,
Jan 28, 2022, 9:46:55 AM1/28/22
to ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org

Hi Ryan and Kathleen

 

I read Ryan’s email (below) and also the Mozilla draft policy located here

https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit#heading=h.nyvo79h06g28

 

and I think there is an inconsistency being introduced in this latest Mozilla policy draft statement:

 

** If the certificate subscriber has not previously provided and can no longer provide proof of possession of the private key, they may still request revocation due to keyCompromise, and that revocation SHOULD be limited in scope to only the certificate issued to that certificate subscriber, even if the key in the CSR is used by other certificates.

 

The Mozilla policy permits revocation for key compromise even if the applicant has not and cannot demonstrate proof of possession, but Ryan’s comments requires proof of possession (when requesting or when revoking).

 

Do we need to tighten up the Mozilla policy to align with the requirement to demonstrate proof of possession?

 

Doug

 

 

 

 

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ryan Sleevi
Sent: Friday, January 21, 2022 3:02 PM
To: Ryan Sleevi <ry...@sleevi.com>
Cc: Kathleen Wilson <kwi...@mozilla.com>; dev-secur...@mozilla.org; watso...@gmail.com <watso...@gmail.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

 

 

On Thu, Jan 20, 2022 at 8:19 PM Ryan Sleevi <ry...@sleevi.com> wrote:

--

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Ryan Sleevi

unread,
Jan 28, 2022, 12:10:33 PM1/28/22
to Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org, ry...@sleevi.com
Hi Doug,

I wasn’t trying to require POP, just limiting the the capabilities without POP. I definitely believe subscribers should be able to request for their certificates without any POP.

Doug Beattie

unread,
Jan 28, 2022, 12:29:59 PM1/28/22
to ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org

Hi Ryan,

 

Is that true for revocation reason code of Key Compromise also?  The snip from the Mozilla policy below is within the context of revocation for key compromise unless I’m misreading the “**” link.

Ryan Sleevi

unread,
Jan 28, 2022, 3:52:59 PM1/28/22
to Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org, ry...@sleevi.com
Hi Doug,

I’m not sure I follow your question? There’s a discussion of key compromise, and the “**” describes what to do for customers who haven’t proved possession.

Maybe I’m not understanding your concern correctly?

That is, I read the proposed policy as fully consistent with my recommendations, but it sounds like you see there being a disconnect. It might be that my recommendation wasn’t clear, and you think I was advocating to always require a POP, but I think, based on your message, that we’re in agreement that Mozilla Policy doesn’t exclusively require a POP?

Basically:
- No POP: SHOULD limit to only that Subscriber, to reduce knock-on effects of malicious key authorization (Eve causing Alice to get revoked)
- Any POP for that Subscriber, or by 3P (past or present): MUST revoke for all instances of that key across all subscribers (Alice causing Bob and Carol to get revoked)

Kathleen Wilson

unread,
Feb 1, 2022, 1:04:14 PM2/1/22
to dev-secur...@mozilla.org, Ryan Sleevi, Doug Beattie
I have re-written the bright green text in the draft policy to separate out the scope of revocation from the requirement to use the keyCompromise reason.

So the proposed text is as follows:
==
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in - the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber requests that the CA revoke the certificate for this reason.

The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If the certificate subscriber has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- Otherwise, the CA SHOULD limit revocation to only the instance of that key that the certificate subscriber had submitted the Certificate Signing Request (CSR) for.
==

I will continue to appreciate your feedback on this, and especially your input on how to make this more accurate.

Thanks,
Kathleen


Doug Beattie

unread,
Feb 1, 2022, 3:22:04 PM2/1/22
to Kathleen Wilson, dev-secur...@mozilla.org, Ryan Sleevi

Hi Kathleen,

 

I still have a hard time with 2 types of key compromise processing. It seems like if the key is compromised it should always be processed the same way.  Would you consider moving this bullet to a different reason code?

- Otherwise, the CA SHOULD limit revocation to only the instance of that key that the certificate subscriber had submitted the Certificate Signing Request (CSR) for

 

Basically this last bullet

  • the certificate subscriber requests that the CA revoke the certificate for this reason.

could read:

  • the certificate subscriber requests that the CA revoke the certificate for this reason with proof of possession demonstrated at cert issuance time or at the time of the revocation request..

 

Doug

 

 

From: Kathleen Wilson <kwi...@mozilla.com>
Sent: Tuesday, February 1, 2022 1:04 PM
To: dev-secur...@mozilla.org
Cc: Ryan Sleevi <ry...@sleevi.com>; Doug Beattie <doug.b...@globalsign.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

I have re-written the bright green text in the draft policy to separate out the scope of revocation from the requirement to use the keyCompromise reason.

Ryan Sleevi

unread,
Feb 1, 2022, 5:12:30 PM2/1/22
to Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org, Ryan Sleevi
On Tue, Feb 1, 2022 at 3:22 PM Doug Beattie <doug.b...@globalsign.com> wrote:

Hi Kathleen,

 

I still have a hard time with 2 types of key compromise processing. It seems like if the key is compromised it should always be processed the same way.  Would you consider moving this bullet to a different reason code?

- Otherwise, the CA SHOULD limit revocation to only the instance of that key that the certificate subscriber had submitted the Certificate Signing Request (CSR) for

 

Basically this last bullet

  • the certificate subscriber requests that the CA revoke the certificate for this reason.

could read:

  • the certificate subscriber requests that the CA revoke the certificate for this reason with proof of possession demonstrated at cert issuance time or at the time of the revocation request..
Doug,

That significantly changes the meaning here, and that's what Watson and I were raising concerns about. I'm not sure if you're disagreeing with those concerns, which is fine, or if there's perhaps a misunderstanding that can be clarified with improved text.

Do you think the following proposal would be clearer?

==
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in - the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber requests that the CA revoke the certificate for this reason.

The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If the certificate subscriber requests that the CA revoke the certificate for this reason, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD limit revocation to only certificates that are associated with that Subscriber and which contain that public key.
- For all other reasons, including previous or current proof of possession, the CA MUST revoke all instances of the key, across all certificates for all subscribers.
==

TL;DR: If you can't prove the key, and haven't proved the key, you CAN request for keyCompromise, but only for your certs. If you have proved the key possession, or _anyone else_ proves the key is compromised (all the previous bullets), it affects all certificates, for all subscribers.

Kathleen Wilson

unread,
Feb 1, 2022, 6:04:56 PM2/1/22
to dev-secur...@mozilla.org, Ryan Sleevi, Doug Beattie
OK, how about the following text?
==
The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD limit revocation to only certificates that are associated with that subscriber and which contain that public key.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
==

Thanks for your patience on this -- it's a tricky one for me.

Kathleen


Dimitris Zacharopoulos

unread,
Feb 2, 2022, 1:24:03 AM2/2/22
to dev-secur...@mozilla.org
I believe the phrase "previously demonstrated" may be misinterpreted to mean the initial CSR submission, as Wilson and Ryan described.

There needs to be some sort of "fresh" or new demonstration of controlling the compromised key so that other Subscribers can be safe from the DoS scenario. Hope this sounds reasonable.


Dimitris.

Doug Beattie

unread,
Feb 2, 2022, 7:25:27 AM2/2/22
to Kathleen Wilson, dev-secur...@mozilla.org, Ryan Sleevi

Hi Ryan and Kathleen

 

What’s being proposed are 2 different sets of CA actions upon receipt of a relocation request for key compromise:

 

  1. If PoP was demonstrated, then the CA must revoke all certificates with that key
  2. If PoP was not demonstrated, then revoke just that one certificate (so one subscriber can’t cause DoS to another one )

 

In both cases, section 6.1.1.3 of the BRs applies, and specifically item 4:

The CA SHALL reject a certificate request if one or more of the following conditions are met:

4. The CA has previously been made aware that the Applicant’s Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1.1;

 

Will the CA block further issuance when the request for revocation does not include PoP which could DoS them for renewal using the same key pair?   To me, if the subscriber can’t provide PoP of the private key the unspecified reason code would be more accurate.  What’s the value to the subscriber, CA and ecosystem to treat that case as key compromise vs. unspecified?

 

I’m probably just not understanding the background and value for the second rule around processing requests for revocation with key compromise without PoP.

 

Doug

 

 

From: Kathleen Wilson <kwi...@mozilla.com>
Sent: Tuesday, February 1, 2022 6:05 PM
To: dev-secur...@mozilla.org
Cc: Ryan Sleevi <ry...@sleevi.com>; Doug Beattie <doug.b...@globalsign.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

OK, how about the following text?

Jesper Kristensen

unread,
Feb 2, 2022, 11:41:07 AM2/2/22
to dev-secur...@mozilla.org, Kathleen Wilson
It seems that some of the criteria in the draft policy are subjective to some degree. At the same time the policy leaves zero margin for error (If X then you MUST use this code, otherwise you MUST NOT). The combination of these two seems to ensure that mistakes will happen, and we will see a continuous stream of incident reports where a CA and a community member disagrees about a subjective aspect of these criteria. Could the policy be updated to give the CA freedom to choose in gray areas?

There have already been several posts in this thread discussing if a CSR can be considered proof of possession of a private key. I don't think a CSR is secret and therefore cannot automatically be considered proof of possession, and I think the policy should state that explicitly.

The policy says revocations before the effective date does not need to be changed. What about revocations after the effective date? What if a certificate was revoked as superseded and later the CA receives evidence of key compromise? Must the reason code then be changed?


--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/24a3a885-dfd3-45f1-a5aa-9928c89fe6c1n%40mozilla.org.

Doug Beattie

unread,
Feb 2, 2022, 12:02:45 PM2/2/22
to Jesper Kristensen, dev-secur...@mozilla.org, Kathleen Wilson

Hi Jesper,

 

Here’s my opinion on your 3 questions below, marked with “Doug:”

 

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Jesper Kristensen
Sent: Wednesday, February 2, 2022 11:41 AM
To: dev-secur...@mozilla.org
Cc: Kathleen Wilson <kwi...@mozilla.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

You don't often get email from jespe...@gmail.com. Learn why this is important

It seems that some of the criteria in the draft policy are subjective to some degree. At the same time the policy leaves zero margin for error (If X then you MUST use this code, otherwise you MUST NOT). The combination of these two seems to ensure that mistakes will happen, and we will see a continuous stream of incident reports where a CA and a community member disagrees about a subjective aspect of these criteria. Could the policy be updated to give the CA freedom to choose in gray areas?

 

Doug: I don’t have an opinion on that one because I don’t tally understand which subjective statement you’re referring to.

 

 

There have already been several posts in this thread discussing if a CSR can be considered proof of possession of a private key. I don't think a CSR is secret and therefore cannot automatically be considered proof of possession, and I think the policy should state that explicitly.

 

Doug: If the CSR contains all SAN values in the issued certificate (and the certificate has the same public key as that CSR), then that binds the key to the domains and I believe this is sufficient POP.  If this is not the case when the CSR is provided prior to issuance, a CA could ask the subscriber for a new CSR with all of the SANs (and same public key) as PoP during a request for revocation.  I’d be interested to know if others agree with this.

 

 

 

The policy says revocations before the effective date does not need to be changed. What about revocations after the effective date? What if a certificate was revoked as superseded and later the CA receives evidence of key compromise? Must the reason code then be changed?

 

Doug: It’s my understanding that once a certificate is revoked and put on a CRL, you can never change the reason code..

 

 

 

Den tir. 1. feb. 2022 kl. 19.04 skrev Kathleen Wilson <kwi...@mozilla.com>:

I have re-written the bright green text in the draft policy to separate out the scope of revocation from the requirement to use the keyCompromise reason.

 

So the proposed text is as follows:

==

The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in - the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber requests that the CA revoke the certificate for this reason.


The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If the certificate subscriber has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- Otherwise, the CA SHOULD limit revocation to only the instance of that key that the certificate subscriber had submitted the Certificate Signing Request (CSR) for.

==

 

I will continue to appreciate your feedback on this, and especially your input on how to make this more accurate.

 

Thanks,

Kathleen

 

 

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/24a3a885-dfd3-45f1-a5aa-9928c89fe6c1n%40mozilla.org.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Aaron Gable

unread,
Feb 2, 2022, 1:45:24 PM2/2/22
to dev-secur...@mozilla.org, Kathleen Wilson
I appreciate the effort to balance the concerns of
1) How do we let a subscriber revoke for keyCompromise even if their key has been stolen and deleted?; and
2) How do we prevent a third party who has never held the key from revoking for keyCompromise?

I think that the currently-proposed text does a reasonably good job of striking that balance, but I fear that it is too complex. In particular, I think that the different "cascading revocation" scenarios, particularly combined with the no-future-issuance requirement raised by Doug, are complex enough that they would be likely to be implemented incorrectly.

I would propose the following slightly different attempt to strike the balance:

```
keyCompromise (1)

The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber has proved possession of their private key and requests that the CA revoke the certificate for this reason.

<the bit about "MAY be used" goes here>

Otherwise this CRLReason MUST NOT be used.
``` 

This proof of possession could happen at issuance time, at revocation time, or at any other time prior to revocation. Subscribers who want to be able to revoke for reason keyCompromise even if their key is stolen and deleted can prove possession at issuance time. CAs that want all of their subscribers to be able to do so can require proof of possession for issuance.

I believe this is essentially the same thing that Doug Beattie is proposing. I recognize that it is different from what Ryan Sleevi is proposing. Yes, this prevents someone who has never proved possession of their own key from requesting a keyCompromise revocation if they have lost their key. But it also provides an avenue for that proof of possession to have happened ahead of time, and prevents someone who has never held the key from DOSing legitimate subscribers.

Aaron

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/PUZPR03MB61291B7C47429DB6E6726857F0279%40PUZPR03MB6129.apcprd03.prod.outlook.com.

Ryan Sleevi

unread,
Feb 2, 2022, 5:27:19 PM2/2/22
to Aaron Gable, dev-secur...@mozilla.org, Kathleen Wilson
On Wed, Feb 2, 2022 at 1:45 PM 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:
I appreciate the effort to balance the concerns of
1) How do we let a subscriber revoke for keyCompromise even if their key has been stolen and deleted?; and
2) How do we prevent a third party who has never held the key from revoking for keyCompromise?

I think that the currently-proposed text does a reasonably good job of striking that balance, but I fear that it is too complex. In particular, I think that the different "cascading revocation" scenarios, particularly combined with the no-future-issuance requirement raised by Doug, are complex enough that they would be likely to be implemented incorrectly.

I would propose the following slightly different attempt to strike the balance:

```
keyCompromise (1)
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber has proved possession of their private key and requests that the CA revoke the certificate for this reason.

<the bit about "MAY be used" goes here>

Otherwise this CRLReason MUST NOT be used.
``` 

This proof of possession could happen at issuance time, at revocation time, or at any other time prior to revocation. Subscribers who want to be able to revoke for reason keyCompromise even if their key is stolen and deleted can prove possession at issuance time. CAs that want all of their subscribers to be able to do so can require proof of possession for issuance.

I believe this is essentially the same thing that Doug Beattie is proposing. I recognize that it is different from what Ryan Sleevi is proposing. Yes, this prevents someone who has never proved possession of their own key from requesting a keyCompromise revocation if they have lost their key. But it also provides an avenue for that proof of possession to have happened ahead of time, and prevents someone who has never held the key from DOSing legitimate subscribers.

Yes, I appreciate the attempt to strike a balance here, but I'm not sure whose interests it's balancing versus the harm?

That is, the proposal here, which similar to Doug, basically forbids Subscribers from requesting revocation for keyCompromise unless they did something in the past, or do extra work now. Why is that good? Why is that necessary to shift the complexity to billions of Subscribers, versus trying to find a clearer way for CAs?

That's perhaps why I find it somewhat unsatisfying - we're saying to Subscribers "You should have known better", rather than trying to make sure their wishes are respected, and users are protected.

Am I overlooking part of the balancing equation? Is it just, as Jesper highlighted, that we're worried that CAs won't understand their obligations? 

Ryan Sleevi

unread,
Feb 2, 2022, 5:35:20 PM2/2/22
to Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org, Ryan Sleevi
On Wed, Feb 2, 2022 at 7:25 AM Doug Beattie <doug.b...@globalsign.com> wrote:

Will the CA block further issuance when the request for revocation does not include PoP which could DoS them for renewal using the same key pair?   To me, if the subscriber can’t provide PoP of the private key the unspecified reason code would be more accurate.  What’s the value to the subscriber, CA and ecosystem to treat that case as key compromise vs. unspecified?

 

I’m probably just not understanding the background and value for the second rule around processing requests for revocation with key compromise without PoP.


As hopefully my reply to Aaron captured a little, it's about where the burden rests.

Today, for most TLS issuance, no POP is required. That's because TLS itself doesn't need a POP, because it's an online protocol - the POP is delivered in-band, and it's not an identity-attestation system based on a directory (e.g. compared to S/MIME, where a sender needs to look up your public key ahead of time to encrypt something to you)

So the functional change of requiring the POP is that very few people, today, could request keyCompromise without doing more work. That's not ideal.
Further, however, is that for situations that are not uncommon, such as malicious deletion or ransomware, there is zero guarantee the victim would be able to prove keyCompromise at that time.

This is very similar to the discussions in the past of how many hoops a CA can place to request revocation (i.e. "You can only request revocation on the fifth Tuesday of every February under the full moon"). For Subscribers, and users, this matters.

However, an additional consideration is that keyCompromise revocations are likely more valuable than other forms of revocations, both in terms of efficient and timely delivery and in user risk. A policy that restricts when and how Subscribers can request this revocation is thus one that limits the value of that, by making it harder, which harms end users more. The more barriers placed for Subscribers, the harder it is to get this information in a timely fashion.

So, to end users, it's ideal where Subscribers can request any revocation reason that they want (... within reason), and for imposing obligations on CAs, to use particular revocation reasons when they're made aware, either internally or by externally reports. That protects users the most.

However, because there's no POP, that does offer _some_ abuse scenarios from malicious entities wishing to abuse the policies, and so some safeguards are needed. The question posed to this group is, seemingly, do we want to throw the baby out with the bathwater? Namely, should Subscribers have flexibility to (as easily as possible) request the method of their choice, or is the risk of abuse too great to trust them?

I'd like to find a solution where we can empower Subscribers as much as possible, because that can help protect Users the greatest. I think you're right that we want to figure out how to narrowly scope the abuse scenarios, so definitely, thanks for raising 6.1.1.3. We should try to find a way to best balance things, don't you agree?

Seo Suchan

unread,
Feb 2, 2022, 6:19:13 PM2/2/22
to dev-secur...@mozilla.org

I'm not really sure about weaking the meaning of keycompromise. Currently if I saw a cert revoked it by keycompomised then one can throw its public key into 'leaked keys' bin and propargate key-purging between CA by pointing other CAs revoke this certifiate with same key as compromised- like multiple smime certificates from different CAs as there is no CT and first one who revoked key may not know that second cert with same key exsit.

although right thing to do such case would be notify the original holder in first revocation and let subscriber call the key with other CA they signed or have some kind of central leaked-publickey-here repository.

sent again, to the list this time

2022-02-03 오전 7:35에 Ryan Sleevi 이(가) 쓴 글:
--
You received this message because you are subscribed to a topic in the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this topic, visit https://groups.google.com/a/mozilla.org/d/topic/dev-security-policy/RVFnJJRuUag/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHEaptK1R7PMBFNYvp6_hHcMD4FRL7C3b4OP1yK2YaJFzQ%40mail.gmail.com.

Ryan Sleevi

unread,
Feb 2, 2022, 6:42:12 PM2/2/22
to Seo Suchan, dev-secur...@mozilla.org
I don’t think you can currently do that, though, not without having the exact issue we’re discussing.

That is, TLS doesn’t require a POP, there are no rules that require CAs require a POP (and, as discussed, good reason for that), so if you see another CA has revoked a cert, you cannot safely revoke certs within your database.

There’s been some discussion about this in the past, where CAs aren’t expected to comb other CA’s CRLs, and from a “Delegated Third Party” perspective, reasonable to not do that.

So if CAs are doing it today, they’re already in a bad spot - and this would help correct it?

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/fc5dcfda-d14f-a868-364a-d96341df7563%40gmail.com.

Kathleen Wilson

unread,
Feb 2, 2022, 8:16:58 PM2/2/22
to dev-secur...@mozilla.org
All,

I have updated the bright green text in the draft policy again...
==
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;
- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber requests that the CA revoke the certificate for this reason.

The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD limit revocation to only certificates that are associated with that subscriber and which contain that public key.
==

Thanks again to all of you for your patience and continued effort to help find a reasonable balance and make this more clear.

Thanks,
Kathleen

 

Doug Beattie

unread,
Feb 3, 2022, 7:24:31 AM2/3/22
to ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org

Ryan,

 

The intent of my recommendation was not  to increase the burden or limit the ability of subscribers to revoke keys, it’s setting the proper/consistent revocation reason codes.  In Kathleen’s proposal, if you want to revoke for key compromise but can’t demonstrate pop, then you can do that, but it results in just that one cert being revoked (same as unspecified).  If the CA and CRL show revoked for key compromise (when POP is confirmed), then there are other actions to be performed (revoke other certs with the key across all subscribers, block further issuance across all subscribers).  If we’re not doing that all the time then how is the relying party to know if this was really a key compromise or not?  If we set the reason to unspecified (no reason code in CRLs) when POP is not verified everyone will have the same understanding of what key compromise means – it was confirmed to be compromised and there should not be any active certificates issued from that CA with that key (something 3rd parties will surely want to watch for)

 

You mentioned this below:

However, an additional consideration is that keyCompromise revocations are likely more valuable than other forms of revocations, both in terms of efficient and timely delivery and in user risk. A policy that restricts when and how Subscribers can request this revocation is thus one that limits the value of that, by making it harder, which harms end users more. The more barriers placed for Subscribers, the harder it is to get this information in a timely fashion.

 

Maybe this is where I’m missing an important point.  Why is the key compromise reason more valuable and why will it happen more efficiently and timely than other reasons in the case where the CA cannot validate POP?  Both can happen “immediately” and the end result is that (just) the requested certificate is revoked, so does the reason code matter?

 

If we don’t tighten up the processing of key compromise revocations, then we have 2 different paths to go down when a subscriber requests revocation for key compromise, and we provide a false sense of “security” to those that are looking at the CRL (this key is marked as key compromised, but it’s OK for it to be in other past and future certificates).   If it’s compromised, it should be confirmed to be compromised and if we can’t confirm that, then it should be revoked with another reason.

 

Doug

 

From: Ryan Sleevi <ry...@sleevi.com>
Sent: Wednesday, February 2, 2022 5:35 PM
To: Doug Beattie <doug.b...@globalsign.com>

Cc: Kathleen Wilson <kwi...@mozilla.com>; dev-secur...@mozilla.org; Ryan Sleevi <ry...@sleevi.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

 

 

On Wed, Feb 2, 2022 at 7:25 AM Doug Beattie <doug.b...@globalsign.com> wrote:

Rob Stradling

unread,
Feb 3, 2022, 8:25:24 AM2/3/22
to Seo Suchan, ry...@sleevi.com, dev-secur...@mozilla.org
Ryan wrote:
> That is, TLS doesn’t require a POP, there are no rules that require CAs require a POP (and, as discussed, good reason for that),

+1.  I think it's worth reviewing X.509's description of the keyCompromise reason code (emphasis mine):
"keyCompromise is used in revoking an end-entity certificate; it indicates that it is known or suspected
that the subject's private key, or other aspects of the subject validated in the certificate, have been
compromised;"
(this is from X.509 11/2008; I haven't paid for a newer version)

In other words, both with-POP (known) and without-POP (suspected) are intended to be in scope for the keyCompromise reason code.

so if you see another CA has revoked a cert, you cannot safely revoke certs within your database.

+1.  You can suspect that the key is compromised though, and this suspicion might lead you to add that cert's key to your key blocklist, to prevent future issuance.

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> on behalf of Ryan Sleevi <ry...@sleevi.com>
Sent: 02 February 2022 23:41
To: Seo Suchan <tjt...@gmail.com>
Cc: dev-secur...@mozilla.org <dev-secur...@mozilla.org>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Corey Bonnell

unread,
Feb 3, 2022, 8:50:37 AM2/3/22
to Doug Beattie, dev-secur...@mozilla.org, Kathleen Wilson

> Maybe this is where I’m missing an important point.  Why is the key compromise reason more valuable and why will it happen more efficiently and timely than other reasons in the case where the CA cannot validate POP?  Both can happen “immediately” and the end result is that (just) the requested certificate is revoked, so does the reason code matter?

 

I’m also very interested in learning the rationale for why keyCompromise revocations are seemingly treated as higher priority, especially if Subscribers can self-attest to such compromise without any verification by the CA. Any RP software that selectively ignores certain revocations based on Subscriber-attested reasonCode has a security flaw in that an attacker who can fraudulently issue a certificate can similarly request revocation for that certificate specifying a reasonCode that RP software doesn’t prioritize. The net result in that scenario is that the certificate lifecycle is completed, but the risk to users of such RP software is still very much present as the certificate may be treated as valid.

 

Thanks,

Corey

--

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Ryan Sleevi

unread,
Feb 3, 2022, 9:43:31 AM2/3/22
to Corey Bonnell, Doug Beattie, dev-secur...@mozilla.org, Kathleen Wilson
On Thu, Feb 3, 2022 at 8:50 AM 'Corey Bonnell' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

> Maybe this is where I’m missing an important point.  Why is the key compromise reason more valuable and why will it happen more efficiently and timely than other reasons in the case where the CA cannot validate POP?  Both can happen “immediately” and the end result is that (just) the requested certificate is revoked, so does the reason code matter?

 

I’m also very interested in learning the rationale for why keyCompromise revocations are seemingly treated as higher priority, especially if Subscribers can self-attest to such compromise without any verification by the CA. Any RP software that selectively ignores certain revocations based on Subscriber-attested reasonCode has a security flaw in that an attacker who can fraudulently issue a certificate can similarly request revocation for that certificate specifying a reasonCode that RP software doesn’t prioritize. The net result in that scenario is that the certificate lifecycle is completed, but the risk to users of such RP software is still very much present as the certificate may be treated as valid.


Corey,

Perhaps you could expand on this threat model? It sounds like your model is that rather than the attacker evading revocation, they revoke themselves, and that is somehow opening up a new vector?

I think that part of this may be resting on a certain statement "that the certificate lifecycle is completed", and I'm hoping you can expand more. The certificate lifecycle for a certificate does not necessarily end at revocation, at least in X.509, and to Doug's earlier question, you can indeed change reasons (or revocation dates) post-revocation. In the S/MIME case, for example, you can revoke a certificate with revocation date of Y, and then, upon later information, change Y to X (an earlier period), indicating that it had actually been compromised longer.

If I understand your attack, although I'm hoping you can more precisely explain it, it sounds like the assumption is that if the attacker self-immolates their cert, then it's impossible to change to keyCompromise later (e.g. as a result of the victim demonstration). Is that the implicit assumption? 

Ryan Sleevi

unread,
Feb 3, 2022, 9:52:31 AM2/3/22
to Doug Beattie, ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org
On Thu, Feb 3, 2022 at 7:24 AM Doug Beattie <doug.b...@globalsign.com> wrote:

Ryan,

 

The intent of my recommendation was not  to increase the burden or limit the ability of subscribers to revoke keys, it’s setting the proper/consistent revocation reason codes.  In Kathleen’s proposal, if you want to revoke for key compromise but can’t demonstrate pop, then you can do that, but it results in just that one cert being revoked (same as unspecified).  If the CA and CRL show revoked for key compromise (when POP is confirmed), then there are other actions to be performed (revoke other certs with the key across all subscribers, block further issuance across all subscribers). 


Correct.
 

If we’re not doing that all the time then how is the relying party to know if this was really a key compromise or not?  If we set the reason to unspecified (no reason code in CRLs) when POP is not verified everyone will have the same understanding of what key compromise means – it was confirmed to be compromised and there should not be any active certificates issued from that CA with that key (something 3rd parties will surely want to watch for)


I'm not sure I follow this concern at all? It sounds like your goal is "KeyCompromise should only mean revocations with proof of possession" - but if so, I think we disagree on that goal. Is that the case?

As to why that goal may be seen as useful, this sounds like the case of believing that CA X should be able to watch CA Y's revocations, but I'm not sure that's necessarily good or positive, because it's an assumption that CA Y performed all steps correctly. Just like we don't allow CA X to issue a cert to a Subscriber with {Key 1, Domain} just because CA Y issued a cert to a Subscriber with {Key 1, Domain}, we shouldn't trust the revocation information either
 

 

You mentioned this below:

However, an additional consideration is that keyCompromise revocations are likely more valuable than other forms of revocations, both in terms of efficient and timely delivery and in user risk. A policy that restricts when and how Subscribers can request this revocation is thus one that limits the value of that, by making it harder, which harms end users more. The more barriers placed for Subscribers, the harder it is to get this information in a timely fashion.

 

Maybe this is where I’m missing an important point.  Why is the key compromise reason more valuable and why will it happen more efficiently and timely than other reasons in the case where the CA cannot validate POP?  Both can happen “immediately” and the end result is that (just) the requested certificate is revoked, so does the reason code matter?

 

If we don’t tighten up the processing of key compromise revocations, then we have 2 different paths to go down when a subscriber requests revocation for key compromise, and we provide a false sense of “security” to those that are looking at the CRL (this key is marked as key compromised, but it’s OK for it to be in other past and future certificates).   If it’s compromised, it should be confirmed to be compromised and if we can’t confirm that, then it should be revoked with another reason.


Hopefully Rob successfully showed why this conclusion is flawed. "It should be confirmed to be compromised" is wholly unnecessary for relying parties, and does not grant a false sense of security. Revocation is first and foremost about a certificate, not about a key; while it's nice to be able to more affirmatively express something about a key, that's not how the system works, nor designed, nor needs to.

As to the other part of your questions, didn't Kathleen already address this with https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SIqvgTmKnno/m/UPsTMDGAAwAJ ? "Why will it happen more efficiently and timely" is precisely because there are bounds to how effectively one can deliver information to browsers in an efficient, privacy preserving, data-respecting way. The whole effort of harmonizing reason codes is to provide consistent expectations that would allow user agents to prioritize multiple methods of delivery, based on the semantic meanings of the codes, reflecting the relative importance and need.

Maybe you can elaborate on how you've been thinking about how this information is delivered. Have you been thinking solely in terms of OCSP and CRLs? That may explain the disconnect, given that those are not widely used directly by end clients.

Aaron Gable

unread,
Feb 3, 2022, 1:25:50 PM2/3/22
to ry...@sleevi.com, Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org
I think there's been one additional piece of confusion here that I'd like cleared up.

Kathleen's proposed text says:
> - If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD limit revocation to only certificates that are associated with that subscriber and which contain that public key.

In response to this, Doug Beattie said:
> In Kathleen’s proposal, if you want to revoke for key compromise but can’t demonstrate pop, then you can do that, but it results in just that one cert being revoked (same as unspecified).

To which Ryan Sleevi replied:
> Correct.

I originally interpreted that sentence of Kathleen's proposal not to mean "only the single requested cert gets revoked", but rather "all certs associated with that key and that subscriber get revoked". But on further close reading, I think the phrasing of that sentence is confusing and it should either be rephrased or left out entirely.

In particular, the sentence causes confusion with regards to the existing phrasing in 4.9.1.1 of the BRs:
> The CA SHALL revoke a Certificate within 24 hours if... The CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise;

If the CA is not revoking all certs associated with that keypair, then clearly they do not have "evidence" that the private key has suffered a key compromise. If they had such evidence, then they would be revoking all such certs, regardless of subscriber. But if a CA does not have evidence of a key compromise, rather they only have a request for revocation of a single certificate with subscriber-attested reason keyCompromise, then why are they revoking any additional certificates at all?

The same issue arises with regards to BRs 6.1.1.3:
> The CA SHALL reject a certificate request if... The CA has previously been made aware that the Applicant's Private Key has suffered a Key Compromise, such as through the provisions of Section 4.9.1.1;

Does a subscriber-attested revocation of a single certificate count as "being made aware"? Or does the reference to Section 4.9.1.1 mean that it takes "evidence" to be "made aware", and that a CA should not block issuance for a key that has only had subscriber-attested key compromise with no proof of possession?

I suspect that this is where Rob Stradling's point comes into play: the CA doesn't have "evidence" of key compromise, but they do "suspect" that the key may have been compromised, so they SHOULD revoke other certificates with that key issued to the same subscriber. If that is the desired interpretation, I would like that chain of reasoning to be made explicit in the new requirements. Otherwise I think the risk of confusion between the new requirements and the existing BRs is too high.

I think that the phrasing of the current proposal in terms of "limit[ing] revocation" is the crux of the confusion, so I propose the following alternative phrasing:
```
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD revoke all certificates associated with that subscriber and which contain that public key, but is not considered to necessarily have evidence of private key compromise for the purposes of revoking certificates associated with other subscribers or blocking issuance of future certificates with that key.
```

Aaron

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHGxZM9cULfqw0HYOvK57JR7YnJPQ0-ruLPqb%3DF2Y%2B_DLw%40mail.gmail.com.

Ben Wilson

unread,
Feb 3, 2022, 2:20:34 PM2/3/22
to Aaron Gable, Ryan Sleevi, Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org
I might say instead, "... the CA SHOULD revoke all certificates associated with that subscriber that contain that public key. The CA SHOULD NOT assume that it has evidence of private key compromise for the purposes of: revoking the certificates of other subscribers or blocking issuance of future certificates with that key."

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfVAO-H1LdpJ50ZgrxEPnXGXUiBt5QKY-N1XiPBCcbuJw%40mail.gmail.com.

Kathleen Wilson

unread,
Feb 3, 2022, 2:47:21 PM2/3/22
to dev-secur...@mozilla.org, Ben Wilson, Ryan Sleevi, Doug Beattie, dev-secur...@mozilla.org, aa...@letsencrypt.org
These concrete suggestions of alternative text are very helpful.

I have updated the  bright green text in the draft policy document per your recommendations:
===
The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD revoke all certificates associated with that subscriber that contain that public key. The CA SHOULD NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers or blocking issuance of future certificates with that key.
===

I will continue to appreciate recommendations on how to improve the draft policy.

Thanks,
Kathleen

PS: I would like to especially thank Ryan Sleevi for his help here -- Another CA had brought the initial concern to my attention and I  asked Ryan to help explain it here in MDSP, and thankfully he has continued to help with this discussion. Thanks, Ryan!




Ryan Sleevi

unread,
Feb 3, 2022, 3:08:00 PM2/3/22
to Kathleen Wilson, dev-secur...@mozilla.org, Ben Wilson, Ryan Sleevi, Doug Beattie, aa...@letsencrypt.org
On Thu, Feb 3, 2022 at 2:47 PM Kathleen Wilson <kwi...@mozilla.com> wrote:
These concrete suggestions of alternative text are very helpful.

I have updated the  bright green text in the draft policy document per your recommendations:
===
The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD revoke all certificates associated with that subscriber that contain that public key. The CA SHOULD NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers or blocking issuance of future certificates with that key.
===

I think that works! Thanks for highlighting the concerns with the language, Aaron, and thanks for the improvements, Kathleen. 

Doug Beattie

unread,
Feb 3, 2022, 4:24:17 PM2/3/22
to ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org, Ben Wilson, aa...@letsencrypt.org

One minor question, but generally I agree with this approach also!

 

Should this be changed to MUST NOT?

  • …The CA SHOULD NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers or blocking issuance of future certificates with that key.

 

 

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ryan Sleevi

Sent: Thursday, February 3, 2022 3:08 PM
To: Kathleen Wilson <kwi...@mozilla.com>
Cc: dev-secur...@mozilla.org; Ben Wilson <bwi...@mozilla.com>; Ryan Sleevi <ry...@sleevi.com>; Doug Beattie <doug.b...@globalsign.com>; aa...@letsencrypt.org <aa...@letsencrypt.org>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

 

 

On Thu, Feb 3, 2022 at 2:47 PM Kathleen Wilson <kwi...@mozilla.com> wrote:

--

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Rob Stradling

unread,
Feb 3, 2022, 5:18:37 PM2/3/22
to ry...@sleevi.com, Kathleen Wilson, Doug Beattie, dev-secur...@mozilla.org, Ben Wilson, aa...@letsencrypt.org
As I implied in my last message, I really think "or blocking issuance of future certificates with that key" should be changed to "but MAY block issuance of future certificates with that key".

Suspected key compromise might be a weak signal, but requiring a subscriber to use a different key is a relatively minor inconvenience (compared to revocation of an existing cert).  My guess is that a not insignificant portion of keys that are suspected of compromise really are compromised, so why shouldn't CAs be permitted to be cautious about future issuance?

From: 'Doug Beattie' via dev-secur...@mozilla.org
Sent: Thursday, February 03, 2022 21:24
To: ry...@sleevi.com; Kathleen Wilson
Cc: dev-secur...@mozilla.org; Ben Wilson; aa...@letsencrypt.org
Subject: RE: Revocation Reason Codes for TLS End-Entity Certificates

Kathleen Wilson

unread,
Feb 3, 2022, 7:18:37 PM2/3/22
to dev-secur...@mozilla.org, r...@sectigo.com, aa...@letsencrypt.org, Ryan Sleevi, Doug Beattie
I have made the recommended changes to the draft policy.
==
The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA SHOULD revoke all certificates associated with that subscriber that contain that public key. The CA MUST NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers, but MAY block issuance of future certificates with that key.
==

Thanks!
Kathleen


Rob Stradling

unread,
Feb 3, 2022, 7:20:23 PM2/3/22
to Jesper Kristensen, dev-secur...@mozilla.org, Doug Beattie, Kathleen Wilson
tl;dr A CSR is not sufficient proof of possession; but even if it was, it's not sufficient proof of intent.


Jesper wrote:
> There have already been several posts in this thread discussing if a CSR can be considered proof of possession of a private key. I don't think a CSR is secret and therefore cannot automatically be considered proof of possession, and I think the policy should state that explicitly.

+1

A CSR's self-signature proves only that the corresponding private key was in the possession of whoever generated that CSR.  It doesn't prove that it was the Subscriber who generated that CSR, and I would say that "suspicion of CSR generation" is a weak signal.  😉

I think it's also important to look carefully at what a CSR is intended for.  It's a Certificate Signing Request, not a Certificate Revocation Request.  In general, whoever generated a CSR did not, at the time it was generated, intend that CSR to be used as proof of key compromise; and since CSRs are immutable and are sometimes made public (i.e., "CSR compromise" is not a thing), it would be dangerous to later treat a vanilla CSR as proof of key compromise.

I think that to actually prove key compromise to the CA, a Subscriber or third party would need to do one of the following:
  1. Self-sign some sort of "Key Compromise Request" (KCR) that a CA can unambiguously treat as a declaration of key compromise by a holder of that key.  Ideally a KCR would be a new type of object that can't be parsed as a CSR (e.g., see https://secure.sectigo.com/products/RevocationPortalDetails?action=2a); or, as some folks have done, a KCR could be a CSR that contains some sort of textual indication of intent such as "subject:CN=This CSR is intended to prove key compromise".
  2. Send the private key to the CA.

Doug wrote:
> If the CSR contains all SAN values in the issued certificate (and the certificate has the same public key as that CSR), then that binds the key to the domains and I believe this is sufficient POP.  If this is not the case when the CSR is provided prior to issuance, a CA could ask the subscriber for a new CSR with all of the SANs (and same public key) as PoP during a request for revocation.  I’d be interested to know if others agree with this.

-1

If a CSR "contains all SAN values", it just means that whoever generated that CSR wanted to Request the Signing of one or more Certificates containing those SAN values.

From: 'Doug Beattie' via dev-secur...@mozilla.org
Sent: Wednesday, February 02, 2022 17:02
To: Jesper Kristensen; dev-secur...@mozilla.org
Cc: Kathleen Wilson

Subject: RE: Revocation Reason Codes for TLS End-Entity Certificates

Hi Jesper,

 

Here’s my opinion on your 3 questions below, marked with “Doug:”

 

From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Jesper Kristensen
Sent: Wednesday, February 2, 2022 11:41 AM
To: dev-secur...@mozilla.org
Cc: Kathleen Wilson <kwi...@mozilla.com>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

You don't often get email from jespe...@gmail.com. Learn why this is important

It seems that some of the criteria in the draft policy are subjective to some degree. At the same time the policy leaves zero margin for error (If X then you MUST use this code, otherwise you MUST NOT). The combination of these two seems to ensure that mistakes will happen, and we will see a continuous stream of incident reports where a CA and a community member disagrees about a subjective aspect of these criteria. Could the policy be updated to give the CA freedom to choose in gray areas?

 

Doug: I don’t have an opinion on that one because I don’t tally understand which subjective statement you’re referring to.

 

 

There have already been several posts in this thread discussing if a CSR can be considered proof of possession of a private key. I don't think a CSR is secret and therefore cannot automatically be considered proof of possession, and I think the policy should state that explicitly.

 

Doug: If the CSR contains all SAN values in the issued certificate (and the certificate has the same public key as that CSR), then that binds the key to the domains and I believe this is sufficient POP.  If this is not the case when the CSR is provided prior to issuance, a CA could ask the subscriber for a new CSR with all of the SANs (and same public key) as PoP during a request for revocation.  I’d be interested to know if others agree with this.

 

 

 

The policy says revocations before the effective date does not need to be changed. What about revocations after the effective date? What if a certificate was revoked as superseded and later the CA receives evidence of key compromise? Must the reason code then be changed?

 

Doug: It’s my understanding that once a certificate is revoked and put on a CRL, you can never change the reason code..

 

 

 

Den tir. 1. feb. 2022 kl. 19.04 skrev Kathleen Wilson <kwi...@mozilla.com>:

I have re-written the bright green text in the draft policy to separate out the scope of revocation from the requirement to use the keyCompromise reason.

 

So the proposed text is as follows:

==

The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
- the CA obtains verifiable evidence that the certificate subscriber’s private key corresponding to the public key in the certificate suffered a key compromise;
- the CA is made aware of a demonstrated or proven method that exposes the certificate subscriber’s private key to compromise;
- there is clear evidence that the specific method used to generate the private key was flawed;

- the CA is made aware of a demonstrated or proven method that can easily compute the certificate subscriber’s private key based on the public key in - the certificate (such as a Debian weak key, see https://wiki.debian.org/TLSkeys); or
- the certificate subscriber requests that the CA revoke the certificate for this reason.


The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate.

- If the certificate subscriber has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- Otherwise, the CA SHOULD limit revocation to only the instance of that key that the certificate subscriber had submitted the Certificate Signing Request (CSR) for.

==

 

I will continue to appreciate your feedback on this, and especially your input on how to make this more accurate.

 

Thanks,

Kathleen

 

 

--

You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Matt Palmer

unread,
Feb 3, 2022, 7:21:06 PM2/3/22
to dev-secur...@mozilla.org
Can you explain your reasoning here? If a subscriber proved possession at
time of issuance, what scenario is there where that same subscriber saying
"this key is compromised" could cause a DoS on another legitimate
subscriber?

Note that by "proved possession" I'm not referring to CAs who just use the
CSR as a convenient way of receiving the public key. I understand that
if a CA doesn't validate that the details in the CSR matches the details in
the issued certificate, that doesn't prevent the DoS scenario, but I also
don't consider that to provide proof of possession.

- Matt

Rob Stradling

unread,
Feb 3, 2022, 7:31:26 PM2/3/22
to Doug Beattie, ry...@sleevi.com, Kathleen Wilson, dev-secur...@mozilla.org
Ryan wrote:
> However, an additional consideration is that keyCompromise revocations are likely more valuable than other forms of revocations, both in terms of efficient and timely delivery and in user risk.

I would still like to know what use cases (if any) the consumers of revocation information have for differentiating between the "other forms of revocation".  If consumers of revocation information are, at most, going to create two buckets - one containing keyCompromise revocations, the other containing everything else - then ISTM that there is no value in mandating the use of affiliationChanged, superseded, cessationOfOperation, and privilegeWithdrawn; and if so, then I think CAs should be permitted to omit reasonCodes for non-key-compromise revocations.

Sent: 02 February 2022 22:35
To: Doug Beattie <doug.b...@globalsign.com>
Cc: Kathleen Wilson <kwi...@mozilla.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Ryan Sleevi <ry...@sleevi.com>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Rob Stradling

unread,
Feb 3, 2022, 7:32:45 PM2/3/22
to Corey Bonnell, ry...@sleevi.com, Doug Beattie, dev-secur...@mozilla.org, Kathleen Wilson
Ryan wrote:
> I think that part of this may be resting on a certain statement "that the certificate lifecycle is completed", and I'm hoping you can expand more. The certificate lifecycle for a certificate does not necessarily end at revocation, at least in X.509, and to Doug's earlier question, you can indeed change reasons (or revocation dates) post-revocation. In the S/MIME case, for example, you can revoke a certificate with revocation date of Y, and then, upon later information, change Y to X (an earlier period), indicating that it had actually been compromised longer.

+1

Sent: 03 February 2022 14:43
To: Corey Bonnell <Corey....@digicert.com>
Cc: Doug Beattie <doug.b...@globalsign.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>; Kathleen Wilson <kwi...@mozilla.com>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Ryan Sleevi

unread,
Feb 3, 2022, 7:50:52 PM2/3/22
to Rob Stradling, Doug Beattie, Jesper Kristensen, Kathleen Wilson, dev-secur...@mozilla.org
Rob,

Can you help me understand the threat model a bit more?

If Alice signs a CSR for good.example, doesn’t that demonstrate some degree of binding between good.example and that key?

If Alice becomes a Subscriber with that CSR, she has demonstrated a POP in the context of good.example.

Let’s say Eve obtains that CSR. Unless Eve can demonstrate control of good.example, then she, as a Subscriber, hasn’t demonstrated a POP in the context of good.example, has she?

That is, I _think_ what you’re hinting at is something similar to what Doug was touching on, but a little bit different. Namely,

- If Eve can use the CSR (that asserts good.example) for evil.example, then Eve shouldn’t be assumed to have demonstrated control
- If the CSR lacks any such binding to a domain, and lacks any CA challenge string (ala the Onion approach), then neither Eve nor Alice should be assumed to have demonstrated control

However, I’m not sure why a CSR, signed for good.example, and used by the Subscriber with whom a good.example certificate was issued to, wouldn’t be sufficient for POP.

Am I missing something obvious?

Matt Palmer

unread,
Feb 3, 2022, 11:53:34 PM2/3/22
to dev-secur...@mozilla.org
On Fri, Feb 04, 2022 at 12:20:16AM +0000, Rob Stradling wrote:
> 1. Self-sign some sort of "Key Compromise Request" (KCR) that a CA can
> unambiguously treat as a declaration of key compromise by a holder of that
> key. Ideally a KCR would be a new type of object that can't be parsed as
> a CSR (e.g., see
> https://secure.sectigo.com/products/RevocationPortalDetails?action=2a);

That's not a Key Compromise Request, because it requires an issued
certificate. It's impossible to generate such a Key Compromise Request
without an already-issued certificate.

> or, as some folks have done, a KCR could be a CSR that contains some sort
> of textual indication of intent such as "subject:CN=This CSR is intended
> to prove key compromise".

Such as https://github.com/pwnedkeys/key-compromise-attestation-rfc.

- Matt

Corey Bonnell

unread,
Feb 4, 2022, 8:33:04 AM2/4/22
to ry...@sleevi.com, Doug Beattie, dev-secur...@mozilla.org, Kathleen Wilson

Hi Ryan,

> I think that part of this may be resting on a certain statement "that the certificate lifecycle is completed", and I'm hoping you can expand more. The certificate lifecycle for a certificate does not necessarily end at revocation, at least in X.509, and to Doug's earlier question, you can indeed change reasons (or revocation dates) post-revocation. In the S/MIME case, for example, you can revoke a certificate with revocation date of Y, and then, upon later information, change Y to X (an earlier period), indicating that it had actually been compromised longer.

 

Fully agreed that X.509/PKIX provides the tools to update revocation information after the initial revocation is published via CRL or OCSP. However, from a TLS BR and Mozilla Policy standpoint, there is no requirement for CAs to update reasonCodes, invalidityDates, etc. after initial publication of the revocation. While some CAs may do this, it is not reasonable to assume that all CAs currently do so today. So, in terms of the current written requirements today, the ecosystem baseline is that revocation completes the certificate lifecycle.

 

Relevant to this discussion are some recent changes to the Code Signing Baseline Requirements [1], which do clarify expectations for CAs regarding setting revocationDates and invalidityDates, as well as clarifying that updating the revocationDate for a CRL entry and OCSP response is encouraged, taking in consideration any new information that the CA may become aware of post initial revocation of the Code Signing certificate. If Root Programs are expecting that CAs update revocation information after the initial publication, then that expectation should be made more explicit with a treatment similar to the Code Signing BRs.

 

> If I understand your attack, although I'm hoping you can more precisely explain it, it sounds like the assumption is that if the attacker self-immolates their cert, then it's impossible to change to keyCompromise later (e.g. as a result of the victim demonstration). Is that the implicit assumption? 

 

I think you understood the attack: the attacker gets a certificate issued, then summarily revokes it with reasonCode that is ignored by a user agent. Since revocation is complete, the CA is relieved of any obligation to update this information after the initial publication. And users of that user agent are still exposed to the risk.

 

Thanks,

Corey

 

[1] https://lists.cabforum.org/pipermail/cscwg-public/2021-October/000616.html

 

From: Ryan Sleevi <ry...@sleevi.com>
Sent: Thursday, February 3, 2022 9:43 AM
To: Corey Bonnell <Corey....@digicert.com>

Cc: Doug Beattie <doug.b...@globalsign.com>; dev-secur...@mozilla.org; Kathleen Wilson <kwi...@mozilla.com>
Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates

 

 

On Thu, Feb 3, 2022 at 8:50 AM 'Corey Bonnell' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

Corey Bonnell

unread,
Feb 4, 2022, 9:38:32 AM2/4/22
to ry...@sleevi.com, Rob Stradling, Doug Beattie, Jesper Kristensen, Kathleen Wilson, dev-secur...@mozilla.org

Hi Ryan,

I agree with Rob that a CSR contains all the SANs of a certificate request is not necessarily sufficient PoP. A bit of PKI fan fiction to illustrate:

 

Assume that a Subscriber, a company named Foobarbaz, Ltd., has a TLS certificate for foobarbaz.com. A marketing director for Foobarbaz catches wind of a hot deal on gTLD domain registrations and instructs IT to purchase registrations for 100 or so domains and setup mirrors of their corporate website on each of those domains. In preparation, IT creates 100 CSRs with the same key pair as the original corporate website’s certificate (because a single 100 SAN cert is “too big”); each CSR has a single SAN dNSName corresponding to the new domain name to be purchased. Right before IT goes to purchase the domains, the marketing director also learns that the hot deal isn’t so great as the renewal fee for those domains “will bankrupt the @!$%^ company!” (their words, not mine). So, IT never follows through on purchasing the domains.

 

Fast forward a few months later, the IT person gets a bit overzealous with “git add” and uploads the 100 CSRs to GitHub. A disgruntled customer of Foobarbaz, still steaming at the company for their bad customer service after Foobarbaz shipped them a broken widget toy for their kid’s birthday, comes across these publicly available CSRs and downloads them. The hot deal on gTLD domains is still ongoing, so they pay the $0.88 and register one of the domains Foobarbaz was going to register but never carried through. They create an account at the same CA that issued the original foobarbaz.com and submit the CSR for their newly registered domain and complete DCV. The certificate gets issued, and they immediately request revocation. Since the CA believes that submission of a CSR with all the SANs constitutes PoP, they also revoke the certificate for foobarbaz.com since the two certificates share a public key. Foobarbaz.com is now unreachable, and our villain goes to bed with a grin on their face.

 

There are mitigations that the CA can put in place to lower the chances of that from happening (such as binding a submitted public key to a specific Subscriber account), but even that may be flawed since it’s essentially TOFU (the first Applicant to submit the CSR “wins”). Given these concerns, I don’t think it necessarily follows that a CSR that contains all SANs of a given certificate request constitutes PoP in all cases.

 

Thanks,

Corey

Ryan Sleevi

unread,
Feb 4, 2022, 11:21:14 AM2/4/22
to Corey Bonnell, Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org, ry...@sleevi.com
On Fri, Feb 4, 2022 at 8:33 AM Corey Bonnell <Corey....@digicert.com> wrote:

Fully agreed that X.509/PKIX provides the tools to update revocation information after the initial revocation is published via CRL or OCSP. However, from a TLS BR and Mozilla Policy standpoint, there is no requirement for CAs to update reasonCodes, invalidityDates, etc. after initial publication of the revocation. While some CAs may do this, it is not reasonable to assume that all CAs currently do so today. So, in terms of the current written requirements today, the ecosystem baseline is that revocation completes the certificate lifecycle.


I think I follow your argument, but I think we may disagree.

If I understand correctly, you’re pointing out that unless there’s an explicit mandate, the lifecycle is done, while I’m trying to highlight that without an explicit dispensation, the lifecycle isn’t done.

I suppose this is a variation of “default allow” vs “default deny”, or half empty/half full: we may disagree based on perspective, even when looking at the same thing.

> If I understand your attack, although I'm hoping you can more precisely explain it, it sounds like the assumption is that if the attacker self-immolates their cert, then it's impossible to change to keyCompromise later (e.g. as a result of the victim demonstration). Is that the implicit assumption? 

 

I think you understood the attack: the attacker gets a certificate issued, then summarily revokes it with reasonCode that is ignored by a user agent. Since revocation is complete, the CA is relieved of any obligation to update this information after the initial publication. And users of that user agent are still exposed to the risk.

Can you point to what language supports the co Claus ion that “the CA is relieved of any obligation to update this information”? I’m not familiar with any language explicitly supporting this, and that may be why I don’t see this attack as practical?

Ryan Sleevi

unread,
Feb 4, 2022, 11:31:44 AM2/4/22
to Corey Bonnell, Doug Beattie, Jesper Kristensen, Kathleen Wilson, Rob Stradling, dev-secur...@mozilla.org, ry...@sleevi.com
On Fri, Feb 4, 2022 at 9:38 AM Corey Bonnell <Corey....@digicert.com> wrote:

Hi Ryan,

I agree with Rob that a CSR contains all the SANs of a certificate request is not necessarily sufficient PoP. A bit of PKI fan fiction to illustrate:


I think you may be conflating my remarks with Doug’s? I wasn’t proposing an “all sans” rule, but a “subscriber” rule - see below.

There are mitigations that the CA can put in place to lower the chances of that from happening (such as binding a submitted public key to a specific Subscriber account), but even that may be flawed since it’s essentially TOFU (the first Applicant to submit the CSR “wins”). Given these concerns, I don’t think it necessarily follows that a CSR that contains all SANs of a given certificate request constitutes PoP in all cases.

To be clear, I was suggesting that the question of “have they proven POP” is about whether the subscriber, who provided the CSR and validated the domain, is the one who initiates the revocation request.

In this adversarial example, where a rogue CSR is obtained, such as for one of these BygoneSSL-style expired/unregistered domains, the fundamental question it seems we’re asking is: is signing a CSR for that name an authorization for that key to be used with that name? And, if it is, what privileges are afforded to the Subscriber account?

I think you and Rob are arguing either that
a) A CSR shouldn’t be seen as authorization for that domain to use that key

or

b) That zero privileges are afforded and some separate demonstration of control is needed

I’m not sure how b would work though, because even systems like bootstrapping a revocation key are still working on the assumption that the entity who presented the CSR and performed the domain validation challenge is authorized to bootstrap said key. If the CSR isn’t the source of that authorization, where does it flow?

It would seem that, if we take the CSR out of the mix, you’re looking to bootstrap some form of challenge-response protocol, similar to DNS challenge/response. Which, to be fair, a CSR can be as well, as we saw with .onion. But how well does that align with how the WebPKI works today, and has worked for decades?

Is there a connection I’m failing to make here?

Rob Stradling

unread,
Feb 4, 2022, 4:14:38 PM2/4/22
to Matt Palmer, dev-secur...@mozilla.org
You're right, Matt.  Naming things is hard, but accurate naming is worth striving for.  I renamed it from Certificate Revocation Request (CRR) to Key Compromise Request (KCR) just before I clicked send.  I suppose Certificate Revocation For Key Compromise Request (CRFKCR) would have been a more accurate term; that just rolls off the tongue, doesn't it?  😉

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On Fri, Feb 04, 2022 at 12:20:16AM +0000, Rob Stradling wrote:
>   1.  Self-sign some sort of "Key Compromise Request" (KCR) that a CA can
> unambiguously treat as a declaration of key compromise by a holder of that
> key.  Ideally a KCR would be a new type of object that can't be parsed as
> a CSR (e.g., see


That's not a Key Compromise Request, because it requires an issued
certificate.  It's impossible to generate such a Key Compromise Request
without an already-issued certificate.

> or, as some folks have done, a KCR could be a CSR that contains some sort
> of textual indication of intent such as "subject:CN=This CSR is intended
> to prove key compromise".



--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Aaron Gable

unread,
Feb 4, 2022, 4:22:35 PM2/4/22
to ry...@sleevi.com, Corey Bonnell, Doug Beattie, Kathleen Wilson, dev-secur...@mozilla.org
All relevant language in the Baseline Requirements (for example, "The CA SHALL revoke a certificate within 24 hours if...") is related to when and how quickly a CA must revoke a certificate. I am not aware of any language in any root program requirements that requires a CA to update the reason code on an already-revoked certificate if or when additional information is obtained.

Thus it seems that yes, if it is widely known that certain user agents are routinely ignoring revocations with certain reason codes, it seems to open up the described attack vector:
1) Compromise someone's key
2) Use that key to issue a cert for a malicious domain
3) Immediately revoke that cert using a reason code that is ignored by user agents
4) Now when the original keyholder revokes for reason keyCompromise, your malicious cert will remain untouched

I wouldn't claim that the certificate lifecycle is done -- obviously, the CA must continue to publish new OCSP responses for the certificate until after it expires. And there is a requirement that CAs process and evaluate all incoming revocation requests. But there is no requirement that processing multiple revocation requests for a single cert happen in any particular way: first request wins, last request wins, "most dire" request wins, or any other method.

Aaron

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHEOSJD9aLfh78iDAN0027guJ2jfEPN%3D00q7x4JrHzQpbw%40mail.gmail.com.

Rob Stradling

unread,
Feb 4, 2022, 6:05:33 PM2/4/22
to Corey Bonnell, ry...@sleevi.com, Doug Beattie, Jesper Kristensen, Kathleen Wilson, dev-secur...@mozilla.org
> In this adversarial example, where a rogue CSR is obtained, such as for one of these BygoneSSL-style expired/unregistered domains, the fundamental question it seems we’re asking is: is signing a CSR for that name an authorization for that key to be used with that name?

I have no problem with the idea of treating a CSR that contains SAN(s) as authorization by the key holder for certificate(s) to be issued that contain both the corresponding public key and those SAN(s); but I do have a problem with the idea of later treating that same CSR as authorization by the key holder for the key to be considered proven-compromised just because somebody (who may or may not be the key holder) happens to be in possession of a copy of that CSR.

Corey's BygoneSSL scenario isn't the one I was thinking of.  My concern is that the nature of a "Subscriber" might not always be as simple as we might like.  

Consider this scenario:
Alice generates a CSR and leaves a copy of it in a public GitHub repository.
Alice requests a certificate for her domain by providing the CSR to a certificate reseller, who forwards it to the CA.
The CA, who considers the reseller to be the Subscriber, asks the reseller to prove domain control.
The reseller works with Alice to prove domain control.
The CA issues the certificate.
The CA sends the certificate to the reseller.
The reseller forwards the certificate to Alice.
Alice installs her certificate and expects it to work until expiry.
Alice leaves a copy of her CSR in a public GitHub repository.
Eve discovers Alice's CSR and grabs a copy of it.

Attack 1 (where the CA treats anyone's proof-of-possession of the CSR as equivalent to proof-of-possession of the private key):
Eve goes directly to the CA and requests revocation of Alice's cert, selecting Key Compromise as the reason, and presenting Alice's CSR as "proof".
The CA accepts this "proof".
The CA revokes Alice's cert.
Alice is surprised!

Attack 2 (where the CA treats only the Subscriber's proof-of-possession of the CSR as equivalent to proof-of-possession of the private key):
Eve correctly guesses that Alice obtained her cert via a particular certificate reseller.
Eve requests a certificate by providing Alice's CSR to the same certificate reseller, who forwards it to the CA.
The CA notices that it already has suitable validation records for this Subscriber (the reseller) that are < 398 days old.
The CA issues the certificate (without requiring the reseller to again prove control of Alice's domain name).
The CA sends the certificate to the reseller.
The reseller forwards the certificate to Eve.
Eve can't use the certificate, but that was never her intent anyway.
Eve asks the reseller to revoke her cert, selecting Key Compromise as the reason, and presenting Alice's CSR as "proof".
The reseller forwards this revocation request to the CA.
The CA accepts this "proof".
The CA revokes Eve's cert.
The CA also revokes Alice's cert, since it has the same key as Eve's cert and belongs to the same Subscriber (the reseller).
Alice is surprised!

From: Ryan Sleevi <ry...@sleevi.com>
Sent: 04 February 2022 16:31
To: Corey Bonnell <Corey....@digicert.com>
Cc: Doug Beattie <doug.b...@globalsign.com>; Jesper Kristensen <jespe...@gmail.com>; Kathleen Wilson <kwi...@mozilla.com>; Rob Stradling <r...@sectigo.com>; dev-secur...@mozilla.org <dev-secur...@mozilla.org>; ry...@sleevi.com <ry...@sleevi.com>

Subject: Re: Revocation Reason Codes for TLS End-Entity Certificates
 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Matt Palmer

unread,
Feb 4, 2022, 7:58:29 PM2/4/22
to dev-secur...@mozilla.org
On Fri, Feb 04, 2022 at 09:14:35PM +0000, Rob Stradling wrote:
> You're right, Matt. Naming things is hard, but accurate naming is worth
> striving for. I renamed it from Certificate Revocation Request (CRR) to
> Key Compromise Request (KCR) just before I clicked send. I suppose
> Certificate Revocation For Key Compromise Request (CRFKCR) would have been
> a more accurate term; that just rolls off the tongue, doesn't it? 😉

Snappy name, indeed. I think that Certificate Revocation Request is a much
better name for what Sectigo has cooked up there, because it is requesting
revocation for a certificate. That you can tick a box that says "I assert
that this key is compromised" as well is more of a side-effect.

- Matt

Ryan Sleevi

unread,
Feb 5, 2022, 12:06:04 AM2/5/22
to Rob Stradling, Corey Bonnell, Doug Beattie, Jesper Kristensen, Kathleen Wilson, dev-secur...@mozilla.org, ry...@sleevi.com
(Eliding Attack 1, since this discussion is about how it’s already been mitigated)

On Fri, Feb 4, 2022 at 6:05 PM Rob Stradling <r...@sectigo.com> wrote:
Attack 2 (where the CA treats only the Subscriber's proof-of-possession of the CSR as equivalent to proof-of-possession of the private key):
Eve correctly guesses that Alice obtained her cert via a particular certificate reseller.
Eve requests a certificate by providing Alice's CSR to the same certificate reseller, who forwards it to the CA.
The CA notices that it already has suitable validation records for this Subscriber (the reseller) that are < 398 days old.
The CA issues the certificate (without requiring the reseller to again prove control of Alice's domain name).

At this point, do we agree or not that there’s a separate failure?

That is, this seems to be exactly the issue with domain reuse, and exactly the lax practices that are concerning, in as much as no diligence of authorization of the request has been done.

The fact that a certificate was issued, based on Eve’s request, _and_ that the CA considers the reseller the Subscriber, seems to represent two separate failures.

We already went through this with the TLS-01/TLS-ALPN-01 discussion, and there seemed agreement that such a confused deputy system represented a fundamentally unacceptable level of risk, since there, the risk was as well confusion between principals of Alice and Eve. While some providers further allowed Alice a usable certificate, the base level Validation failure was the issue.

The CA sends the certificate to the reseller.
The reseller forwards the certificate to Eve.
Eve can't use the certificate, but that was never her intent anyway.
Eve asks the reseller to revoke her cert, selecting Key Compromise as the reason, and presenting Alice's CSR as "proof".
The reseller forwards this revocation request to the CA.

Here again, we have another failure. To the extent that the reseller is acting as the Subscriber, they have allowed Eve to impersonate Alice, first in the issuance, and then in the revocation.

This is a bad reseller.

Now, I am with you that it’s likely there are bad resellers in the ecosystem. The extent to which we’ve seen resellers escrow private keys is, no doubt, proof of this.

But I’m not sure this is the damning attack, in as much as it relies on the reseller failing. To the CA, only that reseller can make that request. Arguably, nothing we do or say policy wise would change that relationship, since resellers are currently out of scope.

It’s easy to show this by looking at resellers who do escrow the key, or resellers which manages a revocation key (on behalf of Alice). If they are able to be directed by Eve to cause the CA to do some action, then this same attack exists for any protocol which requires “active” proof.

The fundamental problem with this reseller design is that the reseller is, at best, questionable as the Subscriber. If they truly are authorized by Alice, then so are their failures. Yet if they aren’t, then it’s a failure by the CA to obtain a Subscriber agreement with the correct entity.

Have I missed something?

Jesper Kristensen

unread,
Feb 5, 2022, 1:03:18 PM2/5/22
to dev-secur...@mozilla.org
Example: A cloud hosting provider uses different certificates for different tenant's vanity domains, but to save server memory, they share a private key. Tenants can get a CSR from the cloud hosting provider, use it to get a certificate and upload it to the cloud hosting provider. If a CSR is POP in this scenario, then one tenant can revoke certificates for other tenants.

If this is intended, then the CA should be required to forbid this in their subscriber agreement.

Ryan Sleevi

unread,
Feb 5, 2022, 2:24:06 PM2/5/22
to Jesper Kristensen, dev-secur...@mozilla.org
Are we just coming up with random hypotheticals here?

Do you know of any provider that does this?

Is there any counter-proposal for how to ensure that Subscribers with certificates today can reliably revoke their existing certificates? Or are folks coming up with these scenarios actively rejecting this as a valid need?

I don’t disagree that, as with anything, we have risks. I think Rob’s scenario points, somewhat, to the need to curtail domain reuse as narrowly as possible (hours, not years).

I’d be curious to know what the alternatives folks are proposing, or whether it really is to tell Subscribers “tough, you’ve got another hoop to jump through to get these certificates revoked”. Because if we’re willing to do that, wouldn’t it be better to instead do something like mandate all CAs support ACME, to at least provide a consistent protocol for this?

Jesper Kristensen

unread,
Feb 5, 2022, 3:58:03 PM2/5/22
to ry...@sleevi.com, dev-secur...@mozilla.org
I saw someone describe how they reused the key across customers for memory saving (but still one cert per customer domain) in a help thread on Let's Encrypt community forums. But I don't know if they were also accepting customer uploaded certs. I think my main point is that if we decide that a CSR is POP, we need to start telling people that a CSR needs to be kept secret, because that is not obvious now, and we can think of scenarios where someone might share CSRs today, which may be insecure practice in the future.

Matthew Hardeman

unread,
Feb 5, 2022, 5:23:18 PM2/5/22
to Jesper Kristensen, Ryan Sleevi, dev-secur...@mozilla.org
Rather than accept the presentation of any arbitrary CSR over a given key as proof of possession of a key for purposes of revocation request, why not require that the party purporting possession/control/knowledge of the key instead create a CSR with a randomly chosen (by CA) value in the CSR subject like CN=rev-req-01233456789.revoketarget.com?

This is unburdensome in the sense that any party with the key and any technical capabilities relevant to PKI should be able to perform this task without any new or additional tooling.  It also has the advantage that it could be part of an automatic protocol if desired, but also could be implemented in a manual protocol.  Further, it introduces no risk to or from any parties who may previously have treated a CSR as an artifact requiring no protection.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACAF_WiQmexceytd6zGNDDV_E24XfOQX-_QuTE-3yBZzrJc0SA%40mail.gmail.com.

Ryan Sleevi

unread,
Feb 5, 2022, 7:56:26 PM2/5/22
to Matthew Hardeman, Jesper Kristensen, Ryan Sleevi, dev-secur...@mozilla.org
I’m not sure - was that question directed at me?

Hopefully it’s clear why I’m concerned about that, but the proposal being made makes me think that may not be clear? Specifically, this introduces the “hoop jumping” concern and shifts the burden to every Subscriber to do something new and different, versus the status quo today, and that seems a serious step back.

Dimitris Zacharopoulos

unread,
Feb 6, 2022, 9:34:10 AM2/6/22
to dev-secur...@mozilla.org
Hi Matt,

I was out and had to catch up with the messages sent to this thread. It
appears that Rob and Corey have included specific attack scenarios that
seem to answer your questions. However, I added some additional comments
to further explain my position.
As several people stated in this thread, CSRs are not intended to be
kept "private". They could be found in public repositories. Allowing a
third-party to submit a certificate problem report and use a CSR without
any indication in the signed message that this is to be used as proof
that this key is compromised, can cause a DoS.

I recall having seen certificate problem reports that are submitted by
security researchers for which the CN included text indicating that this
is to report a compromised key. I believe the CN was "this key is
compromised" or something along those lines. With that said, if a CA
wants to accept a certificate problem report by a third-party, with a
CSR that just includes CN=mydomain.example.com and treat that as POP for
revoking all certificates that include the public key in that CSR, I
don't think there is anything in the current BRs or Mozilla policy to
forbid it. IMO it would be a bad practice.

Hope it makes things a bit clearer.

Dimitris.

Kathleen Wilson

unread,
Feb 6, 2022, 1:50:16 PM2/6/22
to dev-secur...@mozilla.org
Thanks again for all of you for continuing to discuss this. I have updated the bright green text in the draft policy again. Hopefully this is a sufficient balance and clear enough now. Note: It sounds like there may be need to have further discussions about CSRs and revocations in the CA/Browser Forum -- I'm not trying to solve that here.

==
The CRLReason keyCompromise (1) MUST be used when one or more of the following occurs:
...
- the certificate subscriber requests that the CA revoke the certificate for this reason, with the scope of revocation being described below.

The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate. A CSR does NOT prove possession of the certificate’s private key.
- If anyone requesting revocation has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA MAY revoke all certificates associated with that subscriber that contain that public key. The CA MUST NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers, but MAY block issuance of future certificates with that key.
==

Thanks,
Kathleen

It is loading more messages.
0 new messages