/
964.txt
227 lines (161 loc) · 11.5 KB
/
964.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
[12] [[証明書]]を、その有効期限の満了を待たずに無効とすることを[DFN[[RUBYB[失効]@en[revocation]]]]といいます。
* プロトコル
[13] [[失効][証明書の失効]]情報は、 [[CA]] が発行し、何らかの方法で[[証明書]]の (潜在的)
利用者に伝達する必要があります。[[失効][失効 (証明書)]]情報の伝達方法は色々あります。
[FIG(short list)[
- [[CRL]]
- [[OCSP]]
- [[OCSP stapling]]
- [[CRLSets]]
- [[OneCRL]]
- [[short-lived certificates]]
]FIG]
[3] いずれも問題を抱えており、万能な方法は無いようです。
各実装はそれぞれの方針に従い組み合わせて使っていますが、
それにもそれぞれの問題があるようです。
;; 中には失効の検査を行わない実装もあるようです。
[15] [[CA]] は、[[CRL]] を作成できます。[[証明書]]には、 [[CRL]]
を配布する [[URL]] を記述できます。
[33] [[CA]] は、 [[OCSP]] により失効情報を提供できます。[[証明書]]には、
[[OCSP]] の[[エンドポイント]]の [[URL]] を記述できます。
[[証明書]]を[[検証]]したい者は、[[証明書]]に記述された [[URL]]
を使って [[OCSP]] でアクセスし、[[証明書]]が[[失効]]していないか確認できます。
[35] [[TLSサーバー]]は、予め [[CA]] から [[OCSP]] 情報を入手しておき、
[[TLSクライアント]]に対して [[OCSP stapling]] によってこれを提供できます。
[[TLSクライアント]]は、 [[OCSP]] の処理を [[OCSP stapling]] の情報で代用できます。
[43] [[Google]] は [[CRLSets]] として、 [[Mozilla]] は [[OneCRL]]
として主要な[[証明書]]の失効情報を集約したものを用意し、
[[Chrome]] や [[Firefox]] は定期的にこれをダウンロードして検証に利用します。
* データベース
[SEE[ [[証明書データベース]] ]]
* 歴史
[6] [CITE@en[CA:ImprovingRevocation - MozillaWiki]]
([TIME[2015-03-21 11:05:17 +09:00]] 版)
<https://wiki.mozilla.org/CA:ImprovingRevocation>
[8] [CITE@en[CA:RevocationPlan - MozillaWiki]]
([TIME[2015-03-21 11:08:04 +09:00]] 版)
<https://wiki.mozilla.org/CA:RevocationPlan>
[32] [CITE@en[RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]]
([TIME[2015-05-29 03:22:56 +09:00]] 版)
<https://tools.ietf.org/html/rfc7525#section-6.5>
[2] [CITE@ja[証明書の失効を構成する]]
( ([TIME[2016-05-09 17:14:04 +09:00]]))
<https://technet.microsoft.com/ja-jp/library/cc771079(v=ws.11).aspx>
[9] [CITE@en[ImperialViolet - No, don't enable revocation checking]]
( ([[Adam Langley]]著, [TIME[2016-05-09 20:17:00 +09:00]]))
<https://www.imperialviolet.org/2014/04/19/revchecking.html>
[36] [CITE[The current state of certificate revocation (CRLs, OCSP and OCSP Stapling)]]
( ([TIME[2016-05-09 21:59:02 +09:00]]))
<https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/>
[37] [CITE@en[How Certificate Revocation Works]]
( ([TIME[2016-05-09 22:47:49 +09:00]]))
<https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx>
[FIG(quote)[
[FIGCAPTION[
[38] [CITE@en[Issue 305443 - chromium - Chrome for Android doesn't seem to respect CRL - Monorail]]
( ([TIME[2016-05-09 23:24:53 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=305443>
]FIGCAPTION]
> Oct 9, 2013
> Android has never supported revocation checking.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[39] [CITE@en[Issue 362696 - chromium - Missing warning on revoked certificate - Monorail]]
( ([TIME[2016-05-09 23:29:05 +09:00]]))
<https://bugs.chromium.org/p/chromium/issues/detail?id=362696>
]FIGCAPTION]
> On all platforms that perform revocation checks as a system-level component (eg: on Windows and OS X), we always pass flags to allow cached revocation checks. That is, if another application has caused a revoked certificate to be known, we (Chrome) will treat it as revoked. Additionally, we pass flags to disable online revocation checks. However, in certain circumstances, the OS will ignore those flags and force an online revocation check. In those cases as well, the revocation will be picked up.
> Absent both of those cached settings, however, we utilize CRLSets, the contents of which are described at a previous link and, by design, do not contain *every* revoked certificate.
]FIG]
[40] [CITE[Security FAQ - The Chromium Projects]]
( ([TIME[2016-05-07 09:19:23 +09:00]]))
<https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation->
[41] [CITE@en[ImperialViolet - Revocation still doesn't work]]
( ([[Adam Langley]]著, [TIME[2016-05-09 23:37:03 +09:00]]))
<https://www.imperialviolet.org/2014/04/29/revocationagain.html>
[4] [CITE@en[854346 – Treat expired certs with no revocation information as revoked, and do not allow an override]]
( ([TIME[2016-05-10 21:23:36 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=854346>
[FIG(quote)[
[FIGCAPTION[
[5] [CITE[IO::Socket::SSL - search.cpan.org]]
( ([TIME[2016-05-11 00:32:21 +09:00]]))
<http://search.cpan.org/~sullr/IO-Socket-SSL-2.027/lib/IO/Socket/SSL.pod>
]FIGCAPTION]
> It will also check the revocation of the certificate with OCSP, but currently only if the server provides OCSP stapling (for deeper checks see ocsp_resolver method).
]FIG]
[7] [CITE@ja[Microsoft、不正SSL証明書問題に対処 Firefoxは再度更新 - ITmedia エンタープライズ]]
( ([TIME[2016-05-11 01:05:16 +09:00]]))
<http://www.itmedia.co.jp/enterprise/articles/1109/07/news017.html>
[10] [CITE@en[Add CRL generation to revocation updater · Issue #232 · letsencrypt/boulder]]
( ([TIME[2016-05-11 23:05:41 +09:00]]))
<https://github.com/letsencrypt/boulder/issues/232>
[11] [CITE@en[Check Certificate Revocation Lists the OCSP status of an (SSL) Certificate]]
( ([TIME[2016-05-28 01:59:50 +09:00]]))
<https://certificate.revocationcheck.com/>
[FIG(quote)[
[FIGCAPTION[
[1] [CITE@en[1024809 – (OneCRL) Add Revoked Intermediate Certs to revocation list push mechanism]]
( ([TIME[2016-05-31 17:17:59 +09:00]]))
<https://bugzilla.mozilla.org/show_bug.cgi?id=1024809#c59>
]FIGCAPTION]
> I would encourage you to re-think the Issuer+SerialNumber being the only blocking mechanism. Both CRLSets and Microsoft's Certificate Distrust Lists have found that in the real world of revocations (most notably, DigiNotar), issuer+serial number is NOT sufficient. There are times where you want Subject+Public Key, as a given Subject+PublicKey may have many issuers, some of which the affected CA does not disclose.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[14] [CITE[Requiring OCSP for EV (was Re: '''['''ct-policy''']''' Proposed changes to EV/CT Plan) - Google グループ]]
( ([TIME[2016-05-31 17:24:52 +09:00]]))
<https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/jmbbIgmGbdk>
]FIGCAPTION]
> > For Chrome, AIUI you already aim to have your CRLSets cover all EV certs, so why demand OCSP Stapling for EV as well?
> >
> This is not correct, and something we have repeatedly clarified. CRLSets first and foremost has been a means to deal with emergency revocations outside of the binary updates, such as those employed by Firefox, or system updates, such as those employed by Microsoft (prior to certificate distrust lists, which operate comparably) or Apple. Our commitment is to rapid response, and the focus here is on intermediates and certificates with powerful/dangerous capabilities that put a broad base of users at risk.
> In the course of developing this, we saw an opportunity to optimize some of the CRL delivery for end-entity certs, but this was merely opportunistic. While we still employ it, especially for CAs that can provide meaningful revocation information, this is a "nice to have", and may be removed in the future. While I'm sure this would kick off a centithread alone, I don't think we should focus on this.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[16] [CITE[cURL - How To Use]]
( ([TIME[2016-05-31 06:05:05 +09:00]]))
<https://curl.haxx.se/docs/manpage.html#--crlfile>
]FIGCAPTION]
> --crlfile <file>
> (HTTPS/FTPS) Provide a file using PEM format with a Certificate Revocation List that may specify peer certificates that are to be considered revoked.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[17] [CITE[cURL - SSL CA Certificates]]
( ([TIME[2016-05-24 16:25:10 +09:00]]))
<https://curl.haxx.se/docs/sslcerts.html>
]FIGCAPTION]
> Schannel will run CRL checks on certificates unless peer verification is disabled. Secure Transport on iOS will run OCSP checks on certificates unless peer verification is disabled. Secure Transport on OS X will run either OCSP or CRL checks on certificates if those features are enabled, and this behavior can be adjusted in the preferences of Keychain Access.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[18] [CITE@en[マイナンバーカードでSSHする - AAA Blog]]
([[hamano]]著, [TIME[2016-06-23 13:05:40 +09:00]])
<https://www.osstech.co.jp/~hamano/posts/jpki-ssh/>
]FIGCAPTION]
> 証明書の失効情報を得るにはなぜか総務大臣の認可が必要だそうなので証明書の検証が必要な場合は面倒ですが申請するしかないですね。
]FIG]
[FIG(quote)[
[FIGCAPTION[
[19] [CITE@ja[グローバルサインのルート証明書が一時的に失効するトラブル | スラド IT]]
( ([TIME[2016-10-25 02:51:18 +09:00]]))
<http://it.srad.jp/story/16/10/24/0624223/>
]FIGCAPTION]
> 問題の発端となったのは、グローバルサインが10月7日に発行した証明書失効リスト(CRL)。CRLは有効期限が過ぎた証明書を失効させるためのリストなのだが、その中に含まれていたクロスルート証明書と同じ公開鍵、同じサブジェクトネームを持つルート証明書が存在し、「より最近の有効期間開始日を持つクロスルート証明書について、元のルート証明書(R1)に対する置き換えであるとみなしてしまうような実装がされていた」たためにそのルート証明書が失効扱いとなり、このルート証明書に依存する中間CA証明書がすべて無効となってしまったという。
> 10月7日時点では問題は発生していなかったのだが、10月13日に証明書失効情報を提供するためのOnline Certificate Status Protocol(OCSP)で使われるデータベースが更新され、10月7日に発行されたCRLの情報を取り込んだために問題が発覚した模様。
]FIG]
[20] [CITE@ja[GoDaddyのSSL証明書発行の際のドメイン所有者確認システムにバグ、証明書8,850件が失効 | スラド セキュリティ]]
([TIME[2017-01-14 18:21:23 +09:00]])
<https://security.srad.jp/story/17/01/13/2232244/>
[21] [CITE@en[Are revoked certificates detected in Safari and Chrome? - Server - Let's Encrypt Community Support]]
([TIME[2018-01-30 00:21:56 +09:00]])
<https://community.letsencrypt.org/t/are-revoked-certificates-detected-in-safari-and-chrome/42677/6>
[22] [CITE@en[361820 - Check For Server Certificate Revocation checkbox is confusing - chromium - Monorail]]
([TIME[2018-01-30 18:35:41 +09:00]])
<https://bugs.chromium.org/p/chromium/issues/detail?id=361820>
[23] [CITE@en[No bug, Automated blocklist update from host bld-linux64-spot-302 - a…]]
([[ffxbld]]著, [TIME[2018-02-15 04:41:58 +09:00]])
<https://github.com/mozilla/gecko-dev/commit/3d37781c2d360dfbc41d5ef40f5111166475010c#diff-6977f1da0159242e38daf7645b72e52a>