* Specifications
[REFS[
- [17] [CITE@en[RFC 2585 - Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP]] ([TIME[2015-03-22 13:17:09 +09:00]] version) <http://tools.ietf.org/html/rfc2585>
- [21] [CITE[RFC Errata Report]] ([TIME[2015-04-11 22:30:06 +09:00]] version) <http://www.rfc-editor.org/errata_search.php?rfc=2585>
- [28] [CITE@en[RFC 7468 - Textual Encodings of PKIX, PKCS, and CMS Structures]] ([TIME[2015-04-20 12:22:43 +09:00]] version) <https://tools.ietf.org/html/rfc7468#section-6>
]REFS]
* File formats
[24] A [[CRL]] can be stored in the following file formats.
[FIG(short list)[
- [[DER]] (>>18)
- [CODE[[[.pem]]]] (>>29)
]FIG]
* Context
[27] A CRL may be contained in a [[PKCS #7]] data structure.
* DER encoding
[18] The [[MIME type]] of a [[DER]]-[[encoded]] [[CRL]] is
[DFN[[CODE(MIME)@en[[[application/pkix-crl]]]]]] [SRC[>>17]].
[20] It has a [CODE(MIME)@en[[[version]]]] [[parameter]] [SRC[>>17, >>21]].
[23] Other [[MIME types]] in use are [CODE(MIME)@en[[[application/x-pkcs7-crl]]]]
and [CODE(MIME)@en[[[application/x-x509-crl]]]] [SRC[>>22]].
;; [25] Although the name contains [[PKCS #7]], it apparently denotes an [[X.509]] [[certificate]]
[SRC[>>22, >>26]], which is puzzling.
[19] The [[file extension]] [CODE[[[.crl]]]] is used [SRC[>>17]].
* [CODE[.pem]] encoding
[29] In a [CODE[[[.pem]]]] file, the label [DFN[[CODE[[[X509 CRL]]]]]]
is used [SRC[>>28]].
[30] The data is an [[ASN.1]] [CODE[[[CertificateList]]]].
It [['''MUST''']] be [[BER]]; [[DER]]
is strongly preferred [SRC[>>28]].
[31] The label [DFN[[CODE[[[CRL]]]]]] was also used on rare occasions,
but it is not common. Therefore generators [['''MUST''']] use [CODE[[[X509 CRL]]]],
and parsers [['''SHOULD NOT''']] accept [CODE[[[CRL]]]] [SRC[>>28]].
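As an added example (not from the original page and not taken from the RFC text), here is a Python parser for a `.pem`-encoded CRL that applies the RFC 7468 rules above: it accepts only the `X509 CRL` label, rejects the obsolete `CRL` label and mismatched BEGIN/END labels, and checks the outer framing of the decoded `CertificateList`, distinguishing DER from BER-only encodings (indefinite length or non-minimal length octets). The sample PEM block is constructed for the example and wraps a tiny SEQUENCE, not a real CRL.

```python
import base64
import re

# Constructed sample for this example: a minimal DER SEQUENCE { INTEGER 1 } wrapped in
# the RFC 7468 "X509 CRL" label. It is NOT a real CertificateList; it only exercises the
# label and framing checks below.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    "-----BEGIN X509 CRL-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END X509 CRL-----\n"
)
# Same payload under the obsolete "CRL" label, which parsers SHOULD NOT recognize.
LEGACY_PEM = SAMPLE_PEM.replace("X509 CRL", "CRL")

# BEGIN and END labels must match; the body is everything in between.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def classify_certificate_list_framing(der: bytes) -> str:
    """Check the outer ASN.1 framing of a CertificateList.

    Returns "DER" when the outer SEQUENCE uses a definite, minimal-length encoding and
    "BER" when it uses an indefinite length or non-minimal length octets (legal BER,
    but not DER, which RFC 7468 strongly prefers). Raises ValueError on anything that
    is not a well-framed SEQUENCE.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("CertificateList must start with an ASN.1 SEQUENCE tag (0x30)")
    first = der[1]
    if first == 0x80:
        return "BER"  # indefinite length: BER only
    if first < 0x80:
        length, header = first, 2  # short form
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed length octets")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
        # DER requires the shortest encoding: lengths below 128 must use the short form
        # and long-form length octets must not start with a zero octet.
        if length < 0x80 or der[2] == 0:
            return "BER"
    if header + length != len(der):
        raise ValueError("SEQUENCE length does not match the decoded data length")
    return "DER"


def parse_pem_crl(pem_text: str) -> "tuple[bytes, str]":
    """Extract the CertificateList bytes from a .pem file and classify their encoding.

    Enforces RFC 7468 section 6: only the "X509 CRL" label is accepted, BEGIN and END
    labels must match, and the body must be strict base64.
    """
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block with matching BEGIN/END labels found")
    label = m.group("label")
    if label != "X509 CRL":
        raise ValueError(f"unsupported PEM label {label!r}; expected 'X509 CRL'")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    return der, classify_certificate_list_framing(der)


if __name__ == "__main__":
    print(parse_pem_crl(SAMPLE_PEM))  # (b'0\x03\x02\x01\x01', 'DER')
    try:
        parse_pem_crl(LEGACY_PEM)
    except ValueError as e:
        print("rejected:", e)
```

The framing check only looks at the outermost SEQUENCE; a full validator would apply the same minimal-length rule to every nested element before treating the file as DER.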
* Protocols
[1]
[FIG(short list)[
- Distribution via [[X.500]] / [[LDAP]]
- Distribution via [[HTTP]]
- Distribution via [[FTP]]
- Distribution via [[e-mail]]
- [[OCSP]]
- [[OCSP stapling]]
- [[CRLSets]]
- [[OneCRL]]
]FIG]
[15] A [[CA]] can create a [[CRL]]. A [[certificate]] can carry the [[URL]]
from which the [[CRL]] is distributed.
[33] A [[CA]] can provide revocation information via [[OCSP]]. A [[certificate]]
can carry the [[URL]] of the [[OCSP]] [[endpoint]].
A party that wants to [[validate]] the [[certificate]] can query the [[URL]]
written in the [[certificate]] over [[OCSP]] and check whether the [[certificate]] has been [[revoked]].
[35] A [[TLS server]] can obtain the [[OCSP]] response from the [[CA]] in advance
and supply it to the [[TLS client]] via [[OCSP stapling]].
The [[TLS client]] can then use the stapled information in place of its own [[OCSP]] query.
[43] [[Google]] ([[CRLSets]]) and [[Mozilla]] ([[OneCRL]])
each maintain an aggregated list of revocation information for important [[certificates]];
[[Chrome]] and [[Firefox]] periodically download it and use it for validation.
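As an added example (not from the original page), here is a Python decoder for a DER-encoded `CertificateList` together with the check a relying party performs once it has fetched the CRL from the URL in the certificate: parse `thisUpdate`, `nextUpdate` and the `revokedCertificates` entries, refuse a stale list, and look up the serial number of the certificate being validated. The sample CRL is constructed inside the block by a small DER encoder (issuer name and dates are made up) and carries a dummy signature; verifying the issuer's signature over `tbsCertList`, which a real validator must do before trusting the list, is deliberately left out.

```python
import datetime as dt

UTC = dt.timezone.utc


# --- minimal DER encoder, used only to build the constructed sample below ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(v: int) -> bytes:
    # minimal two's-complement: a leading 0x00 is added when the top bit is set
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def der_utctime(t: dt.datetime) -> bytes:
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


# --- minimal DER reader ---
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos; rejects BER-only lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def children(buf: bytes) -> list:
    """All (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def parse_time(tag: int, value: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)


def parse_crl(der: bytes):
    """Decode an RFC 5280 CertificateList into (thisUpdate, nextUpdate, {serial: revocationDate})."""
    tag, outer, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts = children(outer)  # tbsCertList, signatureAlgorithm, signatureValue
    if len(parts) != 3 or parts[0][0] != 0x30:
        raise ValueError("CertificateList must have exactly three components")
    tbs, i = children(parts[0][1]), 0
    if tbs[i][0] == 0x02:  # version (INTEGER, v2 = 1) is OPTIONAL
        i += 1
    i += 2  # skip signature AlgorithmIdentifier and issuer Name
    this_update = parse_time(*tbs[i]); i += 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):  # nextUpdate is OPTIONAL
        next_update = parse_time(*tbs[i]); i += 1
    revoked = {}
    if i < len(tbs) and tbs[i][0] == 0x30:  # revokedCertificates SEQUENCE OF SEQUENCE
        for _, entry in children(tbs[i][1]):
            fields = children(entry)  # userCertificate, revocationDate[, extensions]
            revoked[int.from_bytes(fields[0][1], "big", signed=True)] = parse_time(*fields[1])
    return this_update, next_update, revoked


def revocation_status(crl_der: bytes, serial: int, now: dt.datetime) -> str:
    """Answer 'revoked' or 'good' for serial, refusing to answer from a CRL that is
    not yet valid or whose nextUpdate has passed (a stale list must be re-fetched).
    NOTE: the issuer's signature over tbsCertList is not verified here."""
    this_update, next_update, revoked = parse_crl(crl_der)
    if now < this_update:
        raise ValueError("CRL thisUpdate is in the future")
    if next_update is not None and now > next_update:
        raise ValueError("stale CRL: nextUpdate has passed")
    return "revoked" if serial in revoked else "good"


def build_sample_crl(revoked_serials, this_update, next_update) -> bytes:
    """Constructed sample CertificateList (issuer CN=Example CA, dummy signature)."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0c, b"Example CA"))))
    entries = b"".join(tlv(0x30, der_int(s) + der_utctime(this_update)) for s in revoked_serials)
    tbs = tlv(0x30, der_int(1) + sha256_rsa + issuer + der_utctime(this_update)
              + der_utctime(next_update) + (tlv(0x30, entries) if entries else b""))
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 9))  # BIT STRING placeholder


SAMPLE_THIS = dt.datetime(2016, 5, 9, 12, 0, 0, tzinfo=UTC)
SAMPLE_NEXT = SAMPLE_THIS + dt.timedelta(days=7)
SAMPLE_NOW = SAMPLE_THIS + dt.timedelta(hours=1)
SAMPLE_STALE_NOW = SAMPLE_NEXT + dt.timedelta(days=1)
SAMPLE_CRL = build_sample_crl([0x1234, 0x80], SAMPLE_THIS, SAMPLE_NEXT)

if __name__ == "__main__":
    print(revocation_status(SAMPLE_CRL, 0x1234, SAMPLE_NOW))  # revoked
    print(revocation_status(SAMPLE_CRL, 99, SAMPLE_NOW))      # good
```

The stale-CRL check is the part most often skipped in practice: a client that keeps answering "good" from a list whose `nextUpdate` has passed will never learn about revocations made after that list was published, which is the failure mode the CRLSets/OneCRL approach above is meant to cover.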
* Notes
[6] [CITE@en[CA:ImprovingRevocation - MozillaWiki]]
([TIME[2015-03-21 11:05:17 +09:00]] version)
<https://wiki.mozilla.org/CA:ImprovingRevocation>
[8] [CITE@en[CA:RevocationPlan - MozillaWiki]]
([TIME[2015-03-21 11:08:04 +09:00]] version)
<https://wiki.mozilla.org/CA:RevocationPlan>
[10] [[CRL issuer]]
[11] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-3.3>
[12] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-5>
[13] [CITE[RFC Errata Report]]
([TIME[2015-03-23 15:33:39 +09:00]] version)
<http://www.rfc-editor.org/errata_search.php?rfc=5280>
[14] [CITE@en[RFC 6818 - Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2014-12-21 17:28:26 +09:00]] version)
<http://tools.ietf.org/html/rfc6818>
[FIG(quote)[
[FIGCAPTION[
[16] ([TIME[2014-11-01 05:54:38 +09:00]] version)
<https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=9>
]FIGCAPTION]
> Certificate Revocation List: A regularly updated time-stamped list of revoked Certificates that is created and digitally signed by the CA that issued the Certificates.
]FIG]
[22] [CITE@en[559769 – libpkix should allow the content-type application/x-pkcs7-crl when downloading a CRL over HTTP]] ([TIME[2015-04-11 22:49:57 +09:00]] version) <https://bugzilla.mozilla.org/show_bug.cgi?id=559769>
[26] [CITE['Re: content-type application/x-pkcs7-crl' - MARC]] ([TIME[2015-04-11 22:59:12 +09:00]] version) <http://marc.info/?l=openssl-users&m=92151321220161&w=2>
[32] [CITE@en[RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]]
([TIME[2015-05-29 03:22:56 +09:00]] version)
<https://tools.ietf.org/html/rfc7525#section-6.5>
[34] [CITE[Chromeは既定だとオンラインで証明書の失効確認していないので設定方法を調べてみた - piyolog]]
([TIME[2015-12-07 19:59:38 +09:00]] version)
<http://d.hatena.ne.jp/Kango/20140413/1397345642>
[2] [CITE@ja[証明書の失効を構成する]]
([TIME[2016-05-09 17:14:04 +09:00]] version)
<https://technet.microsoft.com/ja-jp/library/cc771079(v=ws.11).aspx>
[3] [CITE@ja[CRL 処理について一旦書き出してみる - Hexa's diary]]
([TIME[2016-05-09 17:29:05 +09:00]] version)
<http://hexa.hatenablog.com/entry/2012/12/18/015959>
[4] [CITE@en-US[CRL checking by IIS | Care, Share and Grow!]]
([TIME[2016-05-09 18:46:38 +09:00]] version)
<https://blogs.msdn.microsoft.com/saurabh_singh/2010/12/01/crl-checking-by-iis/>
[5] [CITE@en[OpenSSL]]
(by [[OpenSSL Foundation, Inc.]], [TIME[2016-05-09 19:43:53 +09:00]] version)
<https://www.openssl.org/docs/manmaster/apps/crl.html>
[7] [CITE[opensslによるサーバー証明書失効リスト (CRL) 確認 - IKB: 雑記帖]]
([TIME[2016-03-12 15:03:35 +09:00]] version)
<http://d.hatena.ne.jp/i_k_b/20100112/1263293430>
[9] [CITE@en[ImperialViolet - No, don't enable revocation checking]]
(by [[Adam Langley]], [TIME[2016-05-09 20:17:00 +09:00]] version)
<https://www.imperialviolet.org/2014/04/19/revchecking.html>
[36] [CITE[The current state of certificate revocation (CRLs, OCSP and OCSP Stapling)]]
([TIME[2016-05-09 21:59:02 +09:00]] version)
<https://www.maikel.pro/blog/current-state-certificate-revocation-crls-ocsp/>
[37] [CITE@en[How Certificate Revocation Works]]
([TIME[2016-05-09 22:47:49 +09:00]] version)
<https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx>
[FIG(quote)[
[FIGCAPTION[
[38] [CITE@en[Issue 305443 - chromium - Chrome for Android doesn't seem to respect CRL - Monorail]]
([TIME[2016-05-09 23:24:53 +09:00]] version)
<https://bugs.chromium.org/p/chromium/issues/detail?id=305443>
]FIGCAPTION]
> Oct 9, 2013
> Android has never supported revocation checking.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[39] [CITE@en[Issue 362696 - chromium - Missing warning on revoked certificate - Monorail]]
([TIME[2016-05-09 23:29:05 +09:00]] version)
<https://bugs.chromium.org/p/chromium/issues/detail?id=362696>
]FIGCAPTION]
> On all platforms that perform revocation checks as a system-level component (eg: on Windows and OS X), we always pass flags to allow cached revocation checks. That is, if another application has caused a revoked certificate to be known, we (Chrome) will treat it as revoked. Additionally, we pass flags to disable online revocation checks. However, in certain circumstances, the OS will ignore those flags and force an online revocation check. In those cases as well, the revocation will be picked up.
> Absent both of those cached settings, however, we utilize CRLSets, the contents of which are described at a previous link and, by design, do not contain *every* revoked certificate.
]FIG]
[40] [CITE[Security FAQ - The Chromium Projects]]
([TIME[2016-05-07 09:19:23 +09:00]] version)
<https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation->
[41] [CITE@en[ImperialViolet - Revocation still doesn't work]]
(by [[Adam Langley]], [TIME[2016-05-09 23:37:03 +09:00]] version)
<https://www.imperialviolet.org/2014/04/29/revocationagain.html>
[42] [CITE[The Hidden Costs of Heartbleed]]
([TIME[2016-05-10 00:36:49 +09:00]] version)
<https://blog.cloudflare.com/the-hard-costs-of-heartbleed/>