NSS 3.12 will support EV certificates:
« Libpkix provides a much more complete and modern parsing of certificates, most importantly policy parsing and handling cross certificate environments correctly. Both of these are needed for EV (the primary driver of getting libpkix in). (It also includes such things as on the fly fetching of intermediate certs.) »

Roadmap:
http://wiki.mozilla.org/NSS:Roadmap#Future_Work:_NSS_3.13_and_Beyond
Preview of new version:
http://wiki.mozilla.org/NSS_Shared_DB_Samples

Bugs about EV:
https://bugzilla.mozilla.org/show_bug.cgi?id=374336 (change to be made in PSM; PSM manages the lists of policy IDs to recognize per CA)
https://bugzilla.mozilla.org/show_bug.cgi?id=375666 (no specialized function in NSS)

Policy management at Microsoft:
http://technet2.microsoft.com/windowsserver/en/library/061476b3-6183-4b7a-94ac-447d720ec0411033.mspx?mfr=true

A description of the technical problems of cross-validation:
http://alwayson.goingon.com/permalink/post/7871
« Once a given client system has a specific EV SSL root installed (by way of EV Upgrader or manual installation, from the Microsoft Web site, by the user) that client will experience « green bar » behavior »

« To designate a root certificate as an EV root, Microsoft will publish associated metadata in the Microsoft Update service […]. There will be many new EV roots created by CAs like Entrust and VeriSign and published in Microsoft Update, but you can also have an older root that gets new EV metadata associated with it. »
« they will choose the shortest path available through locally installed Roots »
« XP/Vista will not choose an EV path over a legacy path. The EV status is determined after a trust path has been chosen »
« web sites will need a cross certificate that chains up to a ‘legacy’ root, in order to support browsers such as Firefox and Opera »
« The site seal will embed a little script to check if the user is on IE 7 and then load some content from a separate SSL protected site. »
« they’ll protect that site with their EV root without a cross cert and it will trigger the appropriate download of roots and metadata. »

OK, so it goes like this.
Web servers are configured to provide the client with the following cert chain:
SSL server cert -> Cross certified EV CA cert -> Legacy root CA cert
The following chain also exists:
SSL server cert -> Self-signed root EV CA cert

The trick for XP is to force the download of the « Self-signed root EV CA cert », given that only a self-signed root certificate, either pre-installed or coming from the update site, can have the « EV bit ».
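
The path selection described above, as an added example that is not part of the original notes: a simplified Python model showing that the client takes the shortest path through its installed roots and only then reads the EV status from that path's root. Assumptions: certificates are matched by name only (no signature or policy OID checks), and all certificate names and function names are constructed for illustration.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

# Constructed sample certificates (hypothetical names, not real CAs).
SERVER = Cert("www.example.test", "EV CA")
EV_CROSS = Cert("EV CA", "Legacy Root")           # EV CA cross-certified by the legacy root
EV_ROOT = Cert("EV CA", "EV CA")                  # self-signed EV root for the same CA
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root")  # root already present on older clients

def build_paths(leaf, intermediates, trust_store):
    """Return every chain from the leaf to a locally installed root."""
    paths = []

    def walk(chain):
        tip = chain[-1]
        # A path ends as soon as an installed root names the tip's issuer.
        for root in trust_store:
            if root.subject == tip.issuer:
                paths.append(chain + [root])
        # Otherwise keep climbing through the intermediates sent by the server.
        for ca in intermediates:
            is_self_signed = ca.subject == ca.issuer
            if ca.subject == tip.issuer and ca not in chain and not is_self_signed:
                walk(chain + [ca])

    walk([leaf])
    return paths

def evaluate(leaf, intermediates, trust_store, ev_roots):
    """Choose the shortest path first, then derive EV status from its root.

    ev_roots models the roots that carry EV metadata on this client.
    """
    paths = build_paths(leaf, intermediates, trust_store)
    if not paths:
        return None, False
    chosen = min(paths, key=len)          # EV plays no part in the choice
    return chosen, chosen[-1] in ev_roots

if __name__ == "__main__":
    for store in ([LEGACY_ROOT], [LEGACY_ROOT, EV_ROOT]):
        path, is_ev = evaluate(SERVER, [EV_CROSS], store, {EV_ROOT})
        print(" -> ".join(c.subject for c in path), "| EV:", is_ev)
```

With only the legacy root installed the three-certificate chain validates without EV; once the self-signed EV root is installed the two-certificate chain becomes the shortest and EV status follows from its root.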