mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Clarify OCSP/CRL Availability Requirements #214

Open wthayer opened 4 years ago

wthayer commented 4 years ago

Mozilla's expectations for OCSP and CRL availability do not appear to be very clear, and as a result CAs inconsistently report outages. For example, GlobalSign reported a recent multi-day service degradation but IdenTrust did not. The BRs require 24x7 availability, but services are never 100% available and I suspect that Mozilla doesn't want CAs to report every second of downtime recorded by their monitoring systems. I suggest creating some guidance for CAs. For example, Mozilla could require CAs to treat an outage (defined as: the majority of users can't get a response from the service within 10 seconds) of more than 45 minutes (roughly 99.9% availability over the period of a month) as an incident.

Alternately, one could argue that with OneCRL and CRLite Mozilla doesn't care about availability of these services, and guidance should be that CAs don't need to report CRL/OCSP outages as incidents. Of course this leaves some sharp edges exposed - CAs that don't participate in CRLite, and Thunderbird users, for instance.

BenWilson-Mozilla commented 4 years ago

Discussions have been started on the m.d.s.p. and CA/B Forum server certificate list re: OCSP uptime requirements. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Pnyo3vhMhJY

BenWilson-Mozilla commented 1 year ago

Section 4.10.2 of the Baseline Requirements says, "The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA." One proposal for a ballot in the CA/Browser Forum suggested adding:

The Repository SHALL be continually available and the CA SHALL disclose its Service Level Objectives in its CPS for the Repository measured against the following Service Level Indicators at a minimum:

Availability: Percent of OCSP and CRL service requests that receive a response conforming to Section 4.9.9.
Latency: Percent of responses with response time less than or equal to 5 seconds.
Publishing time: Time to publish revocation data (including propagation time).
OCSP and CRL consistency time: Time to achieve consistency between OCSP responses and CRLs, in seconds.

Service Level Indicators SHALL be measured across a 30-day rolling window. CAs SHALL specify the location from where the response time is measured in its CPS.
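As an added example (not from the issue thread or from Mozilla's policy): a Python sketch of how a CA's own monitoring could compute the first two SLIs quoted above over a 30-day window, together with the outage test from the opening comment (a majority of probes unanswered within 10 seconds for more than 45 minutes). The probe records, the three vantage points and the once-a-minute schedule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LATENCY_SLI_SECONDS = 5.0      # ballot text: responses within 5 seconds
OUTAGE_TIMEOUT_SECONDS = 10.0  # wthayer: "can't get a response within 10 seconds"
OUTAGE_REPORT_MINUTES = 45     # wthayer: an outage longer than this is an incident
WINDOW_DAYS = 30               # ballot text: 30-day rolling window

@dataclass
class Probe:
    ts: datetime     # when the probe was sent
    ok: bool         # a response conforming to BR 4.9.9 was received
    latency: float   # seconds until the response; float("inf") if none came

def slis(probes, now):
    """Availability and latency SLIs (percent) over the 30-day window ending at `now`."""
    w = [p for p in probes if now - timedelta(days=WINDOW_DAYS) <= p.ts <= now]
    answered = [p for p in w if p.ok]
    fast = sum(p.latency <= LATENCY_SLI_SECONDS for p in answered)
    return {"availability": 100.0 * len(answered) / max(len(w), 1),
            "latency": 100.0 * fast / max(len(answered), 1)}

def longest_outage_minutes(probes):
    """Longest run of consecutive minutes in which a majority of that minute's probes
    got no response within 10 s; an incident if it exceeds OUTAGE_REPORT_MINUTES."""
    by_minute = {}
    for p in probes:
        by_minute.setdefault(p.ts.replace(second=0, microsecond=0), []).append(p)
    minutes = sorted(by_minute)
    longest = run = 0
    for i, m in enumerate(minutes):
        unanswered = sum(p.latency > OUTAGE_TIMEOUT_SECONDS for p in by_minute[m])
        down = 2 * unanswered > len(by_minute[m])
        contiguous = i > 0 and m - minutes[i - 1] == timedelta(minutes=1)
        run = (run + 1 if contiguous else 1) if down else 0  # a probing gap breaks the run
        longest = max(longest, run)
    return longest

def availability_for_downtime(minutes, days=WINDOW_DAYS):
    """Availability implied by total downtime over `days`: 45 min in 30 days -> ~99.9%."""
    return 100.0 * (1 - minutes / (days * 24 * 60))

def sample_probes():
    """Constructed data: three vantage points probe once a minute for two hours; in
    minutes 30..79 two of them get no answer and the third (always 6 s) is slow."""
    t0 = datetime(2024, 1, 1)
    probes = []
    for m in range(120):
        for v, lat in enumerate((0.2, 1.2, 6.0)):
            lost = 30 <= m < 80 and v < 2
            probes.append(Probe(t0 + timedelta(minutes=m), not lost, float("inf") if lost else lat))
    return probes
```

On the constructed data the availability SLI drops to about 72% and the latency SLI to about 54% for the window, and the 50-minute run of majority-unanswered minutes exceeds the 45-minute threshold that the opening comment proposes as the reporting line.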

BenWilson-Mozilla commented 1 year ago

I'm going to remove this from the version 2.9 batch of changes.

BenWilson-Mozilla commented 4 days ago

See https://bugzilla.mozilla.org/show_bug.cgi?id=1905419#c3