2

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate's signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

croraf
  • 163
  • 6
  • Yes this is a duplicate of https://security.stackexchange.com/questions/141311/is-certificate-validation-done-completely-local (where actually your answer there answers my question), but not of the other duplicate suggestion. – croraf Nov 01 '18 at 06:33

2 Answers2

6

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn't return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

Οurous
  • 107
  • 6
Crypt32
  • 5,901
  • 12
  • 24
  • 2
    +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA. – Mike Ounsworth Oct 31 '18 at 20:56
  • I mentioned that client contacts CA-managed OCSP/CRL servers. – Crypt32 Oct 31 '18 at 20:57
  • Yup! Hence why it's a "+1 TL;DR", not a correction. – Mike Ounsworth Oct 31 '18 at 20:58
  • 3
    If the server staples an OCSP response, that can be validated locally as well (since it is signed). But when the server neglects to do this, the client will need to come up with its own revocation information. – Kevin Oct 31 '18 at 23:51
  • So in principle the server is required to send all the intermediate certificates during handshake? (The root is not needed though, as it can be assumed the client has that) – croraf Nov 01 '18 at 06:22
5

Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site's certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

  • Root CA (trusted as it is installed in the browser)
    • Intermediate A (trusted as it is signed by Root CA)
      • Intermediate B (trusted as it is signed by Intermediate A)
        • Site cert (trusted as it is signed by Intermediate B)

Does checking revocation require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

croraf
  • 163
  • 6
jrtapsell
  • 3,179
  • 15
  • 30
  • Can you clarify what would it mean "trusted certificate"? I think in your first section it should say "Each cert is either root, or...", therefore each cert in the chain is trusted? – croraf Nov 01 '18 at 06:40