Hello, I'm currently writing an extension for Firefox that checks the fingerprint of an SSL certificate against the stored fingerprint for a configured domain. If the fingerprint does not match, a warning appears. This extension should support a trusted anchor without a CA like VeriSign and could be used to secure, for example, home banking sites.
The extension is currently in pre-alpha phase and for the next month I don't have much time to work on it. So maybe at the beginning of next year you may see it.

greetings
wof

Balint Balogh wrote:
> Hello
>
> Suppose Example Ltd. runs its own local CA that issues certificates to
> servers and email addresses at example.com and its subdomains. The
> certificate of this CA is installed as a trusted CA certificate into every
> browser (Firefox) and email client (Thunderbird) of employees.
>
> Example Ltd. wants to make sure that only their own CA may sign
> certificates claiming to belong to example.com or any of its subdomains.
> That is, if a user tries to connect to any *.example.com server whose
> SSL/TLS certificate has not been signed by the CA of Example Ltd., the
> user should see a security warning about an invalid server certificate
> (likewise for email if using S/MIME).
>
> Without this security measure, any CA that has its certificates in client
> software has the power to thwart SSL/TLS security by issuing fake
> certificates claiming to belong to *.example.com servers or email
> addresses.
>
> Is there a way around this problem, without disabling or removing all
> other certificates? Certificates signed by other, widely recognized CAs,
> whose certificates are included by default in Mozilla products should
> still be considered valid except for *.example.com domains.
>
> Thanks for any help.
>
> Balint Balogh

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
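
The per-domain fingerprint check described in the reply above, sketched as an added example (it is not code from the extension or from either poster). All names are hypothetical, the byte strings are constructed stand-ins for DER-encoded certificates, and letting `*.example.com` cover subdomains at any depth is an assumption taken from the question's "any of its subdomains".

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
PINNED_CERT = b"constructed DER bytes of the pinned example.com certificate"
OTHER_CERT = b"constructed DER bytes of a certificate from another issuer"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip separators and case so stored pins compare regardless of formatting."""
    return fp.replace(":", "").replace(" ", "").lower()

def pattern_matches(host: str, pattern: str) -> bool:
    """Exact match, or '*.' prefix covering subdomains at any depth (assumption)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so notexample.com cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def check(host: str, der: bytes, pins: dict) -> str:
    """Return 'unpinned', 'match' or 'mismatch' for the certificate presented by host."""
    expected = [fp for pat, fps in pins.items()
                if pattern_matches(host, pat) for fp in fps]
    if not expected:
        return "unpinned"  # no stored pin: ordinary CA validation still applies
    seen = normalize(fingerprint(der))
    # compare_digest avoids leaking how many leading characters matched
    if any(hmac.compare_digest(seen, normalize(fp)) for fp in expected):
        return "match"
    return "mismatch"  # caller shows the warning

# Constructed pin store: domain pattern -> list of accepted fingerprints.
PINS = {
    "example.com": [fingerprint(PINNED_CERT)],
    "*.example.com": [fingerprint(PINNED_CERT)],
}

if __name__ == "__main__":
    for name, cert in [("www.example.com", PINNED_CERT),
                       ("www.example.com", OTHER_CERT),
                       ("notexample.com", OTHER_CERT)]:
        print(name, check(name, cert, PINS))
```

A "mismatch" result is the case where a certificate for a pinned domain chains to some other trusted CA, which is the situation the question asks to be warned about.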