Hello Kurt and others. This is something I'd like to see a very long answer from someone in charge of these things in Mozilla.

TIA,
Martin.

On Feb 22, 2010, at 23:25 , Kurt Seifried wrote:

> This does not mean that the certificate verification mechanics are at fault; it only means that the CA selection protocol has not been thought out properly: it limped along with a handful of CAs, it is showing the serious symptoms of the malaise with hundreds. In the meantime, does anybody here have any estimate of the number of CAs we expect to be around in the foreseeable future? And what was the number of CAs anticipated when the current anointment protocol was conceived?
>
> I think it's more subtle than that; some of the problems in brief:
>
> 1) Mozilla/Firefox either trusts a CA 100% or not at all.
> 2) Since I can't adjust trust or have Firefox warn me that I'm viewing a site using a certificate I don't completely trust, I can either remove the root certificate, and then encounter unknown certificates and deal with that, or I can manually look at EACH certificate I encounter and figure out who signed it and whether or not I trust them enough (I might trust a site that I simply read, but not to enter my credit card # for example).
> 3) It's very difficult even for technical users to find out who exactly signed a certificate. For example a certificate is signed by "valicert", who is that? (Tumbleweed bought Valicert and then Axway bought Tumbleweed; who the heck is Axway and what exactly do they do?). Or a certificate is signed by beTrust, who is that? (which joined up with Baltimore Cybertrust to form Cybertrust, and in turn Verizon purchased the whole thing.)
> 4) CAs are generally not restricted in whom they can issue certs to, i.e. governmental CAs (Turkey, Holland, Denmark, etc.) are not restricted to issuing certs within .tk, .nl, .dk for example (there are good arguments for and against this, but I think it should at least be discussed, and I'd love to see a bit more user control over this).
> 5) There is no way for an end user to really verify the CPS/CS stuff; most CAs seem to publish them online, quite a few are out of date by several years.
> 6) There appears to be no re-evaluation for CAs that are bought out or merge with other CAs.
> 7) There are several suspicious and questionable-looking CAs in Mozilla/Firefox, e.g.: Internet Publishing Services from Spain, they have 7 certificates, what possible need is there for 7 certificates?
> 8) The CA approval protocol appears to be largely fail-open: they submit paperwork showing they comply with certain standards/etc. at a certain time point and then there is a public comment period (where exactly?) and if no-one objects they are in.
> 9) There is no formal process to revoke certificates for a CA that violates the rules. Heck, there's no official set of rules for them to break (one signed malware code, one hundred signed malware codes? a provably weak domain authentication process that allows people to buy certificates for domains they don't own reliably, etc.).
> 10) I'm not even sure whom exactly to contact about these issues or to report security problems with respect to a CA doing bad things (so I've been lurking on the list for a bit and am now posting).
>
> I've also seen these topics raised in this forum, Bugzilla, etc. and nothing much come of them, which is what I expect to happen here sadly. One simple question I'd love to see answered: who exactly is in charge of this and what exactly do they do (it seems that certificate approval duty floats around between a few people).
>
> -Kurt

-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
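Points 3 and 4 of Kurt's list touch mechanics that X.509 already has tools for: the issuer path names who signed a certificate, and the name constraints extension (RFC 5280 section 4.2.1.10) lets a CA certificate be scoped to a DNS subtree such as .nl. The Python below is an added illustration for this thread, not code from Kurt, Martin, Mozilla or NSS. It models each CA as a constructed record carrying its dNSName permitted and excluded subtrees, walks a chain to report the issuers in order, and checks every leaf name against the constraints accumulated along the path. The CA names, domains and constraint values are all made up; a real check would read the NameConstraints extension (OID 2.5.29.30) out of each certificate in the chain instead of taking records as input.

```python
"""Model of X.509 dNSName name-constraint evaluation (RFC 5280 4.2.1.10)
over a chain of constructed CA records. Added example; not Mozilla/NSS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CaRecord:
    """A CA certificate reduced to the fields this check needs (constructed)."""
    subject: str
    issuer: str
    permitted: List[str] = field(default_factory=list)  # dNSName permittedSubtrees
    excluded: List[str] = field(default_factory=list)   # dNSName excludedSubtrees


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName rule: a name satisfies a constraint when it equals the
    constraint or is formed by prepending one or more labels to it."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().lstrip(".").rstrip(".")
    if not constraint:
        return True  # an empty constraint matches every DNS name
    return name == constraint or name.endswith("." + constraint)


def name_permitted_by(ca: CaRecord, name: str) -> bool:
    """Apply one CA's constraints: an excluded subtree always wins; if permitted
    subtrees are present, the name must fall inside at least one of them."""
    if any(dns_name_matches(name, c) for c in ca.excluded):
        return False
    if ca.permitted and not any(dns_name_matches(name, c) for c in ca.permitted):
        return False
    return True


def chain_is_linked(chain: List[CaRecord]) -> bool:
    """Each CA must be issued by the next one up; the last must be self-signed."""
    if not chain:
        return False
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False
    return chain[-1].issuer == chain[-1].subject


def evaluate_chain(leaf_dns_names: List[str], chain: List[CaRecord]) -> dict:
    """Walk the chain from the issuing CA up to the root. Constraints accumulate:
    every CA on the path must permit every leaf name. Returns the issuer path,
    which CA (if any) rejected each name, and an overall verdict."""
    rejected_by: Dict[str, Optional[str]] = {}
    for name in leaf_dns_names:
        blocker: Optional[str] = None
        for ca in chain:
            if not name_permitted_by(ca, name):
                blocker = ca.subject
                break
        rejected_by[name] = blocker
    linked = chain_is_linked(chain)
    return {
        "issuer_path": [ca.subject for ca in chain],
        "linked": linked,
        "rejected_by": rejected_by,
        "accepted": linked and all(v is None for v in rejected_by.values()),
    }


# Constructed chain: a hypothetical national CA scoped to .nl under an
# unconstrained root. Names are invented for the example.
NATIONAL_CA = CaRecord(
    subject="Example National CA (constructed)",
    issuer="Example Root CA (constructed)",
    permitted=["nl"],
    excluded=["test.example.nl"],
)
ROOT_CA = CaRecord(
    subject="Example Root CA (constructed)",
    issuer="Example Root CA (constructed)",
)
EXAMPLE_CHAIN = [NATIONAL_CA, ROOT_CA]


if __name__ == "__main__":
    # A leaf naming both an in-scope and an out-of-scope host: the out-of-scope
    # name is rejected by the constrained intermediate, so the chain fails.
    result = evaluate_chain(["www.example.nl", "www.example.com"], EXAMPLE_CHAIN)
    print("signed by:", " -> ".join(result["issuer_path"]))
    for name, blocker in result["rejected_by"].items():
        print(f"  {name}: {'ok' if blocker is None else 'rejected by ' + blocker}")
    print("accepted:", result["accepted"])
```

The printed issuer path is the answer to "who signed this?" that Kurt wanted surfaced, and the per-name verdicts show what a TLD-scoped CA would look like in practice: a constrained intermediate cannot make a certificate for a .com host validate even though the root above it is unconstrained, because constraints only ever narrow as the path is walked.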