Unsubscribe

On Wednesday, July 21, 2010, Anders Rundgren <anders.rundg...@telia.com> wrote:
> On 2010-07-21 16:26, Amax Guan wrote:
>> Thank you very much, it's very helpful. I put most of the replies inline.
>>
>> On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org> wrote:
>>
>> On 20/07/10 04:23, Amax Guan wrote:
>>
>> I've got a problem helping China Construction Bank (CCB for short) support Firefox. CCB has its own CA root, used to issue certificates to its users, and they issued some server certs using this cert.
>>
>> Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?
>>
>> I think basically it's because they have too many certs to issue (one for each user), it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA.
>
> Absolutely. It would be extremely inconvenient also.
>
>> Kai mentioned that it's OK to use an untrusted CA signed user certificate in Firefox to sign, but they are not only using this cert in signing, they also use the cert for two-way SSL, and they periodically renew the cert. But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.
>
> If that's really true I would call it a bug. I guess it is renewal that really is the problem? <keygen> doesn't support renewals.
>
> Few if any end-user bank certificates have their root in browsers.
>
>> The server cert I don't know why, but I guess maybe it's because they already have this CA system, they just want to save some money and time? I mean not every cert on their website is signed by themselves, they have VeriSign certificates on most of their webpages, but on some specific server, they use a cert issued by their own CA. The server using their own CA is in the certificate generation process; I wonder is it related to two-way SSL or something?
>>
>> And btw, every bank in China has its own CA system, to generate user certificates.
>
> Yes, and that is how it should be. SSL certificates are another (hopefully unrelated) topic.
>
> Anyway, Chinese banks will some day get a solution in Firefox that actually addresses consumers (rather than cryptographers), but it will take some time to get it out of the door:
>
> http://webpki.org/auth-token-4-the-cloud.html
>
> Since US banks and Government Agencies do not use certificates for consumers and citizens this is primarily a European/Asian issue and we cannot expect to get any support from Mozilla except maybe a "Good luck" or so :-)
>
> Regards
> Anders Rundgren
>
>> And they want to put their CA root certificate into Firefox, so that there will be no alert popup in the certificate generation process and no security alert when users access their website. And here come the questions.
>>
>> Can you be more specific about the errors that people who bank with CCB encounter in "the certificate generate process"?
>>
>> They use the keygen tag to generate the user certificate (they need to renew the certificate periodically), and the form is submitted to a cert page with contentType=x509/certificate or something like that. Firefox will automatically save the certificate to where its corresponding key is, and after that pop up an alert saying the cert was downloaded successfully. AND THEN, if the CA of the cert is untrusted, Firefox will pop up another alert talking about "Cannot import the certificate, the issuer of the cert is unknown, the cert is invalid or ...."
>>
>> 1. Right now, we are trying to use certutil.exe in their USB-Key driver installer to do that. However, one of my colleagues seems to have some problems building certutil.exe in Visual Studio 2005. And sometimes, it fails to run on some machines. I tried to find a stable version of that tool through Google, but I failed. Is there any stable version of certutil I can download, that will work on most versions of Windows? Or why is it so hard to build, is there some way to make it better?
>>
>> I don't know the answer to this particular question.
>>
>> Unlucky for me :( Because according to several emails I made yesterday, this way seems to be the most doable and effective way.
>>
>> 2. Since the certutil.exe solution did not go very well, we think maybe we could embed their CA cert in our Firefox China Edition. According to my knowledge, at least half of the population in China are CCB bank users, and not being able to access online banking is our major problem in China, so we think this makes sense. We can make an addon to do that, but it occurred to us that an addon is so open that anyone that knows where it is can change the cert, or do something else dangerous. So, is there a better way to put the cert in? Maybe through a binary XPCOM is better?
>>
>> The Mozilla project does not issue copies of Firefox that trust new CAs without those CAs going through the official process, as described below. Even when we do go through the process, people still object - see the CNNIC case. There is absolutely no chance of any official Firefox being released which trusts a cert belonging to another Chinese company, or any company, without it going through the trust checking process. Many of our users in China, as well as those elsewhere, would not like it.
>>
>> CCB may, of course, create their own addon to add the cert (assuming that's technically possible). But all their customers would need to install it individually. It is no more or less dangerous to use an addon than any other method.
>>
>> What is the current procedure for people who bank with CCB who use IE, Safari or Chrome? Do those browsers trust the CCB certificate?
>>
>> CCB only works in IE right now, and online banking sure is our top priority in China now. In IE, there is a concept of trust zone, and in their installer, they put themselves in the trust zone, and put their CA cert in the Windows cert DB through CSP.
>> Btw: They are talking with MS to put their CA root in Windows.
>>
>> 3. Is it possible to put the bank's CA cert in Firefox's default cert DB? So that we don't need to worry about security problems...
>>
>> It is certainly possible. There is a process for this: https://wiki.mozilla.org/CA:How_to_apply
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
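As an added example (not from the thread, and not Mozilla's or CCB's code), here is the certutil workflow the first question asks about: importing a CA root into an NSS database of the kind Firefox keeps in its profile and confirming the trust flags it ends up with. It assumes NSS's certutil is on PATH; the root is constructed in a scratch DB purely for the demo, and the "profile" DB stands in for a real Firefox profile directory (the one containing cert9.db).

```shell
#!/bin/sh
# Added example: add a CA root to an NSS cert DB with certutil and read back
# the trust flags Firefox would see. Assumes certutil (NSS) is on PATH.
set -eu

WORK=$(mktemp -d)
CA_DB="$WORK/ca"           # scratch DB that plays the role of the bank's CA
PROFILE_DB="$WORK/profile" # stands in for a Firefox profile (sql: format)

# Create an empty NSS DB and a self-signed root inside it (constructed data).
make_constructed_root() {
    mkdir -p "$CA_DB"
    certutil -N -d "sql:$CA_DB" --empty-password
    head -c 256 /dev/urandom > "$WORK/noise"
    certutil -S -d "sql:$CA_DB" -n "constructed-root" \
        -s "CN=Constructed Test Root" -x -t "C,," \
        -k rsa -g 2048 -v 12 -z "$WORK/noise" >/dev/null
    # Export as PEM, the form a bank would hand out for import.
    certutil -L -d "sql:$CA_DB" -n "constructed-root" -a > "$WORK/root.pem"
}

# add_root_to_profile DB PEM NICKNAME: import a root trusted for SSL only.
# "C,," = trusted CA for SSL, nothing for S/MIME or code signing, which is the
# narrowest flag set that makes server certs issued under it chain cleanly.
add_root_to_profile() {
    mkdir -p "$1"
    [ -f "$1/cert9.db" ] || certutil -N -d "sql:$1" --empty-password
    certutil -A -d "sql:$1" -n "$3" -t "C,," -i "$2"
}

# trust_flags DB NICKNAME: print the trust column certutil reports for NICKNAME.
trust_flags() {
    certutil -L -d "sql:$1" | grep -F "$2" | awk '{print $NF}'
}

# Usage: build the constructed root, import it, and check what the profile sees.
demo() {
    make_constructed_root
    add_root_to_profile "$PROFILE_DB" "$WORK/root.pem" "Bank Root (example)"
    trust_flags "$PROFILE_DB" "Bank Root (example)"
}
```

Granting `C,C,C` instead would also trust the root for S/MIME and code signing, which a bank root has no need for; keeping the flags to `C,,` limits what a compromise of that CA could be used for in the browser.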