oops199 wrote:
> The generality to which I refer "push" is a basic philosophy that seems
> to pervade an awful lot, if not all, of the net today.  Specifically, by not
> making the installed certs both more evident to the user and by not
> making them fully removable by users, FF is "doing what is best" for
> "the users" or for site publishers?

This is a debate that's been going on for a while re computer security: To what extent should you actively involve the user in security-related decisions, vs. in essence making the decision for them. I don't think there's necessarily a right or wrong answer, because it depends both on the user and the context.

One major issue (as Nelson Bolyard noted) is that presenting users with a lot of dialogs and decisions ("Accept this cert? Yes or no?") runs the risk of training people to just click "OK" on everything that gets in the way of whatever they're trying to do (or at least, what they think they're trying to do -- because they may have been misled by an attacker).

> Perhaps today our browsers just
> may be trying to do too much and do not allow the user to effectively
> block "unneeded" frills.  A summary on that would be that most of us
> block all Flash and view sites that rely on Flash as both security
> risks (5 Flash vulns in the last 6 months) and unnecessary marketing hype.

Based on your use of the term "most of us", I think here you're assuming that what you and others like you do (or want to do) is automatically typical of the broader population of browser users. I don't think most people block Flash; heck, even I don't block Flash, and I'm squarely in the "power user" category when it comes to security.

So just because you and others like you want to exercise individual judgment on each and every preloaded CA doesn't in and of itself mean that the majority of Internet users would want to do so.

> Regarding the cert problems:  The answer to your "which one" question is
> "yes, both".  As for specific examples, I do not track that and have
> no desire to do so.  As a somewhat tech user, I expect experts to do
> that and I would refer you to at least three entries in the SANS diary
> over the last 6 months on failures to revoke known fraud certs (both
> Thawte and Verisign I believe), failure to verify the cert applicant
> before issuing a cert, and as pointed out above one of the root certs
> has apparently expired.

I looked at the SANS site and didn't see any references to anything like this, with the exception of the 2001 incident in which Verisign issued a code signing cert to someone falsely claiming to be a Microsoft representative. Some pointers (from anyone) would be welcome.

However note that this sort of thing is a judgment call, for various reasons: Is a problem reported for a particular CA an isolated incident, or does it indicate a systemic problem with the CA? Also, what's the benefit of removing or disabling a particular CA's root certs vs. the impact on users and sites of doing so? It's an unfortunate fact of life that in practice it is much less disruptive to remove a root CA cert for a small CA than for a CA with significant market share, so in theory a large CA could probably "get away with more" than a small CA in terms of sloppy practices, secure in the knowledge that it was "too big to disable". (I might add that this situation is not helped by the trend of consolidation in the CA industry.)

I think that actually removing CA certs is like the "atomic bomb" of browser security: a good threat to have but one you'd want to think very carefully before using due to the inevitable fallout. In practice I think browser suppliers, including us, will focus more on getting CAs to revoke bad certificates quickly and on improving browser support for doing certificate revocation checking by default "out of the box" (e.g., automatically querying OCSP responders for those CAs providing them).

(There's been work in Firefox and other Mozilla products relating to this topic, but I'll leave this to the developers to address, because I don't recall the exact current state of this work.)

> So are you saying that FF has fully proofed
> the root certs?  If not, then the following of a procedure did not
> seem to have eliminated questionably operated root certs.

I'm not sure what you mean by "fully proofed". For new CA certs (i.e., added since the Mozilla Foundation was formed and since we had the new CA certificate policy) we went through the procedures discussed in the CA policy and evidenced in the Bugzilla records. For "legacy" CA certs (i.e., inherited from the AOL/Netscape regime) we haven't yet gone through and subjected them to the same process. Instead we're adopting a "management by exception" policy where we'll look at a particular CA if someone reports a potential problem with it.

> sleepy & tired

Go to bed and enjoy your rest :-)

Frank

--
Frank Hecker
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
