On 20/07/10 04:23, Amax Guan wrote:
     I've got a problem helping China Construction Bank (CCB for short)
support Firefox. CCB has its own CA root, used to issue certificates to
its users, and they issued some server certs using this cert.

Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?

And they
want to put their CA Root certificate into Firefox, so that there will
be no alert popup in the certificate generate process and no security
alert when users access their website. And here come the questions

Can you be more specific about the errors that people who bank with CCB encounter in "the certificate generate process"?

     1. Right now, we are trying to use certutil.exe in their USB-Key
driver installer to do that. However, one of my colleagues seems to have
some problems building certutil.exe in Visual Studio 2005. And
sometimes, it fails to run on some machines. I tried to find a stable
version of that tool through Google, but I failed. Is there any stable
version of certutil I can download that will work on most versions of
Windows? Or why is it so hard to build, is there some way to make it better?

I don't know the answer to this particular question.

     2. Since the certutil.exe solution did not go very well, we think
maybe we could embed their CA cert in our Firefox China Edition.
According to my knowledge, at least half of the population in China are
CCB bank users, and not being able to access the online bank is our major problem in
China, so we think this makes sense. We can make an addon to do that, but
it occurred to us that an addon is so open that anyone who knows where
it is can change the cert, or do something else dangerous. So, is there
a better way to put the cert in? Maybe through a binary XPCOM is better?

The Mozilla project does not issue copies of Firefox that trust new CAs without those CAs going through the official process, as described below. Even when we do go through the process, people still object - see the CNNIC case. There is absolutely no chance of any official Firefox being released which trusts a cert belonging to another Chinese company, or any company, without it going through the trust checking process. Many of our users in China, as well as those elsewhere, would not like it.

CCB may, of course, create their own addon to add the cert (assuming that's technically possible). But all their customers would need to install it individually. It is no more or less dangerous to use an addon than any other method.

What is the current procedure for people who bank with CCB who use IE, Safari or Chrome? Do those browsers trust the CCB certificate?

     3. Is it possible to put the bank's CA cert in Firefox's default
cert db? So that we don't need to worry about security problems...

It is certainly possible. There is a process for this:
https://wiki.mozilla.org/CA:How_to_apply
However, it can take many months.

I hope that's helpful :-)

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
