On 20/07/10 04:23, Amax Guan wrote:
> I've got a problem helping China Construction Bank (CCB for short) support Firefox. CCB has its own CA root, used to issue certificates to its users, and they issued some server certs using this cert.

Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?

> And they want to put their CA Root certificate into Firefox, so that there will be no alert popup in the certificate generate process and no security alert when users access their website. And here come the questions:

Can you be more specific about the errors that people who bank with CCB encounter in "the certificate generate process"?

> 1. Right now, we are trying to use certutil.exe in their USB-Key driver installer to do that. However, one of my colleagues seems to have some problems building certutil.exe in Visual Studio 2005. And sometimes it fails to run on some machines. I tried to find a stable version of that tool through Google, but I failed. Is there any stable version of certutil I can download that will work on most versions of Windows? Or why is it so hard to build; is there some way to make it better?

I don't know the answer to this particular question.

> 2. Since the certutil.exe solution did not go very well, we think maybe we could embed their CA cert in our Firefox China Edition. According to my knowledge, at least half of the population in China are CCB bank users, and not being able to access online banking is our major problem in China, so we think this makes sense. We can make an addon to do that, but it occurred to us that an addon is so open that anyone who knows where it is can change the cert, or do something else dangerous. So, is there a better way to put the cert in? Maybe doing it through binary XPCOM is better?

The Mozilla project does not issue copies of Firefox that trust new CAs without those CAs going through the official process, as described below. Even when we do go through the process, people still object - see the CNNIC case. There is absolutely no chance of any official Firefox being released which trusts a cert belonging to another Chinese company, or any company, without it going through the trust checking process. Many of our users in China, as well as those elsewhere, would not like it.

CCB may, of course, create their own addon to add the cert (assuming that's technically possible). But all their customers would need to install it individually. It is no more or less dangerous to use an addon than any other method.

What is the current procedure for people who bank with CCB who use IE, Safari or Chrome? Do those browsers trust the CCB certificate?

> 3. Is it possible to put the bank's CA cert in Firefox's default cert db? So that we don't need to worry about security problems...

It is certainly possible. There is a process for this: https://wiki.mozilla.org/CA:How_to_apply However, it can take many months.

I hope that's helpful :-)

Gerv

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto