Re: Proposed MF certificate policy and FAQ

2004-02-21 Thread Nelson B
Ian Grigg wrote: Julien Pierre wrote: Duane wrote: Surely any form of encryption is better than in the clear? Only if you are encrypting to the correct party, and not to a thief. This is why we have CAs and trust. That's too big a jump. It's quite hard for a thief to jump in the middle and

Re: Proposed MF certificate policy and FAQ

2004-02-21 Thread Ian Grigg
Nelson B wrote: ... Not really. Without the authentication, any proxy, including the so-called transparent proxies, could decrypt all traffic in both directions without the end parties detecting it. So, we are saying here that, because there is a small threat of an active/compromised node

Re: Proposed MF certificate policy and FAQ

2004-02-20 Thread Ian Grigg
Julien Pierre wrote: Well, now you have heard one. What do you want me to do to prove it, give you the person's name, e-mail and phone number, the name of the university ? I do have that info, but I don't believe she would want me to share it. Of course. The 1st issue here is whether

Re: Proposed MF certificate policy and FAQ

2004-02-19 Thread Jean-Marc Desperrier
Julien Pierre wrote: [...] I guess I am the only one in the world who has that option turned on, the dialog does come up for every one of my google search and other posts. And I know to watch for it when I submit sensitive data. It has come up on a few occasions. In Mozilla, the dialog is on by

Re: Proposed MF certificate policy and FAQ

2004-02-19 Thread Duane
Jean-Marc Desperrier wrote: Maybe the trick would be instead to use a visual warning the form is unsafe, it would be a lot easier to make sure this warning can not be removed by dynamic html. Make things too annoying and web masters will promote another product and users will do likewise.

Re: Proposed MF certificate policy and FAQ

2004-02-19 Thread Jean-Marc Desperrier
Julien Pierre wrote: Jean-Marc Desperrier wrote: You mean a bank *operating* in France, Julien ? If that's so, that's a disgusting thing to do. You can call any consumers' association and denounce that. If your bank really did that, they lied and cheated you. Yes they did ... Maybe *this* is where

Re: Proposed MF certificate policy and FAQ

2004-02-19 Thread Julien Pierre
Jean-Marc Desperrier wrote: Julien Pierre wrote: [...] I guess I am the only one in the world who has that option turned on, the dialog does come up for every one of my google search and other posts. And I know to watch for it when I submit sensitive data. It has come up on a few occasions.

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Julien Pierre
Jean-Marc Desperrier wrote: You mean a bank *operating* in France, Julien ? If that's so, that's a disgusting thing to do. You can call any consumers' association and denounce that. If your bank really did that, they lied and cheated you. Yes they did ... The French law is very clear. You can

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Julien Pierre
Ian Grigg wrote: I also know someone in the US who lost her credit card number over a connection. She did a non-SSL transactions (with a business that didn't have a cert) on a university network. I'd be interested in establishing that - this is the first time I've ever heard anyone claim

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Julien Pierre
Ian, Ian Grigg wrote: The point in auditing the CAs is that it's better than not auditing the CAs at all. It's not an absolute. There is no point in auditing the CAs if it achieves little or nothing, in terms of security, and costs money. True, but I lost you after the if. I think the

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Julien Pierre
Duane wrote: Julien Pierre wrote: I don't need to tell you how vulnerable that is to snooping by all the ISPs and relays, or any thief in between. I don't have any stats on it, but I bet it's a significant cause of fraud. I rate this about the same as companies that get credit card

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Duane
Julien Pierre wrote: Only if you are encrypting to the correct party, and not to a thief. This is why we have CAs and trust. Ian made a point of this about a Gold company using a self signed certificate and not having a problem. At this current point in time if I were a thief, there are

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Julien Pierre
Duane wrote: Julien Pierre wrote: Only if you are encrypting to the correct party, and not to a thief. This is why we have CAs and trust. Ian made a point of this about a Gold company using a self signed certificate and not having a problem. At this current point in time if I were a thief,

Re: Proposed MF certificate policy and FAQ

2004-02-18 Thread Duane
Julien Pierre wrote: Perhaps we should have another dialog explaining to the user in plain English but with more detail what they are really doing by disabling this option, with a second confirmation dialog. It should stay enabled. While you're at it explain to them in plain English what self

Re: Proposed MF certificate policy and FAQ

2004-02-17 Thread Jean-Marc Desperrier
Julien Pierre wrote: No, I know from experience that if you have a bogus transaction on your card in France, it's up to you to prove it, and the bank will not automatically reverse it. You have to file police reports and so on. It's very painful. I know several other people to whom it happened

Re: Proposed MF certificate policy and FAQ

2004-02-17 Thread Ian Grigg
Jean-Marc Desperrier wrote: I also know someone in the US who lost her credit card number over a connection. She did a non-SSL transactions (with a business that didn't have a cert) on a university network. I'd be interested in establishing that - this is the first time I've ever heard

Re: Proposed MF certificate policy and FAQ

2004-02-16 Thread Julien Pierre
Duane, Duane wrote: Those banking/fund protections may apply in some cases in the USA, but they certainly don't always in other countries. If someone steals your credit card number in France, you may still be liable. So SSL security plays a much more important role than you think. I know this

Re: Proposed MF certificate policy and FAQ

2004-02-16 Thread Julien Pierre
Ian, Ian Grigg wrote: So SSL security plays a much more important role than you think. I know this from experience. You have experience of someone stealing your credit card over a connection? That's something I'd like to hear about. It would be very useful to apply some statistics to the

Re: Proposed MF certificate policy and FAQ

2004-02-16 Thread Duane
Julien Pierre wrote: If that's his point, then I completely disagree with it. Just because every other part of Mozilla does security reviews wrong (or not at all) doesn't mean we also should do the same for the NSS and other security components of Mozilla. The point is, if you set this bar too

Re: Proposed MF certificate policy and FAQ

2004-02-16 Thread Ian Grigg
Julien Pierre wrote: Security is after all about the weakest link, what point is there auditing CAs if you don't audit the hosts interacting with financial information after you send it over the net? The point in auditing the CAs is that it's better than not auditing the CAs at all. It's

Re: Proposed MF certificate policy and FAQ

2004-02-14 Thread Duane
Duane wrote: Call it a network audit then, obviously automated processes don't care if they scan 1 host or 50... However most smaller websites, the kind that don't get patched and subsequently get infected with worms and chew all the bandwidth on the internet, are usually on the same server as

Re: Proposed MF certificate policy and FAQ

2004-02-14 Thread Ian Grigg
Duane wrote: Frankly I'd be more worried about domain hijacking, how many large ISPs have the ability to point bankingsite.com to another location if their DNS server was compromised, furthermore how many end users would notice the lock was missing as they entered their banking details into

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Jean-Marc Desperrier
Duane wrote: [...] when in reality all that needs to happen is the CRL/OCSP remain in operation, which in the event of a CA going bust [...] Good CA pay an insurance to cover that case. If they go bust, their insurance pays someone to insure that minimal service. Normally if your bank goes

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
Jean-Marc Desperrier wrote: It should be possible to find a solution that way, where these people would just have to be able to do some basic maintenance, *not* correct bugs, and would not pay any hosting charge. We're actually going forwards in terms of money, as income from

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Ian Grigg
David Ross wrote: The purpose of third-party audits is to provide evidence that the CA's practices include some defined level of care when using the CA certificate to sign a Web server certificate. For the average person, this is fairly meaningless. It's akin to trust me, we have auditors.

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
David Ross wrote: We are talking about MONEY and PRIVACY. How much risk are you willing to take with these? I'm inclined to agree with Ian here, while you're being distracted by flashy audits how many of those online shopping carts with a commercially issued certificate have their MS SQL

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Scott Rea
If a CA goes out of business, they should revoke any CA certificates and all End Entity certificates that they issued. When the infrastructure providing protection for the CA's private keys can no longer be guaranteed, then the integrity of the CA is called into question and it should be

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Scott Rea
If a CA goes out of business, they should revoke any CA certificates and all End Entity certificates that they issued. When the infrastructure providing protection for the CA's private keys can no longer be guaranteed, then the integrity of the CA is called into question and it should be

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Scott Rea
Duane wrote: Scott Rea wrote: When a CA issues an SSL certificate, generally all they are asserting is that the public key in the cert relates to a private key owned by the subject and was requested by an individual authorized on behalf of the company responsible for the domain of the

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
Scott Rea wrote: I totally agree with what you are saying - and maybe there is a business opportunity in there a CA could issue 2 types of SSL certs - 1) based around the current model that simply asserts the identity of the server; 2) that additionally asserts that the company has passed

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
Scott Rea wrote: should be revoked. Before decommissioning the CA, it should issue one last CRL with a validity period past the last expiry date of any End Entity certificate it has issued that includes all the remaining End Entity certs that it has issued with a reason of cessationOfOperation

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Nelson B
Please don't post messages more than once to this newsgroup. If you post, and don't see it appear right away, please wait at least 5 minutes, and do whatever is necessary to get your newsreader to update its message headers from the server before posting again. Thanks. -- Nelson B

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread David Ross
Duane wrote: We are talking about MONEY and PRIVACY. How much risk are you willing to take with these? So I take it you remove a lot of certificates from your copy of Mozilla then? I have disabled all CA certificates on my PC except those of the three CAs vetted by the California

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread David Ross
Scott Rea wrote: When a CA issues an SSL certificate, generally all they are asserting is that the public key in the cert relates to a private key owned by the subject and was requested by an individual authorized on behalf of the company responsible for the domain of the subject. That is

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Julien Pierre
Ian, Ian Grigg wrote: While you were worried about some mythical man in the middle sneaking in and stealing your password for no good purpose (the bank/fund would be covered against that in general), you were probably being robbed blind by your mutual fund. Those banking/fund protections may

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Julien Pierre
David Ross wrote: Duane wrote: We are talking about MONEY and PRIVACY. How much risk are you willing to take with these? So I take it you remove a lot of certificates from your copy of Mozilla then? I have disabled all CA certificates on my PC except those of the three CAs vetted by the

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
David Ross wrote: Actually, I don't expect anything beyond that. If you read the actual WebTrust Program for Certification Authorities, you will see that an accredited CA verifies that the purchaser is who he says he is and that the CA signing key is kept secure to avoid issuing unauthorized or

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
Julien Pierre wrote: Those banking/fund protections may apply in some cases in the USA, but they certainly don't always in other countries. If someone steals your credit card number in France, you may still be liable. So SSL security plays a much more important role than you think. I know this

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Ian Grigg
Julien Pierre wrote: So SSL security plays a much more important role than you think. I know this from experience. You have experience of someone stealing your credit card over a connection? That's something I'd like to hear about. It would be very useful to apply some statistics to the

Re: Proposed MF certificate policy and FAQ

2004-02-13 Thread Duane
Ian Grigg wrote: No crook in his right mind or even his wrong mind would do an MITM. It just isn't a practical attack. That applies as much to open, cleartext connections as to SSL connections. So, what's the threat here? The threat I think everyone is complaining about is the fact CAs might

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Nelson Bolyard
John Gardiner Myers wrote: In the Exactly what information section, I don't entirely agree with the continuity of CA operations requirement. While continuity requirements for any CRL and/or OCSP service might make sense, there is no risk to mozilla users if a listed CA fails to continue

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Nelson Bolyard
Frank Hecker wrote: David Ross wrote: #3: I indicate that a CA that fails an audit or loses accreditation should have its certificates removed and the removal should be publicized. Mozilla users should not rely on a deficient CA. Note that in practice this will be problematic, since AFAIK

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Ian Grigg
John Gardiner Myers wrote: Ian Grigg wrote: David Ross wrote: Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it purports to be (This is not clear at

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Duane
I agree with that last sentence. Continuity of operations is primarily to keep revocation going. If revocation stops, rightful private key holders are thereafter unprotected from damages due to compromised keys. Would it make sense for MF to have some assurance by the CA that the CRL would be

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Scott Rea
Folks, The uniting of the business assertion with the cryptographic assertion is accomplished via 2 step process: 1. The statement from the CA on how the cryptographic assertion is made - what checks and balances, identification and authentication mechanisms are employed to assure that the

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Jean-Marc Desperrier
Scott Rea wrote: I seem to have read somewhere recently that Microsoft was considering requiring CAs to pass the WebTrust audit before they would allow their certs to be embedded in their browser - anyone confirm that? Were you sleeping the last two/three years, or more ? :-) It must be since

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Nelson Bolyard
Frank Hecker wrote: Nelson Bolyard wrote: The built-in list of CAs, and the built-in list of trust info is no longer stored in the cert DB. It's in a shared library that gets replaced when a new (or old) version of mozilla is installed. [snip] If users CHANGE the trust settings on a root CA, or

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Nelson Bolyard
Duane wrote: I agree with that last sentence. Continuity of operations is primarily to keep revocation going. If revocation stops, rightful private key holders are thereafter unprotected from damages due to compromised keys. Would it make sense for MF to have some assurance by the CA that the

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Nelson Bolyard
John Gardiner Myers wrote: Ian Grigg wrote: David Ross wrote: Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it purports to be (This is not clear at all.

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread Duane
Nelson Bolyard wrote: Rather than for a minimum of 12 months, I would say until the last issued EE cert expires. Then, yes, I think that makes sense. This would have to be a policy decision for MF I think, and if you were to require this I also think that the MF would need to decide on a term

Re: Proposed MF certificate policy and FAQ

2004-02-12 Thread David Ross
Nelson Bolyard wrote: John Gardiner Myers wrote: Ian Grigg wrote: David Ross wrote: Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread John Gardiner Myers
I definitely agree with benefits and risks being the key factor to the policy. 4.1 is merely a corollary of the benefits requirement. 4.2 is only necessary to evaluate the risks requirement. 4.3 should add a requirement that the data be compatibly licensed. I do believe we need more details

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Julien Pierre
Frank, I think you have just opened a big can of worms with this Certificate policy. - It should be called a Mozilla Certificate authority policy, not Certificate policy. I don't think there is any plan to include any non-CA certificates. - I think the term default certificate database is

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Duane
- I am not a lawyer, but I really think you are underestimating the liability issues for the foundation if it chooses to select certificates. Has the Mozilla Foundation hired a lawyer to look at the issue to make a determination of the liability risks the security policy exposes the Foundation

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Ian Grigg
Even if MF relies on a 3rd party what's to absolve them of all responsibility, after all they still included the certificate regardless of any 3rd party saying it was ok, Ignoring the semantics of any particular legal threat, it may be worth considering creating a single corporation,

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Frank Hecker
Julien Pierre wrote: Frank, I think you have just opened a big can of worms with this Certificate policy. - It should be called a Mozilla Certificate authority policy, not Certificate policy. I don't think there is any plan to include any non-CA certificates. I originally called it the

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread David Ross
Frank Hecker wrote [in part]: As noted in prior discussions, the Mozilla Foundation and mozilla.org staff are considering adopting a formal policy regarding selection of new CA certificates for inclusion in the default certificate database distributed with Mozilla, Firefox, Thunderbird, etc.

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Ian Grigg
David Ross wrote: The first question that must be answered is: Why continue developing Mozilla? I would hope the answer does NOT revolve around an exercise in computer science but instead reflects a desire to create a high-quality software application for personal and commercial use -- an

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Julien Pierre
Frank Hecker wrote: Julien Pierre wrote: - It should be called a Mozilla Certificate authority policy, not Certificate policy. I don't think there is any plan to include any non-CA certificates. I originally called it the Mozilla CA Certificate Policy, but changed it just to have a shorter

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Duane
My take on this is, the policy should be carefully examined before it is decided, it's not something to do in a hurry just because there are a couple CAs that are shouting that they want to be included right away. It may well be that the right policy requires some work to actually implement. I

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread David Ross
Duane wrote: I couldn't find the reference off hand in your postings Frank but a thought occurred to me that rather than removing CAs immediately, make a small code change to reject any certificates issued by a CA after a certain date if they were found to be in breach of any policies, MF or

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread Duane
We are talking about MONEY and PRIVACY. How much risk are you willing to take with these? So I take it you remove a lot of certificates from your copy of Mozilla then?

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread John Gardiner Myers
David Ross wrote: After reviewing the discussion in this thread (and other threads), I must conclude that the whole approach to developing a policy is flawed. A policy should represent specifics based on a more general philosophy, but I don't think the philosophy itself is clear in this case.

Re: Proposed MF certificate policy and FAQ

2004-02-11 Thread John Gardiner Myers
Ian Grigg wrote: David Ross wrote: Clearly (at least to me), the answer is: The primary and most important use of a CA certificate is to provide the Mozilla user with assurance that (1) a critical Web site is indeed what it purports to be (This is not clear at all. I think it rests on a number

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread David Ross
I have not yet read the policy or FAQ, which I will do soon. However, I thought you might be interested in how the state of California approves certificate authorities under its Government Code Section 16.5. This code section deals with digital signatures on documents that require signatures

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread David Ross
Frank Hecker wrote [in part]: As noted in prior discussions, the Mozilla Foundation and mozilla.org staff are considering adopting a formal policy regarding selection of new CA certificates for inclusion in the default certificate database distributed with Mozilla, Firefox, Thunderbird, etc.

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread Ian Grigg
Frank, I think the Policy is good, except for one comment on the Risk, which I've responded more towards the FAQ entry, here: http://www.hecker.org/mozilla/certificate-faq/policy-details/ In particular, we will evaluate whether or not a CA operates in a manner likely to cause undue risk for

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread Frank Hecker
Frank Hecker wrote: What about the probability of loss? Insurance makes most sense when the probability of low is relatively low Of course what Frank Hecker meant was the probability of loss :-) Frank -- Frank Hecker hecker.org ___ mozilla-crypto

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread Frank Hecker
David Ross wrote: My comments on the policy are in the PDF file at http://www.rossde.com/Mozilla_certs/Policy.pdf. Thanks for your comments. I especially appreciate your taking the time to create suggested revisions. #3: I indicate that a CA that fails an audit or loses accreditation should

Re: Proposed MF certificate policy and FAQ

2004-02-10 Thread Frank Hecker
Ian Grigg wrote: Risk is a very tricky thing to assess. Firstly, risk cannot be assessed without proper attention to the value at risk, and the threats against that value. See my response to David Ross for related comments. A better way may be to reflect those risk assessments back to those that