Thank you very much, it's very helpful. I put most of the replies inline.

On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org> wrote:

> On 20/07/10 04:23, Amax Guan wrote:
>
>>     I've got a problem helping China Construction Bank (CCB for short)
>> support Firefox. CCB has its own CA root, used to issue certificates to
>> its users, and they issued some server certs using this cert.
>>
>
> Do you know why they cannot buy a cert from a trusted CA, like every other
> business (including most banks)?
>

I think basically it's because they have too many certs to issue (one for
each user); it costs too much money, and they do not want anyone else to know
how many users they have, or their names, including the CA. Kai mentioned
that it's OK to use an untrusted-CA-signed user certificate in Firefox to
sign, but they are not only using this cert for signing, they also use the
cert for two-way SSL, and they periodically renew the cert. But if you
generate a user certificate that's issued by an untrusted CA, there will be
an alert popup.

The server cert I don't know why, but I guess maybe it's because they
already have this CA system and they just want to save some money and time? I
mean not every cert on their website is signed by themselves; they have
VeriSign certificates on most of their webpages, but on some specific
servers they use certs issued by their own CA. The server using their own CA
is in the certificate generation process; I wonder if it is related to two-way
SSL or something?

And btw, every bank in China has its own CA system to generate user
certificates.


>  And they
>> want to put their CA root certificate into Firefox, so that there will
>> be no alert popup in the certificate generation process and no security
>> alert when users access their website. And here come the questions
>>
>
> Can you be more specific about the errors that people who bank with CCB
> encounter in "the certificate generate process"?
>

They use the keygen tag to generate the user certificate (they need to renew the
certificate periodically), and the form is submitted to a cert page with
contentType=x509/certificate or something like that. Firefox will
automatically save the certificate to where its corresponding key is, and
after that pop up an alert saying the cert was downloaded successfully. AND
THEN, if the CA of the cert is untrusted, Firefox will pop up another alert
saying "Cannot import the certificate, the issuer of the cert is
unknown, the cert is invalid or ...."


>      1. Right now, we are trying to use certutil.exe in their USB-Key
>> driver installer to do that. However, one of my colleagues seems to have
>> some problem building certutil.exe in Visual Studio 2005. And
>> sometimes, it fails to run on some machines. I tried to find a stable
>> version of that tool through Google, but I failed. Is there any stable
>> version of certutil I can download that will work on most versions of
>> Windows? Or why is it so hard to build? Is there some way to make it
>> better?
>>
>
> I don't know the answer to this particular question.


Unlucky for me :( Because according to several emails I sent yesterday,
this way seems to be the most doable and effective way.


>
>      2. Since the certutil.exe solution did not go very well, we think
>> maybe we could embed their CA cert in our Firefox China Edition.
>> According to my knowledge, at least half of the population in China are
>> CCB bank users, and not being able to access online banking is our major
>> problem in China, so we think this makes sense. We can make an addon to do
>> that, but it occurred to us that an addon is so open that anyone who knows
>> where it is can change the cert, or do something else dangerous. So, is there
>> a better way to put the cert in? Maybe through a binary XPCOM is better?
>>
>
> The Mozilla project does not issue copies of Firefox that trust new CAs
> without those CAs going through the official process, as described below.
> Even when we do go through the process, people still object - see the CNNIC
> case. There is absolutely no chance of any official Firefox being released
> which trusts a cert belonging to another Chinese company, or any company,
> without it going through the trust checking process. Many of our users in
> China, as well as those elsewhere, would not like it.
>
> CCB may, of course, create their own addon to add the cert (assuming that's
> technically possible). But all their customers would need to install it
> individually. It is no more or less dangerous to use an addon than any other
> method.
>
> What is the current procedure for people who bank with CCB who use IE,
> Safari or Chrome? Do those browsers trust the CCB certificate?
>

CCB only works in IE right now, and online banking sure is our top
priority in China now. In IE, there is a concept of a trust zone, and in their
installer, they put themselves in the trust zone and put their CA cert in
the Windows cert DB through a CSP.
Btw: they are talking with MS to put their CA root in Windows.

>
>      3. Is it possible to put the bank's CA cert in Firefox's default
>> cert DB? So that we don't need to worry about security problems...
>>
>
> It is certainly possible. There is a process for this:
> https://wiki.mozilla.org/CA:How_to_apply
> However, it can take many months.
>

Got it.


> I hope that's helpful :-)
>

It sure is, thank you very much for your help.


> Gerv
>
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
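The CA-import step the thread keeps returning to (certutil in the USB-Key installer, question 1), as an added example that is not from this thread, from CCB or from Mozilla: a POSIX shell wrapper around NSS certutil that imports a CA root into a Firefox profile's cert DB with the narrowest trust that removes the "issuer unknown" error, then checks the import. The profile path, the PEM file name and the nickname are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Imports a CA root into a Firefox
# profile's NSS certificate DB with NSS certutil and verifies it landed.

# Print the certutil -d argument for a profile directory. cert9.db means the
# sqlite store ("sql:" prefix, NSS 3.12+); cert8.db means the legacy dbm
# store ("dbm:"). Returns 1 if the directory holds neither.
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        return 1
    fi
}

# Usage: add_ca_to_profile PROFILE_DIR CA_PEM NICKNAME
# Returns 0 on import+verify, 2 on bad input, 3 if certutil is missing,
# 4 if certutil itself failed.
add_ca_to_profile() {
    profile=$1; pem=$2; nick=$3
    db=$(nss_db_prefix "$profile") \
        || { echo "no cert8.db/cert9.db in $profile" >&2; return 2; }
    # Refuse anything that is not a PEM certificate (a key file by mistake,
    # a PKCS#12 bundle, an empty download).
    grep -q 'BEGIN CERTIFICATE' "$pem" 2>/dev/null \
        || { echo "$pem is not a PEM certificate" >&2; return 2; }
    # Note: Windows ships its own unrelated certutil.exe (CryptoAPI); make
    # sure the NSS one is first on PATH before relying on this lookup.
    command -v certutil >/dev/null 2>&1 \
        || { echo "NSS certutil not found" >&2; return 3; }
    # Trust flags "C,,": trust this CA to identify web servers only, with no
    # email or object-signing trust. That is the least trust that stops the
    # TLS "issuer unknown" error, so a compromise of this CA cannot be used
    # to sign mail or software the profile would accept.
    certutil -A -d "$db" -n "$nick" -t "C,," -i "$pem" || return 4
    # Verify: the nickname must now be listed in the DB.
    certutil -L -d "$db" -n "$nick" >/dev/null 2>&1 || return 4
}

# Example invocation (placeholder paths):
# add_ca_to_profile "$HOME/.mozilla/firefox/xxxx.default" ccb-root.pem "CCB Root CA"
```

Run it against a copy of the profile first; certutil -L without -n lists every nickname with its trust flags, which is the quickest way to audit what a profile already trusts.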