Hi Anders
Thanks for your information. Do you know where I can download a windows
binary of certutil.exe?
On Wed, Jul 21, 2010 at 11:32 PM, Anders Rundgren <anders.rundg...@telia.com
> wrote:
> On 2010-07-21 16:26, Amax Guan wrote:
> > Thank you very much, it's very helpful. I put most of the replies inline.
> >
> >
> > On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org<mailto:
> g...@mozilla.org>> wrote:
> >
> > On 20/07/10 04:23, Amax Guan wrote:
> >
> > I've got a problem help China Construction Bank(CCB for
> short)
> > support Firefox. CCB has its own CA root, used to issue
> certificate to
> > his users, and they issued some server cert using this cert.
> >
> >
> > Do you know why they cannot buy a cert from a trusted CA, like every
> other business (including most banks)?
> >
> >
> > I think basically it's because they have too much Cert to issue (One for
> each user), it cost too much money, and they do not want anyone else to know
> how many users they have, and their names,
> > including the CA.
>
> Absolutely. It would be extremely inconvenient also-
>
> >Kai mentioned that it's OK to use a untrusted CA signed user certificate
> in Firefox to sign, But they are not only using this cert in signing, they
> also use the cert for two-way SSL,
> > and they periodically renew the cert. But if you generate a user
> Certificate that's issued by a untrusted CA, there will be an alert popup.
>
> If that's really true I would call it a bug. I guess it is renewal that
> really is the
> problem? <keygen> doesn't support renewals.
>
> Few if any end-user banks certificates have their root in browsers.
>
> > The server cert I don't know why, but I guess maybe it's because they
> already have this CA system, they just want to save some money and time? I
> mean not every cert on their website is signed by
> > themselves, they have verisign certificates on most of their webpages,
> but on some specific server, they use cert issued by their own CA. The
> server using their own CA is in the certificate generation
> > process, I wonder is it related to two-way SSL or something?
> >
> > And btw, every bank in China has its own CA System, to generate user
> certificate.
>
> Yes, and that is how it should be, SSL certificates is another (hopefully
> unrelated) topic.
>
> Anyway, Chinese banks will some day get a solution in Firefox that actually
> addresses consumers (rather than cryptographers), but it will take some
> time to get it out of the door:
>
> http://webpki.org/auth-token-4-the-cloud.html
>
> Since US banks and Government Agencies do not use certificates for
> consumers
> and citizens this is primarily a European/Asian issue and we cannot expect
> to
> get any support from Mozilla except maybe a "Good luck" or so :-)
>
> Regards
> Anders Rundgren
>
> >
> >
> > And they
> > want to put their CA Root certificate into Firefox, so that there
> will
> > be no alert popup in the certificate generate process and no
> security
> > alert when users access their website. And here comes the
> questions
> >
> >
> > Can you be more specific about the errors that people who bank with
> CCB encounter in "the certificate generate process"?
> >
> >
> > They use keygen tag to generate the user certificate (They need to renew
> the certificate periodically), and the form is submitted to a cert page
> with contentType=x509/certificate or something like
> > that. Firefox will automatically save the certificate to where it's
> corresponding key is, and after that popup an alert saying the cert is
> download successfully. AND THEN, if the CA of the cert is
> > untrusted, Firefox will pop up another alert talking about "Cannot import
> the certificate, the issuer of the cert is unknown, the cert is invalid or
> ...."
> >
> >
> > 1. Right now, we are trying to use certutil.exe in their
> USB-Key
> > driver installer to do that. However, one of my colleague seems
> to have
> > some problem build the certutil.exe in visual studio 2005. And
> > sometimes, it fails to run on some machine. I tried to find a
> stable
> > version of that tool through google, but I failed. Is there any
> stable
> > version of certutil I can download, that will work on most
> version of
> > windows? Or why is it so hard to build, is there some way to make
> it better?
> >
> >
> > I don't know the answer to this particular question.
> >
> >
> > Unlucky for me:( Because according to several emails I made
> yesterday, this way seems to be the most doable and effective way.
> >
> >
> >
> > 2. Since the certutil.exe solution did not went very well, we
> think
> > maybe we could embed their CA cert in our Firefox China Edition.
> > According to my knowledge, at least half of the population in
> China are
> > CCB bank users, and cannot access online bank is our major
> problem in
> > China, so we think this make sense. We can make an addon to do
> that, but
> > it occurred to us that an addon is so open, that anyone that
> knows where
> > it is can change the cert, or do something else dangerous. So, is
> there
> > a better way to put the cert in? Maybe through a binary XPCOM is
> better?
> >
> >
> > The Mozilla project does not issue copies of Firefox that trust new
> CAs without those CAs going through the official process, as described
> below. Even when we do go through the process, people
> > still object - see the CNNIC case. There is absolutely no chance of
> any official Firefox being released which trusts a cert belonging to another
> Chinese company, or any company, without it going
> > through the trust checking process. Many of our users in China, as
> well as those elsewhere, would not like it.
> >
> > CCB may, of course, create their own addon to add the cert (assuming
> that's technically possible). But all their customers would need to install
> it individually. It is no more or less dangerous to
> > use an addon than any other method.
> >
> > What is the current procedure for people who bank with CCB who use
> IE, Safari or Chrome? Do those browsers trust the CCB certificate?
> >
> >
> > CCB only works in IE right now, and online banking sure is our top
> priority in China now. In IE,there is a concept of trust zone, and in their
> installer, they put themselves in the trust zone, and
> > put their CA cert in the windows Cert DB through CSP.
> > Btw: They are talking with MS to put their CA root in windows.
> >
> >
> > 3. Is it possible to put the bank's CA cert in firefox's
> default
> > cert db? So that we don't need to worry about security
> problems...
> >
> >
> > It is certainly possible. There is a process for this:
> > https://wiki.mozilla.org/CA:How_to_apply
> > However, it can take many months.
> >
> > Got it.
> >
> >
> > I hope that's helpful :-)
> >
> > It sure is, thank you very much for your help
> >
> >
> > Gerv
> >
> >
> >
>
>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
