In Ian's earlier reply in this thread, he makes some good arguments against trying to use self-signed X509 certs for email or other end-user purposes (e.g. email, ssl client auth, ssl server auth).
But the bug report that Ralf cited (and in which I invited a discussion in this newsgroup) was talking about an orthogonal issue. I'd like to discuss that subject here.

The subject of bug http://bugzilla.mozilla.org/show_bug.cgi?id=184649 was the handling of the MIME content-type application/pkix-cert. That generic MIME content type is used by "that other brand" of software for the download of all types of certs, generically, whether they're CA certs, or SSL server certs, or SSL client certs, or SMIME email certs, and whether they're certs that belong to the user who is downloading them or somebody else's certs; that is, whether the user who is downloading them also has the private key that goes with them, or not.

Mozilla (and Netscape browsers before it) uses different MIME content types for CA certs, for OTHER users' email certs, and for a user's own EMAIL or SSL client auth certs. I think mozilla has also added a new type for downloading an SSL server cert belonging to a remote SSL server.

This begs the question, why does mozilla want separate MIME content types for these certs? They're all just X509 certs, so why different content types for each? The answer is that downloading each type of cert (arguably) wants a different user experience. Some examples may help clarify this.

A user who is downloading a CA cert needs to decide whether or not to trust that CA cert. Trust of a downloaded CA cert certainly must NOT be automatic, or else every rogue cert issued by dishonest CAs would be as trusted as legitimate certs, and PKI certs would be worthless! Having a separate MIME type for downloading CA certs gives the browser the chance to use a dialog that leads the user through the choices he/she must make.

When a user is attempting to download his/her own personal email cert or SSL client authentication cert, a check should be done to ensure that the user has the private key associated with that cert. Otherwise, the user will find that he/she cannot sign emails that can be verified with that cert, and/or cannot decrypt emails that were encrypted with that cert. The different MIME type for a user's own personal cert gives the browser the opportunity to make that check and help or alert the user if the private key is missing. The browser can detect whether or not the local user DOES have the private key for a downloaded cert, but cannot in general tell whether the local user was SUPPOSED TO have the private key or not. The idea is that the CA site (from which the user downloads his/her own cert) has that knowledge and can help by specifying the content type that makes that clear.

Today, mozilla doesn't recognize the generic application/pkix-cert MIME content type at all. On a Windoze system, Windoze's own cert manager gets invoked to handle the cert, so the cert gets downloaded into the windoze cert store, not into mozilla's cert store. That's VERY confusing for users, IMO. IMO, mozilla should intercept that MIME type and handle it with mozilla's own GUIs, and ensure that the cert gets downloaded into mozilla's cert store.

The question is: when a mozilla user downloads a cert with that generic mime content type, what user experience should the user have?

One option is that the cert just gets silently stored in the user's cert DB, and the user will have to run the cert manager to sort it out later. Perhaps that is how "the other brand" does it. But I think that's not a very satisfactory solution.

Another option is to try to figure out what kind of cert it is by examining the cert, and try to select an appropriate user dialog (e.g. "wizard") according to what we find. That would be good if most or all certs were well formed, proper PKIX certs, but often they're not, ESPECIALLY if they were actually NOT from a real CA, and were instead "home brew" certs, made with the help of some PKIX test program like NSS's certutil, or OpenSSL's test program. It's the home brew certs that are least likely to be recognizable, and most likely to need the end-user's help to figure out what kind of cert they were supposed to be.

So, the final option (for this message) is to ask the user "what kind of cert is this supposed to be?" Is it your own cert? Is it some other user's cert? Is it a CA cert? And this is complicated by the fact that many users have no clue what a CA is or what it does, or why they shouldn't just trust all the CA certs they ever find.

So, how do _you_ think mozilla should handle the generic application/pkix-cert MIME content type?

-- 
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
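The two checks the post describes, classifying a downloaded cert by examining its extensions and verifying that the local user actually holds the matching private key, as an added example that is not part of the original post. It assumes the Python `cryptography` package; the certs it inspects are constructed inline with test keys, including an extension-less "home brew" cert that cannot be classified.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def classify(cert: x509.Certificate) -> str:
    """Guess what kind of cert this is from its extensions:
    'ca', 'email', 'server', 'client', or 'unknown' (needs the user's help)."""
    try:
        if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return "ca"
    except x509.ExtensionNotFound:
        pass  # no basicConstraints: not marked as a CA, fall through
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "unknown"  # typical of home-brew certs with no extensions at all
    if ExtendedKeyUsageOID.EMAIL_PROTECTION in eku:
        return "email"
    if ExtendedKeyUsageOID.SERVER_AUTH in eku:
        return "server"
    if ExtendedKeyUsageOID.CLIENT_AUTH in eku:
        return "client"
    return "unknown"


def has_private_key(cert: x509.Certificate, key) -> bool:
    """True only if the key's public half equals the cert's SubjectPublicKeyInfo."""
    der = lambda k: k.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)
    return der(cert.public_key()) == der(key.public_key())


def make_cert(key, ca=None, eku=None) -> x509.Certificate:
    """Build a self-signed test cert (constructed sample data, not from any real CA)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example test cert")])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if ca is not None:
        b = b.add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(key, hashes.SHA256())


def demo():
    """Classify a CA cert, an email cert and a bare home-brew cert; check key possession."""
    mine, someone_elses = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca = make_cert(mine, ca=True)
    mail = make_cert(mine, ca=False, eku=[ExtendedKeyUsageOID.EMAIL_PROTECTION])
    homebrew = make_cert(mine)
    return (classify(ca), classify(mail), classify(homebrew),
            has_private_key(mail, mine), has_private_key(mail, someone_elses))
```

`demo()` returns `("ca", "email", "unknown", True, False)`: the bare cert is exactly the case where the browser would have to fall back to asking the user.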
