Alan Dobkin wrote:

> I am new to this forum, so I apologize if this issue has been addressed
> already. However, I have searched the newsgroup archives and bugzilla
> and haven't found any related threads, so here goes:
>
> Does Mozilla/NSS have a policy for adding "Intermediate Certification
> Authorities"? In particular, I am interested in the "Starfield Secure
> Certification Authority", owned by "Starfield Technologies, Inc."
> (a.k.a. GoDaddy). I am not associated with them in any way other than
> being a satisfied customer for a few years. They are extremely popular
> for domain registrations (#1 in new transactions, #2 after Network
> Solutions in total market share - see RegistrarStats.com), and they now
> offer low-cost SSL certificates. I expect these will become very
> popular as well in the near future if they aren't already.
>
> They are certified by WebTrust (description below). In addition, they
> are already included in Microsoft Internet Explorer, which makes a
> strong argument for including them in Mozilla. In order for Firefox to
> gain widespread acceptance, it is important for web sites that "just
> work" in Internet Explorer to also work in Firefox, without any user
> intervention. Any web sites that work in IE but appear to be broken in
> Firefox (even if "broken" simply means a dialog box pops up saying the
> site isn't trusted) will deter users from switching their browser.
>
> In the IE Certificates window, there is a tab for "Intermediate
> Certification Authorities". There are currently 18 (at least on my
> system) CAs listed here, including Starfield and several other providers
> (6 are for Microsoft themselves). There is no similar tab in the
> Firefox Certificate Manager, so perhaps this functionality would need to
> be added first, presenting additional complications.
>
> Here is the description I found at WebTrust:
> http://www.webtrust.org/abtseals.htm
>
> > Starfield Technologies, Inc.
> > GoDaddy.com (www.godaddy.com) is the flagship ICANN-accredited domain
> > name registrar for The Go Daddy Group, Inc, which serves over 2
> > million customers worldwide. The Go Daddy Group family of companies
> > enables individuals and businesses to acquire, create and safeguard
> > their unique identities and brands on the Internet. GoDaddy's
> > Certification Authority, the Starfield Secure Certification Authority,
> > provides a range of highly trusted, 128-bit SSL certificates at
> > low-cost with 24/7 customer support. The Go Daddy Group also includes
> > membership-based registrar Blue Razor Domains, Inc; Wild West Domains,
> > Inc., reseller support organization; Domains By Proxy, Inc., which
> > provides private domain registration services; and Starfield
> > Technologies, Inc., which serves as the Group's research and
> > development arm.
>
> Here is a link to the Starfield Technologies, Inc. Repository, which
> contains their Intermediate Certificate, and the Root Certificate for
> their provider, ValiCert:
> https://certificates.starfieldtech.com/Repository.go
>
> Please let me know if I should open a corresponding Bugzilla request.
>
> Thanks for considering this issue!

In many cases, the intermediate certificate is installed on the Web server with the site certificate. This is merely good design for secure Web sites. Mozilla (and most other browsers) can verify a site certificate against an intermediate certificate from the site's Web server providing the latter is signed by a primary certificate in the browser's database or also on the site's server.

In Mozilla's Certificate Manager window, intermediate and primary certificates are managed together under the Authorities tab. An intermediate certificate is found under the organization that issued it, usually with the primary certificate that signed it. If you mark an intermediate certificate as trusted, you don't even need the primary certificate.

If you don't have a Mozilla.org Bugzilla account for submitting new bugs, request the addition of certificates to the Mozilla database by sending an E-mail message to Frank Hecker. See his <http://www.hecker.org/mozilla/ca-certificate-list/> for his address. You should first look at the list of certificates on that Web page to see which certificates are already in process (in your case, neither Starfield nor GoDaddy are listed).

As I indicated above, however, good Web design should include a copy of an intermediate certificate on a Web server that contains a site certificate that was signed by that intermediate certificate. Therefore, I'm not sure whether intermediate certificates will be added to the Mozilla database.

-- 
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
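
The chain-building behaviour discussed in this thread, as an added example that is not part of the original messages: it uses the OpenSSL command line as a stand-in (an assumption; Mozilla itself uses NSS) on a constructed root, intermediate and site certificate. The "Demo" names and the `build_chain`, `check` and `chain_demo` helpers are hypothetical.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> site certificate.
# All names and files are made up; nothing is fetched from the network.

build_chain() {  # $1 = empty working directory
    (
        cd "$1" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\n' > site.ext
        for n in root inter site; do
            printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Demo %s\n' \
                "$n" > req.cnf
            openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
                -keyout "$n.key" -out "$n.csr" || exit 1
        done
        # Self-signed root; intermediate signed by root; site cert signed by intermediate.
        openssl x509 -req -in root.csr -signkey root.key -days 2 \
            -extfile ca.ext -out root.pem &&
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 2 -extfile ca.ext -out inter.pem &&
        openssl x509 -req -in site.csr -CA inter.pem -CAkey inter.key \
            -CAcreateserial -days 2 -extfile site.ext -out site.pem
    ) >/dev/null 2>&1
}

# Print OK or FAIL for one "openssl verify" invocation.
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

chain_demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || { rm -rf "$d"; return 1; }
    # Root trusted, server sends only the site certificate: no path to the root.
    a=$(check -CAfile "$d/root.pem" "$d/site.pem")
    # Root trusted, server also sends the intermediate (-untrusted = "as received").
    b=$(check -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/site.pem")
    # Only the intermediate trusted; OpenSSL needs -partial_chain to stop there.
    c=$(check -partial_chain -CAfile "$d/inter.pem" "$d/site.pem")
    rm -rf "$d"
    echo "site-only=$a with-intermediate=$b intermediate-trusted=$c"
}

chain_demo
```

The first case is the "appears broken" situation from the question: the site certificate is valid, but a client that trusts only the root and receives no intermediate cannot build the path.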
