Re: Facts about Comodo Resellers and RAs

2013-11-22 Thread martinwilson848
I bought Comodo EV SSL from https://cheapsslsecurity.com/comodo/evssl.html, a 
reseller of Comodo SSL and other major SSL brands, but thanks to their support 
team I never needed to deal directly with the certification authority, Comodo 
itself, and got a solution from the reseller's support team.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Facts about Comodo Resellers and RAs

2009-01-23 Thread lgnt82
Having said that, neither myself nor the company I run have gained
financially from this - currently it seems that all CAs have taken
damage. Reckless behavior is ruining our businesses, the trust we try
to build and the strengthening of Internet security at large is put
into jeopardy. It is my duty to prevent that if possible.


There is no conflict of interest even if the result of my involvement
would put a competitor out of business - it's their failure not mine.
And with it, they risk the reputation and security of Mozilla and all
relying parties which depend on it. 

Right.

A couple of observations on all of this (having read almost all of the
other original thread) as a disinterested observer (Full disclosure: I
used to resell SSL certs some time back).

1. You kid only yourself if you think you have no appearance of
conflict of interest in this issue. You do, in spite of your wishing
not to. But you are not alone. The prior thread was in full dogpile
mode against Comodo by a few who seem to have some baggage against
them by the levels of reaction compared to the severity of the issue
and its corresponding triage by Comodo. IMHO

2. You would do well to reflect and consider whether or not the
complete commoditization of domain validated certificates themselves,
both by their very nature (email validation of domain ownership. I
mean really now), as well as the pricing models employed by the
various competitors in the SSL field (yourself notable among them)
have not done more harm to the industry, or more specifically the
relative level of security, authority and credibility of SSL as a
security model, as perceived by users. Once one acknowledges that
being a CA is nothing more than a license to print money, subject to
independent operational audits, then you can have a meaningful
discussion on what 'security' you're providing to a user. See EV
validation procedures and their corresponding pricing model, compared
to Organization Validated certs if you care to refute that statement.
Yes, I'm looking at you Verisign.

There is such a low barrier to entry for a Domain Validated
certificate even when the system works correctly. A couple of bucks to
register a domain name with GoDaddy, a couple more (or zero) dollars
to get an SSL cert, and any script kiddy worth his salt can now start
blasting out "Please login to your BOA savings account to reverify
your account info" and hope for a MITM opportunity to pop up on his
monitor. DV certs have next to zero credibility on ANY website that
purports to protect personal or financial info. You know that, I'm
sure. There are tons of MITM attacks successfully carried out every
year by crooks who have VALID DV certs on their fraud sites. How do you
think RSA sells so many handheld password tokens? Which begs the
question of why Mozilla needs to suddenly go into fire drill mode over
RA auditing practices with respect to Comodo. It's a joke.

3. I was a little taken aback at the surprise and shock expressed by
the resident experts that Comodo RA resellers do DV authentication (or
at least, are supposed to as part of their resale agreements). Is this
to imply that NONE of the other CAs that have wholesale agreements
with third party resellers allow a DV cert to be sold pending CA
relegated authentication directly? Are we that naive in 2009? Thawte?
Globalsign? Verisign? RapidSSL? GoDaddy? Surely Comodo is not the only
one out there that allows their resellers to perform initial DV cert
validation subject to CA audits. I can't prove it, but I'd bet $20
the number of primary CAs who do is greater than 1. Someone, it
appears, has never taken a look at the Certification Practice
Statements of the various CAs, I guess (to the extent that you can
find them all). I seem to recall that the RSA X.509 spec allows for
this type of subservient RA model as long as proper audit controls are
in place to maintain verification compliance.

In a nutshell, does anyone who declares himself an expert in the SSL
industry REALLY think this causes irreparable harm to the other CAs?
Should Comodo tighten up on its audit procedures? Certainly looks that
way. But since any primary CA out there who does this probably only
does sample audits (are YOU going to pay KPMG their hourly to go
through every record out in the field? Not bloody likely), the
possibility still exists for that 'rogue' cert to skate by. If total
security is paramount, should not all CAs make sure third party
resellers validate all domains internally through them? Absolutely,
but be careful about the unintended consequences of what that would do
to the internal costs to the CAs, and the subsequent knock-on costs to
the channel. It might even raise the prices in the street a little if
they all did it at once, something positive! However, if the X.509 spec
doesn't call for it, who's first in line to volunteer to implement it
for DV certs? That's what you have OV and EV certs for, no? And
after all, as all know, money is ultimately the reason in 

Re: Facts about Comodo Resellers and RAs

2008-12-26 Thread Eddy Nigg

Comodo's CPS [1] lists the following:

1.10.2 Web Host Reseller Partners

Through a “front-end” referred to as the “Management Area”, the Web Host 
*Reseller* Partner has access to the *RA* functionality including but 
not limited to the issuance of Secure Server Certificates  is 
obliged to *conduct validation* in accordance with the validation 
guidelines and agrees via an online process (checking the “I have 
sufficiently validated this application” checkbox when applying for a 
Certificate) that sufficient validation has taken place prior to issuing 
a certificate.


This seems to be exactly in line with my comment [2] and the published 
image [3]. If this is correct, then it is in direct conflict with 
section 4.2.7 PositiveSSL and PositiveSSL Wildcard Secure Server 
Certificates of this statement [4]:


To validate PositiveSSL and PositiveSSL Wildcard Secure Server 
Certificates, *Comodo* checks that the Subscriber has control.

and the use of generic e-mails which ordinarily are only
available to person(s) controlling the domain name administration, for 
example, webmaster@ . . ., postmaster@ . . ., admin@;



This basically means that Comodo outsources domain validation not only 
to RAs but also to resellers. In addition, domain validation is 
effectively circumvented and non-existent for such resellers. The mere 
checking of the checkbox is the only requirement for the issuance of any 
certificate. This is in my opinion insufficient and an undue risk! 
Considering the size of Comodo's reseller and RA network (which I'm sure 
makes up the biggest chunk of their certificate issuance), it is 
reasonable to assume that unvalidated certificates exist currently.


Additionally I want to point out that the CPS [4] explicitly states that 
Comodo performs the validation, which however is not the case as we've 
seen with certstar. Since I was reading this document during the review 
period of Comodo this spring, I was fairly convinced that Comodo 
performs those validations.


I request to receive further information about how exactly domain 
control is validated and which controls Comodo has in place to prevent 
fraudulent or mistaken issuance. Incidentally, I've found a discrepancy 
in statements made by Robin as to the status of certstar in particular 
and concerning domain validation in general.



[1] http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=470897#c27
[3] https://bugzilla.mozilla.org/attachment.cgi?id=354425
[4] http://www.comodo.com/repository/PositiveSSL_addendum_to_the_Certification_Practice_Statement.pdf


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

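The issue raised above is a reseller checkbox standing in for a domain-control check that the CPS says the CA performs. As an added illustration (not code from the thread, from Comodo or from any CA), the following models the CA-side rule: a certificate is issuable only after the CA has itself completed an email challenge to a generic role address at the domain; the reseller's "I have sufficiently validated this application" flag carries no weight. The role-address set beyond webmaster@, postmaster@ and admin@, the parent-domain rule and the challenge lifetime are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Role addresses accepted as proof of domain control. The CPS excerpt names
# webmaster@, postmaster@ and admin@; the remaining entries are assumed here.
ROLE_LOCALPARTS = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}


def is_acceptable_approver(email: str, fqdn: str) -> bool:
    """True only for <role>@<fqdn> or <role>@<parent of fqdn with >= 2 labels>."""
    local, _, host = email.lower().rpartition("@")
    if local not in ROLE_LOCALPARTS or host.count(".") < 1:
        return False  # not a role address, or host is a bare TLD / missing
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == host or fqdn.endswith("." + host)


@dataclass
class DomainValidator:
    ttl: float = 3600.0  # challenge lifetime in seconds (assumed)
    _pending: dict = field(default_factory=dict)   # (fqdn, email) -> (token, expiry)
    _validated: set = field(default_factory=set)   # fqdns with a CA-completed challenge

    def start_challenge(self, fqdn: str, approver: str, now: float) -> str:
        """CA generates a random token to mail to the role address."""
        if not is_acceptable_approver(approver, fqdn):
            raise ValueError(f"{approver} is not a role address for {fqdn}")
        token = secrets.token_urlsafe(32)
        self._pending[(fqdn.lower(), approver.lower())] = (token, now + self.ttl)
        return token

    def complete_challenge(self, fqdn: str, approver: str, presented: str, now: float) -> bool:
        """Subscriber returns the token; CA checks it in constant time and within TTL."""
        key = (fqdn.lower(), approver.lower())
        token, expiry = self._pending.get(key, (None, 0.0))
        if token is None or now > expiry or not hmac.compare_digest(token, presented):
            return False
        del self._pending[key]  # single use
        self._validated.add(fqdn.lower())
        return True

    def may_issue(self, sans, reseller_checked_box: bool = False) -> bool:
        """Every SAN needs a CA-completed challenge; the reseller flag is ignored."""
        return all(s.lower() in self._validated for s in sans)
```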


Re: Facts about Comodo Resellers and RAs

2008-12-25 Thread Eddy Nigg

On 12/24/2008 05:44 PM, Eddy Nigg:

I have received also testimonials that Mozilla and Microsoft received
previously complaints and evidences about the business practices of
Comodo. I'm not aware which specific actions were taken back then.


I have to make a small correction about this statement. The complaints 
and evidences mentioned above are not recent and are of a lower severity 
than recent events. Thanks.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org


Re: Facts about Comodo Resellers and RAs

2008-12-24 Thread Eddy Nigg

On 12/24/2008 08:14 PM, Paul C. Bryan:

Eddy: I personally believe you are working for the good of the PKI
infrastructure, but you have to see that being a competitor to Comodo
puts you in a perceived conflict of interest here. Is there no one you
could put your contact(s) in touch with that is in a more neutral
position to evaluate this issue and inform the community?


Paul, I have been active here for some time already. I'm providing my 
knowledge and experience to Mozilla and the community, which might be 
especially interesting, because I know more than many. I see the 
potential issues from various different sides. I have maintained my 
loyalty to Mozilla, which doesn't have to be in conflict with any other 
interests I may have. And my interest is to maintain an even level of 
PKI security in the browser for the good of all of us.


Having said that, neither myself nor the company I run have gained 
financially from this - currently it seems that all CAs have taken 
damage. Reckless behavior is ruining our businesses, the trust we try to 
build and the strengthening of Internet security at large is put into 
jeopardy. It is my duty to prevent that if possible.


There is no conflict of interest even if the result of my involvement 
would put a competitor out of business - it's their failure not mine. 
And with it, they risk the reputation and security of Mozilla and all 
relying parties which depend on it.


Unfortunately many others who are in the know haven't come forward 
for unknown reasons. I'd be more than glad if they did. But would you 
prefer if I put a middle-man in front of myself? Would you prefer that 
I had sorted it out with Comodo directly? The personal gain could have 
been much higher, perhaps.


Rest assured that I'm not making any final decisions at Mozilla. 
Frank Hecker, who is currently responsible, knows me well enough and has 
the knowledge about this subject. He will make the ultimate decision 
about which actions to take. In this specific case I'm the messenger and 
reporter, but others have already made their call for action here 
at dev.tech.crypto as well.


Lastly, this and other issues concern all of us - many million users 
depend on the work we are doing here and elsewhere. I have nothing to 
hide; I openly disclose my affiliation (see my signature) upfront. I 
always did. I'm active and involved in different open source and open 
standards projects, and maintain connections with major organizations 
throughout the world. I'm certain that my contributions and expertise 
are usually valued.


Thank you for your time!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org