date:20081228

Kaspar Brand wrote, On 2008-12-27 03:21:
 Michael Ströder wrote:

 I personally don't know whether the current Mozilla implementation of
 crypto.generateCRMFRequest includes the private key of an encryption
 cert.
 
 Only if you tell it do so, and only if it's a key-exchange-only key. [1]
 Additionally, an Encryption Key Copy warning dialog will be presented
 when key escrow is attempted - try the attached demo. [2]

 [1] https://developer.mozilla.org/en/GenerateCRMFRequest
 
 [2] Caveat: may leave you (or your cert DB, more precisely) with
 a lot of orphan keys, if used generously - i.e. it's probably better
 to use it with a separate profile.

Kaspar, Thanks for this information and demo.  I had been told that this
dialog exists, but I had never seen it before your demo.  I'd like to
see this demo go into a page on a mozilla web site, such as (say)
developer.mozilla.org.

I also think we need a page or two on developer.mozilla.org that fully
documents both the keygen tag and the crypto.generateCRMFRequest method.
The existing documentation is very incomplete.  The keygen tag, for
example, accepts many more arguments than are now publicly documented.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Fost1954 wrote, On 2008-12-27 06:54:

 *_With other words (adapted from N. Bolyard):_*
 
 b) Is there any way for a Firefox user to detect that his CA has requested
 [the] private key [to be transmitted] ?
 
 _Possible Answer by Kaspar Band: _ ...an Encryption Key Copy warning
 dialog will be presented.
 
 My personal question: Is this warning dialog really ALWAYS the case ?

I think the question is: is there any way for a web site to suppress
that dialog?

 c) When requesting a certificate from a CA, what can a Firefox user do to
 prevent [transmission] of the newly generated private key?
 Possible Answer by kaspar Band:
 
 Not too difficult to achieve, actually. Just add this line to your
 prefs.js:[...]

I think Kaspar's suggestion will disable the use of
crypto.generateCRMFRequest entirely, not just for the case where key
escrow has been requested.  Is that right Kaspar?

In any case, as long as the warning dialog cannot be suppressed, then
I think it is both necessary and sufficient to address Fost's concerns.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [Fwd: Follow-Up on www.verisign.com SSL Order]

2008-12-28 Thread Michael Ströder

Reed Loden wrote:
 On Sat, 27 Dec 2008 13:55:45 +0100
 Michael Ströder mich...@stroeder.com wrote:
 
 Patricia,

 we saw several strange things from Certstar during the last days, not
 just one mistake:

 1. Spam e-mail to StartCom customers showing dubious business
 practices
 
 Spam wasn't just sent to StartCom customers...

So that's even worse.

 3. Strange from address with another famous trademark as local part
 used in another posting here
 
 I'm sure Patricia was just submitting to the newsgroups via Google
 Groups, and I bet her google account is the address used in the post
 to which you're referring. She probably just forgot to change it to
 her work address before sending. I wouldn't fault her or her company for
 this mistake in any way.

Do you really think so? Please re-read my text above about local part
of the from address in question. Typically when using a Google account
the local part is a name chosen by the user and the domain part belongs
to Google. In this case I wouldn't have said anything because it's
obviously normal. But that was not the case. The from address used was:
goo...@servage.net

Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

CAs and external entities (resellers, outsourcing)

2008-12-28 Thread Kai Engert

After having read the posts related to the unbelievable event, I 
understand the event involved an approved CA and an external entity they 
work with.


From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it.

The verification task is the most important task. All people and
processes involved should be part of the assuring audit.

The current Mozilla CA Certificate Policy says:
6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ...

In my opinion, it means, a CA must do this job themselves.

The policy currently does not appear to handle the scenario where a CA
delegates the verification job to an external entity. So it's unclear
whether it's forbidden or allowed if the external entity has received
equivalent attestation of their conformance.

In my personal opinion, a CA violates the Mozilla CA Certificate Policy
if they delegate the verification job to an external entity not owning
attestation of their conformance to the stated verification requirements.

If we'd like to be strict, we could remove CAs from our approved list if
they have shown to be non-conforming in the above way.

In any case, the CA policy should get clarified about involving external
entities in the verification and issueing process. All existing CAs
should be required to make a statement about their current business
practices with regards to external entities. After a grace period all 
CAs must either stop using external entities, or get conformance 
attestation for all involved entities.


Kai


smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation


On 12/28/2008 12:50 PM, Nelson B Bolyard:

I also think we need a page or two on developer.mozilla.org that fully
documents both thekeygen  tag and the crypto.generateCRMFRequest method.
The existing documentation is very incomplete.  Thekeygen  tag, for
example, accepts many more arguments than are now publicly documented.


Now that's interesting. What are those additional arguments?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-28 Thread Michael Ströder

Nelson B Bolyard wrote:
 I also think we need a page or two on developer.mozilla.org that fully
 documents both the keygen tag and the crypto.generateCRMFRequest method.

+1

 The existing documentation is very incomplete.  The keygen tag, for
 example, accepts many more arguments than are now publicly documented.

Which arguments are that?

Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

dropping the root is useless


On 28/12/08 12:13, Kai Engert wrote:


If we'd like to be strict, we could remove CAs from our approved list if
they have shown to be non-conforming in the above way.



Yes, we could!  But this is what we call a blunt weapon.  It is also a 
dangerous weapon.  Consider (all) the consequences in the current case.


First, losses we will incur, regardless:

  1.  Certs:  All end-users who rely on these certs will lose.  That 
probably numbers in the millions.  All subscribers will lose, probably 
in the thousands.  The CA will lose;  potentially it will lose its 
revenue stream, or have it sliced in half (say), which is what we would 
call in business circles a plausible bankrupcy event.


  2.  Mozo:  Mozilla will lose because of all the undelivered security 
(all those good certs and subscribers and end-users).  It may be sued by 
the CA and the CA's investors and/or the receiver/liquidator for a bad 
decision.


  3.  Industry:  All other CAs will lose because they will now have to 
include in their business plans the possibility of a root being dropped 
by a bad decision.


  4.  Security will go down, because less certs are delivered and in 
use.  (It's hard to calculate the secondary losses here, but not 
impossible.)


Second, the losses we seek to stop:

1.  Against that you can weigh the damages done so far and the harm to 
protect against.  We know it is down to 11 or so certs, all revoked. 
Therefore, we know that the damage is stopped now, and there is only an 
unknown window of 11 certs from their issuance to last week.


In practice, this calculates as zero damages, because the likely 
scenario is that no harmful certs were issued [1].


2.  There is the possible benefit to the other CAs as a punishment tool, 
in the case where the decision is good (see 3. above).  There could be a 
knock-on effect in convincing CAs to tighten their game.  However, this 
needs to be balanced against other costs and loss of certs, and in 
practice, the dominant factor is this:  more certs is more security, 
less certs is less security.




Until we get new info, this is the estimate on the table.  Therefore 
dropping the root will cause large losses, and will stop nothing, in the 
current case.




The wider policy problem here for Mozilla, for this forum, and for the 
whole PKI is that no matter which way you analyse, it, we've got nothing 
in the way of a punishment.  Stick any numbers you like in the above 
example, and watch what happens.  Removing the root is useless as a 
punishment.  It only has downside, for all.  It will likely never 
happen, and we should stop talking about it.



iang


[1] no harmful certs == unreliable certs issued to people to do bad 
things.  E.g., we ignore false certs that are already controlled.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Can you rely on an Audit?


On 28/12/08 12:13, Kai Engert wrote:


 From my perspective, it's a CA's job to ensure competent [stuff].


OK.


The auditing required for CAs is supposed to prove it.




This might be a bit too strong.  Let's look at that.

What audits do is confirm criteria, and provide an opinion that the 
criteria are met, according to the opinion of the Auditor [1].


Now let's look at some of the limitations or caveats or bugs in that 
process:


1.  It is up to you to read the criteria and decide if they are 
appropriate to your needs.


2.  It is also up to you to decide whether the opinion letter is good 
enough whatever that means.


2.b.  And, it is also up to you to investigate and understand the 
various languages and procedures that an Auditor uses, customarily, to 
weaken an apparently strong claim.


3.  It is also up to you to check that the Audit verifies the Mozilla 
policy.  I don't know, but my understanding was that Audits are 
generally done to WebTrust or ETSI criteria, and not to the policy. 
There would need to be a specific comment from the Auditor to say that 
the policy was included in scope.


Has anyone here read the opinions and confirmed inclusion of the policy 
in the audit opinions?


4.  It is also up to you to decide whether the Auditor has 
characteristics that speak highly of the opinion.  Without getting into 
that debate, suffice to say, the singularity of the process is a 
weakness in and of itself.




Where does this get us?

It should be clear that Audits don't prove anything.  At all.  If you 
take an audit to prove something then *you have made a mistake* ; 
although we might agree that that this is a mistake that many people are 
comfortable for you to make, and they are unlikely to correct you in.


The question is more likely placed as whether you can rely on an Audit. 
 If you get through all the above, your answer is probably maybe.  If 
you have a friend in the business, feel free to pose this question to 
them.  Ask around, get some opinions.


(And, if we accept the above, if you don't get through all of your above 
checks, how can your answer be any better than maybe ?)


Perhaps more broadly, we could ask whether we as a community get any 
benefit from an audit at all, given the rather drastic nature of an 
individual maybe.  I think the answer is yes, cautiously:  it probably 
ensures that a CA is up to a known and reasonable level of practices [2].


So, at least we know where a CA is likely at, once they've passed 
their audit.  Whereas before, we would be simply relying on advertising, 
which is hopeless.




The good news is that we can actually cover a lot of these weaknesses by 
moving to more open disclosures.  The Internet has given us wonderful 
opportunities to move more information more reliably, something that is 
not factored into current Audit thinking.


So it may not be a huge issue that classical Audits have flaws (c.f., 
they are not perfect, nor prove what you want) as long as we look at 
where the flaws are found in practice and identify ways to use the open 
source approach to overcome those flaws [3].


iang



[1] disclosure, I work as an auditor

[2] I am ignoring costs analysis here, so it may be that the benefit 
described does not return on investment.


[3] we sometimes call this open governance.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless


On 12/28/2008 02:46 PM, Ian G:


1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we would call in
business circles a plausible bankrupcy event.


Not relevant.


2. Mozo: Mozilla will lose because of all the undelivered security (all
those good certs and subscribers and end-users). It may be sued by the
CA and the CA's investors and/or the receiver/liquidator for a bad
decision.


I suggest to you refrain from now on to give legal advice on these 
matters, Mozilla has a legal department and lawyers for that. But if we 
are at it, Mozilla has no legal or any other requirement (as far as I 
know) to include or keep a root. The Mozilla CA Policy clearly reserves 
the right to remove any of the roots (including all of them) at any 
time. If this isn't the case we all should know about it. Additionally 
it's Mozilla which also has the right to sue the CA and not the other 
way around. Just for your knowledge, Microsoft and other vendors reserve 
the same right.



3. Industry: All other CAs will lose because they will now have to
include in their business plans the possibility of a root being dropped
by a bad decision.


Very good! Even though I'm not the proponent of the proposal to remove 
Comodo's root (instead work towards a real improvement, with the removal 
as a stick), this is exactly what possible removal should achieve. 
Refrain CAs from making bad decisions. More than that, some CAs are on 
disadvantage when competing with CAs which are willing to take high 
risks. This must be clearly recognized and I'm all in favor of having to 
compete on equal footing. This isn't the case today.




4. Security will go down, because less certs are delivered and in use.
(It's hard to calculate the secondary losses here, but not impossible.)


That's easy to revert, I'm certain there are a bunch of CAs ready to 
issue new certs to them.



1. Against that you can weigh the damages done so far and the harm to
protect against. We know it is down to 11 or so certs, all revoked.


That's absolutely not correct. Right now nobody knows - including Comodo 
- how many certs are really unvalidated because of the lack thereof. 
This is what I know at the moment and it would be good if Comodo could 
dispute that claim and advice differently or confirm it.



2. There is the possible benefit to the other CAs as a punishment tool,
in the case where the decision is good (see 3. above). There could be a
knock-on effect in convincing CAs to tighten their game.


Right! I'm all in favor of that, lets go for it!


However, this
needs to be balanced against other costs and loss of certs, and in
practice, the dominant factor is this: more certs is more security, less
certs is less security.


Less unvalidated certs is more security, not less. An unknown number of 
unvalidated certs is no security at all.



--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Can you rely on an Audit?


On 12/28/2008 03:23 PM, Ian G:


[1] disclosure, I work as an auditor


Since you are making a claim here of being an auditor - and specially in 
the context of WebTrust or similar criteria, can you please also 
disclose which formal training and titles you have? For which audit firm 
are you working currently and/or have you worked in the past? Thanks.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless

(following is just for the record so as to deal with the response.  No 
new info is in here for other readers.)




On 28/12/08 14:21, Eddy Nigg wrote:

On 12/28/2008 02:46 PM, Ian G:


1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we would call in
business circles a plausible bankrupcy event.


Not relevant.



Well!  If they are not relevant, then perhaps we can turn SSL off, with 
no consequences?




I suggest to you refrain from now on to give legal advice on these
matters, Mozilla has a legal department and lawyers for that. But if we
are at it,



Let's deal with this self-contradictory statement.

To ignore the obvious legal ramifications (agreements in RPAs, 
disclaimers to end-users, potential lawsuits ...) would be negligence, IMHO.


We know the ramifications exist.  We know they may be serious.  We know 
that assertations of security are being made to end-users.  Hence to 
continue making these assertations, and not treat them seriously would 
be negligence.


I personally choose not to follow that path into negligence, and will 
continue to consider the legal ramifications, which leads to the 
question of how we consider them.


We could simply refer them to the legal department, as you suggest. 
Mozilla has a legal department, as you kindly point out, but they are 
silent.  They may have entirely good reasons for being silent, but that 
makes them more or less useless for the work of this forum.  So 
referring them to that legal department is not an option for now.


We could simply refer them to our own legal department.  But, we are all 
here as volunteers, and while some of the businesses may like to put 
their counsel at the service of this group, this won't work because of 
conflicts of interest.  This is therefore not an option.


Which leaves the final option:  we have to deal with it, ourselves, and 
we have to work with the known and understood caveats that none of us 
are lawyers.




Others may have other views, but I would suggest that in this forum, we 
have to consider the legal ramifications.




Mozilla has no legal or any other requirement (as far as I
know) to include or keep a root.



No, I'm afraid there is an agreement to list the root, under a policy. 
Once listed, Mozilla has to operate according to its side of the bargain.


This is a general consequence of business, there is nothing special 
about it.  Ask any experienced business person.




The Mozilla CA Policy clearly reserves
the right to remove any of the roots (including all of them) at any
time. If this isn't the case we all should know about it.



The problem being, that even if it reserves the right to make a choice 
for any reason, this does not give Mozilla carte blanche.  If it makes a 
bad choice, a judge can imply a reasonableness test.


This is one of those areas where we really do need lawyers in the 
conversation, but I will short circuit that with a prediction of mine, only:


the lawyers will likely say, we will find out in court.

Great answer, huh?  It sure keeps the lawyers in work, and it provides 
little help for us.  See earlier analysis.




Additionally
it's Mozilla which also has the right to sue the CA and not the other
way around. Just for your knowledge, Microsoft and other vendors reserve
the same right.



Everyone has the right to walk into court.  That point is empty of 
practical value.




3. Industry: All other CAs will lose because they will now have to
include in their business plans the possibility of a root being dropped
by a bad decision.


Very good! Even though I'm not the proponent of the proposal to remove
Comodo's root (instead work towards a real improvement, with the removal
as a stick), this is exactly what possible removal should achieve.



Please read it carefully.  a root being dropped by a BAD decision.



Refrain CAs from making bad decisions.



Oh, ok.  No, I meant MOZILLA making a bad decision.  E.g., a mistake.



More than that, some CAs are on
disadvantage when competing with CAs which are willing to take high
risks. This must be clearly recognized and I'm all in favor of having to
compete on equal footing. This isn't the case today.



Indeed.  You won't achieve it by dropping a root, and you won't achieve 
it by _threatening_ to drop a root.


I suggest you will achieve precisely the reverse, because some CAs will 
have an advantage in that negotiation, and they will overcome any 
positive benefit in a way that has little bearing on security for the users.


Standard business stuff, really.



4. Security will go down, because less certs are delivered and in use.
(It's hard to calculate the secondary losses here, but not impossible.)


That's easy to revert, I'm certain there are a bunch of CAs ready to
issue new certs to them.

Re: Can you rely on an Audit?


On 28/12/08 14:57, Eddy Nigg wrote:

On 12/28/2008 03:23 PM, Ian G:


[1] disclosure, I work as an auditor


Since you are making a claim here of being an auditor - and specially in
the context of WebTrust or similar criteria,



OK, to answer the implied question here, the criteria are those written 
by David Ross, and are known sometimes as DRC.  They are listed here:


http://rossde.com/CA_review/

For the interested readers:  DRC were developed following a review of 
WebTrust by David Ross, and his criteria cross-reference to WebTrust for 
ease of comparison.  Those are my words, see the link for his own words.




can you please also
disclose which formal training and titles you have?



BSc(hons) Computer Science, University of NSW.
MBA, London Business School.



For which audit firm
are you working currently and/or have you worked in the past? Thanks.


None.


Interested readers might now relate this to point 9, 10 of the policy.

http://www.mozilla.org/projects/security/certs/policy/


iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless


On 12/28/2008 04:24 PM, Ian G:

1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we would call in
business circles a plausible bankrupcy event.


Not relevant.



Well! If they are not relevant, then perhaps we can turn SSL off, with
no consequences?



I was clearly replying to the later part:

The CA will lose; potentially it will lose its revenue stream, or have 
it sliced in half (say), which is what we would call in business circles 
a plausible bankrupcy event.


It's not relevant.



No, I'm afraid there is an agreement to list the root, under a policy.
Once listed, Mozilla has to operate according to its side of the bargain.



Apparently you are reading something I haven't.


The problem being, that even if it reserves the right to make a choice
for any reason, this does not give Mozilla carte blanche.


Mozilla can make a bad decision, no doubt. This case is most likely not 
one of those you are referring to.




Please read it carefully. a root being dropped by a BAD decision.


A root isn't removed before careful considerations. A bad decision 
doesn't warrant not to remove any roots at all if necessary. Mozilla can 
also reinstate a root.




They stated how many, IIRC. I recall it was something like 111 certs
issued and 11 outstanding that had not been re-verified within around 48
hours (these numbers are not accurate, but indicative) and were
therefore revoked.


That's for the specific certstar case. Domain validation isn't performed 
by Comodo on a wide scale apparently and perhaps no validation is 
performed at all.



--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedby Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-28 Thread Anders Rundgren

I wouldn't spend much work on keygen and crypto.generateCRMFRequest
because they don't match today's needs anyway.  You cannot even as an
issuer control PIN code settings (policy) unless you have a pre-configured 
crypto
container, i.e. these mechanisms are tools for toy PKIs.

Serious PKIs use smart cards and physical card/key/certificate distribution
because the on-line alternatives are more or less useless in addition to being
completely non-standard.   The coming HTML5 standards work does not
even *try* to address this mess.  I think they did the right thing; PKI 
standards
in browsers reached an all-time-high already 10 years ago.

PKIX are not aware of the problem because PKIX don't do browsers,
they do ASN.1.

Anders

- Original Message - 
From: Michael Ströder mich...@stroeder.com
Newsgroups: mozilla.dev.tech.crypto
To: dev-tech-crypto@lists.mozilla.org
Sent: Sunday, December 28, 2008 13:38
Subject: Re: Security-Critical Information (i.e. Private Key) transmittedby 
Firefox to CA (i.e. 
Thawte) during X.509 key/cert generation


Nelson B Bolyard wrote:
 I also think we need a page or two on developer.mozilla.org that fully
 documents both the keygen tag and the crypto.generateCRMFRequest method.

+1

 The existing documentation is very incomplete.  The keygen tag, for
 example, accepts many more arguments than are now publicly documented.

Which arguments are that?

Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto 

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-28 Thread Fost1954

2008/12/28 Nelson B Bolyard nel...@bolyard.me


 I think the question is: is there any way for a web site to suppress
 that [private key transmission warning-] dialog?


Yes: this should be the point. Having the certainty, that a warning dialog
cannot be suppressed when a private key is to be transferred, Firefox Users
would feel (and be) on the safe side.


 ___
 dev-tech-crypto mailing list
 dev-tech-crypto@lists.mozilla.org
 https://lists.mozilla.org/listinfo/dev-tech-crypto

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

problem with JSS-based custom RMI factory

2008-12-28 Thread alex . agranov

I'm trying to create a simple Java RMI application with a custom
factory that uses JSS SSL classes. So I created a simple server and
client factories that create SSLServerSocket and SSLSocket instances
correspondingly. But when my client tries to lookup in the registry,
the following happens:
   1) the client factory is called and it creates an instance of
SSLSocket
   2) write() method is called on the socket
   3) then it's supposed to call socketWrite() native method - but for
some reason the native method lookup fails and I grab the
ClassNotFound exception

Now, I'm pretty sure that my envrionment (LD_LIBRARY_PATH and
CLASSPATH) are set correctly and JSS is properly initialized - 'cause
see it listed in current providers and I have a sample code that
generates a key inside the NSS token, right before the RMI lookup
code, and it works just fine.

May be it has something to do with the fact that the SSLSocket code is
called from RMI, and native calls can't be resolved from there? Any
idea on how this can be worked around?
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: CAs and external entities (resellers, outsourcing)


Hi Kai,

long reply, I appreciate the grounding in actual policies and practices! 
 This allows us to explore what we really can and cannot do.


(I've cut two of your comments out to other posts where they might be 
generally intersting for the wider audience.)



On 28/12/08 12:13, Kai Engert wrote:

After having read the posts related to the unbelievable event, I
understand the event involved an approved CA and an external entity they
work with.



Seems about right.



 From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it.


[see other post]


The verification task is the most important task. All people and
processes involved should be part of the assuring audit.



The current Mozilla CA Certificate Policy says:
6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ...



OK!  And, we can reasonably suggest that pt 7 covers verification, as 
per the above.



In my opinion, it means, a CA must do this job themselves.



No, to me, it means the CA must provide attestation of conformance by an 
independent party.  That means they must show how they meet the things 
that Mozilla lists in pt 7.




Which language suggests they have to do verification *themselves* ?



BTW, it would be quite problematic to insist that the CAs do this job 
themselves.


CAs are not generally experts on the issues raised.  Traditionally, CAs 
outsource the processess within verification to a range of different 
organisations:  government registries, commercial credit agencies, 
credit card companies, passport offices, birth registries, etc.  That 
is, to insist they do it themselves would mean that they would have to 
develop skills that might be better handled elsewhere, and might in the 
end reduce to moving the deckchairs around.




The policy currently does not appear to handle the scenario where a CA
delegates the verification job to an external entity. So it's unclear
whether it's forbidden or allowed if the external entity has received
equivalent attestation of their conformance.



I conclude it is allowed.  However, whichever way it is done, the policy 
still insists that conformance to pt 7 is required.


So, following that policy, a reasonable investigation to pursue in the 
current case is what that form of the attestation was, and how precise 
it was, etc.




In my personal opinion, a CA violates the Mozilla CA Certificate Policy
if they delegate the verification job to an external entity not owning
attestation of their conformance to the stated verification requirements.



I'm not sure I parse that, but I think you mean:

   If the CA delegates,
   and does not own the conformance requirement,
   then they have violated the policy.

If so, ok.  I see the following simplification:

   If the CA does not own the
   conformance to verification requirement,
   then they have violated the policy.



If we'd like to be strict, we could remove CAs from our approved list if
they have shown to be non-conforming in the above way.



[see other post]


In any case, the CA policy should get clarified about involving external
entities in the verification and issueing process.



There are normal business and PKI assumptions in operation here:

  The CA will involve external entities for as many things as possible.

  The CA will document the external entities.

  The CA will take responsibility for the result.

  (The CA will express its liability and warranty in its RPA.)



It may be that you want to surface and state these assumptions.

However, to turn it into a criteria or policy point, you would need to 
much more clearly refine your point, *and* you should clearly relate it 
to how this will improve security.  I suggest this is much tougher than 
it sounds.




E.g., Which external entities are OK?  Why?  How are they checked?

Is it ok to accept an audit?  Which audit?

Where is the line drawn?  Is a passport an outsourcing?  If not, is a 
credit card?  Is a website?


Why consider external entities when we don't describe documents?  If we 
care to regulate external entities, shouldn't we also regulate use of 
credit cards, which are known to be poor identity documents?


Is one check enough?  Two?  Correlated?  Serial or parallel?

And add a thousand other questions.  It gets complex!

It is for this reason of complexity that we normally apply a 
reasonableness test.  It is reasonable to use external entities, and 
as long as it is stated in the CPS, then it is up to each party to 
decide whether they accept that for their individual circumstances.


(Those parties include:  the CA, auditor(s), vendors, downstream 
vendors, relying parties, and ultimately end-users.)




All existing CAs
should be required to make a statement about their current business
practices with regards to external

Re: dropping the root is useless


On 28/12/08 15:42, Eddy Nigg wrote:

On 12/28/2008 04:24 PM, Ian G:
I was clearly replying to the later part:

The CA will lose; potentially it will lose its revenue stream, or have
it sliced in half (say), which is what we would call in business circles
a plausible bankrupcy event.

It's not relevant.



Well, that part may not be a loss that effects a security discussion. 
But I've made the point before that economic interests are much more 
important and may be dominant.  See below the discussion of lawyers.


So perhaps you won't mind if I keep bringing them up.  We might simply 
disagree as to their practical relevance to the real world discussion.




No, I'm afraid there is an agreement to list the root, under a policy.
Once listed, Mozilla has to operate according to its side of the bargain.



Apparently you are reading something I haven't.



Statements (policy, etc) plus actions gives rise to an agreement.  The 
agreement doesn't have to be written in one document to exist, it can 
exist without anything to read, or with many things to read.




The problem being, that even if it reserves the right to make a choice
for any reason, this does not give Mozilla carte blanche.


Mozilla can make a bad decision, no doubt. This case is most likely not
one of those you are referring to.



Well, who is going to warrant that for Mozilla?



Please read it carefully. a root being dropped by a BAD decision.


A root isn't removed before careful considerations. A bad decision
doesn't warrant not to remove any roots at all if necessary. Mozilla can
also reinstate a root.



If in court, we can be sure that the CA will argue that the decision is 
bad.  The judge will bend over backwards to let the CA make that case; 
that's what the court is there for.


(This then turns on who has the burden, and what question has to be 
answered.  Er, now we need the lawyers.)




What I'm about here is that:  in any wider business analysis, the answer 
is that, short of total collapse, do not remove the root.  And if there 
is total collapse, you will be wrong regardless, so it doesn't really 
matter what you do.


I am not saying I *like* it.  In fact, I don't like it.

I'm saying the tool is bankrupt.  Think of other tools, this one will 
not work for you.




Let me put it another way:  one phone call from the CA's lawyer to 
Mozo's lawyer is probably sufficient to solve this problem *for the CA*.


Ask yourself whether you have a lawyer.  Ask your lawyer whether he can 
make the phone call.  Ask your lawyer how the phone call will go (he 
doesn't need to make it).


Let us know what he says, for the education of us all.



They stated how many, IIRC. I recall it was something like 111 certs
issued and 11 outstanding that had not been re-verified within around 48
hours (these numbers are not accurate, but indicative) and were
therefore revoked.


That's for the specific certstar case. Domain validation isn't performed
by Comodo on a wide scale apparently and perhaps no validation is
performed at all.



Oh, that's a new claim, beyond this reseller.

Is there any evidence?  If so, then maybe there should likely be a new 
investigation, and widespread revocations by the CA of the non-verified 
certs.  OK, as discussed earlier, actual investigations are outside 
scope of here (which begs the important question of where it is in scope 
of!) so let's not speculate further on Comodo's exact position.


Back to the damages estimate:  we still need to form an estimate of how 
many certificates were issued to people of malintent.


Without that, we are still left with a damages estimate of zero, albeit 
one multiplied by a much larger number of users, with a much greater 
range of possible error.


iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedby Firefox to CA (i.e. Thawte) during X.509 key/cert generation


On 28/12/08 15:47, Anders Rundgren wrote:


PKIX are not aware of the problem because PKIX don't do browsers,
they do ASN.1.



Who does browsers?

iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedby Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-28 Thread Michael Ströder

Anders Rundgren wrote:
 I wouldn't spend much work on keygen and crypto.generateCRMFRequest
 because they don't match today's needs anyway.

Anders, does the word keygen trigger an automatic response in your
news bot? ;-}

Your comment is not relevant in this context. Off course the *existing*
implementation of keygen and crypto.generateCRMFRequest should be
fully *documented* as Nelson suggested.

Ciao, Michael.

 - Original Message - 
 From: Michael Ströder mich...@stroeder.com
 Newsgroups: mozilla.dev.tech.crypto
 To: dev-tech-crypto@lists.mozilla.org
 Sent: Sunday, December 28, 2008 13:38
 Subject: Re: Security-Critical Information (i.e. Private Key) transmittedby 
 Firefox to CA (i.e. 
 Thawte) during X.509 key/cert generation
 
 
 Nelson B Bolyard wrote:
 I also think we need a page or two on developer.mozilla.org that fully
 documents both the keygen tag and the crypto.generateCRMFRequest method.
 
 +1
 
 The existing documentation is very incomplete.  The keygen tag, for
 example, accepts many more arguments than are now publicly documented.
 
 Which arguments are that?
 
 Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedbyFirefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-28 Thread Anders Rundgren

Michael Ströder wrote:

Anders Rundgren wrote:
 I wouldn't spend much work on keygen and crypto.generateCRMFRequest
 because they don't match today's needs anyway.

Anders, does the word keygen trigger an automatic response in your
news bot? ;-}

Well, some 1000h into its successor have left some traces :-) :-)

Your comment is not relevant in this context. Off course the *existing*
implementation of keygen and crypto.generateCRMFRequest should be
fully *documented* as Nelson suggested.

Maybe, maybe not.

I assume that private key transfer is only allowed (if possible at all) for 
encryption keys.

It seems to me that this is a rather useless function since most organizations
are more concerned about sent data than received ditto.  I.e. key escrow
doesn't work very well for organizations which is why Outlook has an entirely
different approach to message escrow which actually works (clear-text
message logging in parallell to encrypted messaging).

If the fear is rather that the CA could impersonate a user, it can do that
without notifying the user with warning dialogs.

If the goal is rather providing encryption key backup for consumers, I guess
we are back to the question if S/MIME encryption is for real or not.
Based on actual usage by consumers this issue is already settled.

That is, if private key transfer actually is enabled the correct solution [IMO]
is not to dicument it, but to disable it.

Anders

 - Original Message - 
 From: Michael Ströder mich...@stroeder.com
 Newsgroups: mozilla.dev.tech.crypto
 To: dev-tech-crypto@lists.mozilla.org
 Sent: Sunday, December 28, 2008 13:38
 Subject: Re: Security-Critical Information (i.e. Private Key) transmittedby 
 Firefox to CA (i.e.
 Thawte) during X.509 key/cert generation


 Nelson B Bolyard wrote:
 I also think we need a page or two on developer.mozilla.org that fully
 documents both the keygen tag and the crypto.generateCRMFRequest method.

 +1

 The existing documentation is very incomplete.  The keygen tag, for
 example, accepts many more arguments than are now publicly documented.

 Which arguments are that?

 Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto 

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: CAs and external entities (resellers, outsourcing)


On 12/28/2008 01:13 PM, Kai Engert:


The current Mozilla CA Certificate Policy says:
6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ...



Kai, just to counter Ian's reply:

The objective of the Mozilla CA policy is to provide sound, reliable and 
in this context reasonable security for its users.


This is anchored clearly in the Mozilla Manifesto as a principal and 
further described and defined in the Mozilla CA Policy what PKI and CAs 
concerns. The Mozilla CA Policy is clear in its requirements, *intend* 
and what it is meant to achieve. All the rest is just throwing sand into 
ones eyes.


In this respect section 7 of said policy clearly states what the 
requirements are. CAs may find different ways to achieve and conform to 
those requirements, however it should not lead to a compromise of those 
requirements. Personally I wouldn't outsource domain control validation 
but incorporate it into the general process of certificate issuance. In 
case it is delegated, the third party must provide attestation of their 
conformance. I think this is what you were proposing...


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless

2008-12-28 Thread David E. Ross

On 12/28/2008 4:46 AM, Ian G wrote [in part]:
 On 28/12/08 12:13, Kai Engert wrote:
 
 If we'd like to be strict, we could remove CAs from our approved list if
 they have shown to be non-conforming in the above way.
 
 
 Yes, we could!  But this is what we call a blunt weapon.  It is also a 
 dangerous weapon.  Consider (all) the consequences in the current case.
 
 First, losses we will incur, regardless:
 
1.  Certs:  All end-users who rely on these certs will lose.  That 
 probably numbers in the millions.  All subscribers will lose, probably 
 in the thousands.  The CA will lose;  potentially it will lose its 
 revenue stream, or have it sliced in half (say), which is what we would 
 call in business circles a plausible bankrupcy event.
 

So when a CA behaves badly, we should still be concerned that the CA
might lose money?  Because a CA might go bankrupt, we should do nothing?

How about the users of Mozilla products who might lose money or even go
bankrupt because they trusted a root certificate from such a CA?  No,
such losses are not known (yet).  What did happen, however, indicates
that such losses are indeed possible and not only through Certstar.

-- 
David E. Ross
http://www.rossde.com/

Go to Mozdev at http://www.mozdev.org/ for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [Fwd: Follow-Up on www.verisign.com SSL Order]


On 12/28/2008 09:45 PM, Reed Loden:


You can use any e-mail address as a Google Account, so yes, I
really think so. Patricia's reply confirms this, too.



Reed, Servage is a hosting company, their MX record isn't that of 
Google, but their own. This email account is not hosted with Google. You 
can't just use any email address you like, you must set the DNS zone 
accordingly.



--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedbyFirefox to CA (i.e. Thawte) during X.509 key/cert generation

Anders Rundgren wrote, On 2008-12-28 07:52:
 [...] most organizations are more concerned about sent data than received
 [...]

This is one reason (out of many) that Mozilla's S/MIME mail clients require
that the sender be an implicit recipient of any encrypted messages sent.
It ensures that the sender's private key is also able to decrypt the
messages he sends.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmittedby Firefox to CA (i.e. Thawte) during X.509 key/cert generation

(Note: this is almost completely off-topic as relates to the OP's message.)

REAL programmers do everything they can to point out flaws of things
that don't meet their needs, but are easier to use, older,
more-debugged, and sufficient for those cases that don't require the
ability to trust code running on the client machine to implement the
policy that the server asks for.

i.e., just because they don't meet YOUR needs of today doesn't mean
they don't meet MINE.  And the requirements you have are more in line
with requiring DRM (and thus Trusted Computing where the user of the
machine doesn't have access to the trusted platform module) than
anything that can be implemented in user-land, anyway.

If I understand what you've been working with, you're encoding key
generation/request parameters into XML to be handled by the client.
If you're doing XML for the parameters-provision, why not break the
certificate request into XML too?  Oddly enough, there is an ITU
standard for this -- it's called XML Encoding Rules for ASN.1, or XER.

I'm actually surprised nobody's started using XER for certificate
storage/examination.  Since DER is a means of encoding ASN.1
structures into the minimum number of bits, and since XER is an
alternate encoding mechanism (though arguably into the MAXIMUM number
of bits) for the same data, it would work -- yes, the signature is
calculated over the DER encoding of the data, but that can be
reconstituted from the XER.  (My understanding is that this is part of
what certificate validation is supposed to handle anyway -- all the
information split out and stuck in a database, then
reconstituted/revalidated as necessary.)

Yes, we'd need special tools to verify the signature, but we already
need special tools to parse DER.  It would be a net win for
debuggability and understanding what is in each certificate without
having to load our DER parser every time we want to look at it.

-Kyle H

On Sun, Dec 28, 2008 at 6:47 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
 I wouldn't spend much work on keygen and crypto.generateCRMFRequest
 because they don't match today's needs anyway.  You cannot even as an
 issuer control PIN code settings (policy) unless you have a pre-configured 
 crypto
 container, i.e. these mechanisms are tools for toy PKIs.

 Serious PKIs use smart cards and physical card/key/certificate distribution
 because the on-line alternatives are more or less useless in addition to being
 completely non-standard.   The coming HTML5 standards work does not
 even *try* to address this mess.  I think they did the right thing; PKI 
 standards
 in browsers reached an all-time-high already 10 years ago.

 PKIX are not aware of the problem because PKIX don't do browsers,
 they do ASN.1.

 Anders

 - Original Message -
 From: Michael Ströder mich...@stroeder.com
 Newsgroups: mozilla.dev.tech.crypto
 To: dev-tech-crypto@lists.mozilla.org
 Sent: Sunday, December 28, 2008 13:38
 Subject: Re: Security-Critical Information (i.e. Private Key) transmittedby 
 Firefox to CA (i.e.
 Thawte) during X.509 key/cert generation


 Nelson B Bolyard wrote:
 I also think we need a page or two on developer.mozilla.org that fully
 documents both the keygen tag and the crypto.generateCRMFRequest method.

 +1

 The existing documentation is very incomplete.  The keygen tag, for
 example, accepts many more arguments than are now publicly documented.

 Which arguments are that?

 Ciao, Michael.
 ___
 dev-tech-crypto mailing list
 dev-tech-crypto@lists.mozilla.org
 https://lists.mozilla.org/listinfo/dev-tech-crypto

 ___
 dev-tech-crypto mailing list
 dev-tech-crypto@lists.mozilla.org
 https://lists.mozilla.org/listinfo/dev-tech-crypto

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

Michael Ströder wrote, On 2008-12-28 04:38 PST:
Nelson B Bolyard wrote:
I also think we need a page or two on developer.mozilla.org that fully
documents both the keygen tag and the crypto.generateCRMFRequest method.

The existing documentation is very incomplete. The keygen tag, for
example, accepts many more arguments than are now publicly documented.

Let me start by saying that there are very few documents known to me that
are authoritative documentation of the keygen tag, and all are essentially
archival copies of documentation developed at Netscape in a prior
millennium. They are:
http://devedge-temp.mozilla.org/library/manuals/1998/htmlguide/tags10.html#1615503
which is now 11 years old, and
http://docs.sun.com/source/816-5535-10/index.html#DSA (6 years old) and
https://developer.mozilla.org/En/HTML/HTML_Extensions/KEYGEN_Tag
which seems to be the most complete, but is still not complete.

Which arguments are that?

Now, here's what's not documented.

1. The attribute name keyparams is a synonym for the attribute name pqg.
Either name may be used for that attribute.

2. There are 3 recognized values for the keytype attribute.
They are rsa, dsa and ec.

3. When the keytype is ec, the EC curve used in the generated key is
selected by the value of the optional keyparams attribute, if
- it is present and
- it is one of the strings found in the table at
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsKeygenHandler.cpprev=1.49mark=179-256#177
- and the indicated curve is supported in that browser.

Otherwise, it is chosen by the user's choice from the key size choice box
according to the following table
Key SizeCurve
-
Highsecp384r1
Medium secp256r1
Low secp256r1

The documentation for crypto.generateCRMFRequest is found at
https://developer.mozilla.org/en/JavaScript_crypto/generateCRMFRequest
but it is also incomplete. The EC key generation documentation is missing.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless

On Sun, Dec 28, 2008 at 6:24 AM, Ian G i...@iang.org wrote:
 (following is just for the record so as to deal with the response.  No new
 info is in here for other readers.)

I would very much appreciate it if you would stop using fear,
uncertainty, and doubt to manipulate the audience into believing your
and only your viewpoint.

Unlike you, Eddy actually runs a certifying authority.  This means
that he has operational experience with not only the technical sides
of things, but also the legal sides of things.

Just because you also happen to be an advocate for CAcert (and --
unlike Eddy -- feel the urge to hide that affiliation) does not mean
that you actually run it, or have the depth or breadth of knowledge
necessary to do so.  This message shows me that you honestly don't
care about what security actually is, you just care about the
end-user experience.  This is NOT the same thing.  As such, my
opinion of your authority on the subject matter has diminished
severely.

True security involves knowing what the risks are.  Mozilla's policy
for root inclusion tries to reduce the uncertainty for end-users;
unfortunately, as has been pointed out repeatedly, there is still far
too much uncertainty for end-users in Comodo's operations.  They have
lost my trust, the same way that you have.

 On 28/12/08 14:21, Eddy Nigg wrote:

 On 12/28/2008 02:46 PM, Ian G:

 1. Certs: All end-users who rely on these certs will lose. That probably
 numbers in the millions. All subscribers will lose, probably in the
 thousands. The CA will lose; potentially it will lose its revenue
 stream, or have it sliced in half (say), which is what we would call in
 business circles a plausible bankrupcy event.

 Not relevant.


 Well!  If they are not relevant, then perhaps we can turn SSL off, with no
 consequences?

If Nelson can upbraid me for ad hominem attacks, I'm going to upbraid
you for ad absurdem arguments.

TLS (can we PLEASE stop using SSL, since the last version of SSL
that got ratified by any standards organization was SSLv2, and SSLv3
is a hack that reached internet-draft phase but was never formally
recognized?) has the option of negotiating a secure connection without
the use of any certificates at all.  (Further, SSLv3 also had the same
mechanism.)

There's still the endpoint confidentiality concept -- nobody between
the client and the server that the client is talking to can hear
what's being said between them.  The problem that certificates (or key
continuity management) is designed to solve is the problem where the
client thinks it's talking to one server, when it's really talking to
another (the fraudulent endpoint attack in the case where the
server-endpoint doesn't pass any data to the real server, and the man
in the middle attack in the case it does).

 To ignore the obvious legal ramifications (agreements in RPAs, disclaimers
 to end-users, potential lawsuits ...) would be negligence, IMHO.

 We know the ramifications exist.  We know they may be serious.  We know that
 assertations of security are being made to end-users.  Hence to continue
 making these assertations, and not treat them seriously would be negligence.

 I personally choose not to follow that path into negligence, and will
 continue to consider the legal ramifications, which leads to the question of
 how we consider them.

In my mind (and this is not legal advice, merely a statement of
thought presented for the purposes of argument), Mozilla has a duty to
me as an end-user to uphold the letter and spirit of its CA
Certificate Policy.  I've already presented my thought on how a full
tort could be brought against Mozilla by the operator of any CA
already in the trust list.  If a Comodo-issued certificate causes any
user damage after the initial disclosure on the list, a tort could be
brought against Mozilla by that end-user.

 Mozilla has no legal or any other requirement (as far as I
 know) to include or keep a root.

 No, I'm afraid there is an agreement to list the root, under a policy. Once
 listed, Mozilla has to operate according to its side of the bargain.

The policy explicitly provides for Mozilla removing a root, at its
option.  Section 4 of the CA Certificate Policy: We reserve the right
to not include a particular CA certificate in our software products,
to discontinue including a particular CA certificate in our products,
or to modify the trust bits for a particular CA certificate included
in our products, at any time and for any reason.

It gives examples of the situations that it could do so in, but it
also explicitly states that its appropriate reasons for doing so ARE
NOT LIMITED TO those examples.

Please also recognize that the right and protection of the many tends,
at least in the US court system that Mozilla and Comodo are subject
to, outweighs the right and protection of the few or one (the company
which operates the CA).

 This is a general consequence of business, there is nothing special about
 it.  Ask any experienced

Re: dropping the root is useless

On Sun, Dec 28, 2008 at 9:28 AM, Ian G i...@iang.org wrote:
 On 28/12/08 17:06, David E. Ross wrote:
 How about the users of Mozilla products who might lose money or even go
 bankrupt because they trusted a root certificate from such a CA?  No,
 such losses are not known (yet).  What did happen, however, indicates
 that such losses are indeed possible and not only through Certstar.

 Yes, indeed.  That's a big question.

 What I am suggesting is that dropping the root will not address that
 question.  It is too blunt a weapon to be used reliably.

Considering that trustability is viewed as a binary state, it's the
only weapon that Mozilla has.

-Kyle H
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless


On 29/12/08 00:37, Kyle Hamilton wrote:

On Sun, Dec 28, 2008 at 9:28 AM, Ian Gi...@iang.org  wrote:

On 28/12/08 17:06, David E. Ross wrote:

How about the users of Mozilla products who might lose money or even go
bankrupt because they trusted a root certificate from such a CA?  No,
such losses are not known (yet).  What did happen, however, indicates
that such losses are indeed possible and not only through Certstar.

Yes, indeed.  That's a big question.

What I am suggesting is that dropping the root will not address that
question.  It is too blunt a weapon to be used reliably.


Considering that trustability is viewed as a binary state, it's the
only weapon that Mozilla has.



Yes.  This is reason for concern.

iang
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless

On Sun, Dec 28, 2008 at 3:42 PM, Ian G i...@iang.org wrote:
 On 29/12/08 00:37, Kyle Hamilton wrote:
 Considering that trustability is viewed as a binary state, it's the
 only weapon that Mozilla has.


 Yes.  This is reason for concern.

FWIW, I agree.

Alright, I propose that, in a new thread, we open the table for
discussion of the problems inherent in the binary-state model, and
ways to mitigate these problems?

-Kyle H
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless


On 29/12/08 00:36, Kyle Hamilton wrote:

On Sun, Dec 28, 2008 at 6:24 AM, Ian Gi...@iang.org  wrote:




Unlike you, Eddy actually runs a certifying authority.  This means
that he has operational experience with not only the technical sides
of things, but also the legal sides of things.



I support your right to an opinion, but can you please ground your 
criticisms in facts of relevance, rather than ad hominims.




Just because you also happen to be an advocate for CAcert


Strawman.  An Auditor is perhaps an advocate in the sense that he writes 
an opinion.  I have not done that, and won't for another 6 months at 
current progress.  Here's *just* the local dirt:


https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158

I think the advocacy claim looks a little silly, no?  Absurd, even.



(and --
unlike Eddy -- feel the urge to hide that affiliation)  does not mean
that you actually run it, or have the depth or breadth of knowledge
necessary to do so.  This message shows me that you honestly don't
care about what security actually is, you just care about the
end-user experience.  This is NOT the same thing.  As such, my
opinion of your authority on the subject matter has diminished
severely.



You are entitled to your opinion, but I would ask you to consider that 
this is a policy forum, not an ad hominem shooting match.




True security involves knowing what the risks are.  Mozilla's policy
for root inclusion tries to reduce the uncertainty for end-users;
unfortunately, as has been pointed out repeatedly, there is still far
too much uncertainty for end-users in Comodo's operations.



The point I have made is that the discussion of Comodo's operations is 
outside scope of this forum.  You may feel that you have an opinion, and 
you have a right to it.  However, this forum is not for the 
investigation of breaches or failures to comply with policies.


If you dislike that, don't start a war against me.  Suggest a policy 
change to Mozilla.  If you want wordings, try this:


   x.  Any breaches of security or failures to comply will be
   discussed in the policy forum of Mozilla, a ruling by consensus
   delivered, and will be binding on the CA.

Don't disagree with me in a post, do something.  Write the proposal, 
change the policy.  Words are less important than acts.




They have
lost my trust, the same way that you have.



Now over to you.  Act, not talk.  Make a dispute resolution forum happen.



On 28/12/08 14:21, Eddy Nigg wrote:

On 12/28/2008 02:46 PM, Ian G:

1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we would call in
business circles a plausible bankrupcy event.

Not relevant.


Well!  If they are not relevant, then perhaps we can turn SSL off, with no
consequences?


If Nelson can upbraid me for ad hominem attacks, I'm going to upbraid
you for ad absurdem arguments.

TLS (can we PLEASE stop using SSL, since the last version of SSL
that got ratified by any standards organization was SSLv2, and SSLv3
is a hack that reached internet-draft phase but was never formally
recognized?) has the option of negotiating a secure connection without
the use of any certificates at all.  (Further, SSLv3 also had the same
mechanism.)

There's still the endpoint confidentiality concept -- nobody between
the client and the server that the client is talking to can hear
what's being said between them.  The problem that certificates (or key
continuity management) is designed to solve is the problem where the
client thinks it's talking to one server, when it's really talking to
another (the fraudulent endpoint attack in the case where the
server-endpoint doesn't pass any data to the real server, and the man
in the middle attack in the case it does).



Er, Kyle, you are off on a tangent here.  My point with Eddy was fully 
addressed by him pointing out that he was only dealing with the last 
sentance, I thought he was referring to the earlier sentances.  A 
reasonable clarification.




To ignore the obvious legal ramifications (agreements in RPAs, disclaimers
to end-users, potential lawsuits ...) would be negligence, IMHO.

We know the ramifications exist.  We know they may be serious.  We know that
assertations of security are being made to end-users.  Hence to continue
making these assertations, and not treat them seriously would be negligence.

I personally choose not to follow that path into negligence, and will
continue to consider the legal ramifications, which leads to the question of
how we consider them.


In my mind (and this is not legal advice, merely a statement of
thought presented for the purposes of argument), Mozilla has a duty to
me as an end-user to uphold the letter and spirit of its CA
Certificate Policy.  I've already presented my thought on how a full
tort could be

Re: dropping the root is useless


On 12/29/2008 03:09 AM, Ian G:


The point I have made is that the discussion of Comodo's operations is
outside scope of this forum. You may feel that you have an opinion, and
you have a right to it. However, this forum is not for the investigation
of breaches or failures to comply with policies.

If you dislike that, don't start a war against me. Suggest a policy
change to Mozilla. If you want wordings, try this:

x. Any breaches of security or failures to comply will be
discussed in the policy forum of Mozilla, a ruling by consensus
delivered, and will be binding on the CA.



I don't think you are entirely correct, Ian. The community has its say, 
is free to discuss, suggest, propose, vent its anger and more. The 
ultimate decision lies with Frank and Mozilla's management, however 
discussions, suggestions, opinions, proposals are an important part of 
shaping those decisions I think. I'm saying this from experience as many 
times the mentioned above influenced decisions and/or resulted directly 
in actions. I think this is what makes Mozilla incredible unique.


Not every objection, suggestion or proposal results in a standing 
ovation obviously, but overall I'm quite pleased. And it's a two way 
street many times, as members of Mozilla and the community made 
suggestions or voiced their opinion, which directly lead to changes at 
the company *I* run. Sometimes this happened in the public forums, 
sometimes in private. The decisions are taken obviously elsewhere, 
however this forum directly influenced some them.


In that respect I disagree that this forum isn't the right place to 
discuss, disclose, propose, exchange thoughts and even investigate. I 
wouldn't know a better place. And in the same time, I'd disagree that 
the community should make the ultimate decision, the responsibility is 
clearly with the Mozilla Foundation (?) and must be decided there.



--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless

2008-12-28 Thread David E. Ross

On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:
 CertStar was found out, only due to the diligence of someone on this
 list.  How many other RAs haven't been found out yet?  We can't know,
 because Comodo won't say.  This affects the confidence I have in their
 system (i.e., it removes ALL confidence that Mozilla extended on my
 behalf).

Actually, Eddy discovered the problem only through the fortuitous
receipt of spam from CertStar.  If he had not received the spam -- even
if others had received it -- it is possible the problem would never have
been discovered.  This is why the discovery is so frightening.

Now that it is known that a subordinate reseller operating under one CA
issued certificates without authenticating the identity of the
subscribers, we know that the theoretical concern expressed (before all
this) about resellers is no longer theoretical.  NOW is the time to
require that all CAs supervise the operations of their RAs and
resellers.  This must be done in a way that independent audits of the
CAs examine the implementation of such supervision, which can be
accomplished by requiring (at least with respect to the Mozilla
database) that CPs explicitly address how that supervision is performed.

Either a CA's CP must explicitly state that there are NO external RAs or
resellers, or else the CP must describe how external subordinates are
monitored.  Without this, a CA's request to have its root certificate
included in the Mozilla database should be denied.  Since an audit will
generally report on the implementation of such a policy but not
necessarily on the policy's adequacy, the internal and public reviews of
CA requests must examine the adequacy of the CA's policy for monitoring
external subordinates.

-- 
David E. Ross
http://www.rossde.com/

Go to Mozdev at http://www.mozdev.org/ for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: dropping the root is useless