Re: Root certificate authorities

2011-03-14 Thread Steve Schultze

On 3/5/11 3:22 PM, Nelson B Bolyard wrote:

Brian Smith wrote:

Ritmo2k wrote:

Anyone know if its possible to configure Firefox to implicitly trust
all certificate authorities installed in the Windows Trusted Root
Certification Authorities Store?


Firefox does not support this yet. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=454036
https://bugzilla.mozilla.org/show_bug.cgi?id=390221


There's an unfinished set of code in Mozilla's CVS repository that
implements a PKCS#11 module on top of MS CAPI, enabling access to certs
and keys in Windows' cert and key stores.  Read about it in
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/


There are some pretty major security implications to doing something 
like this.  Windows does not have a static list of root certs in the 
Root Store.  Instead, it dynamically phones home to Microsoft to 
check for root certs when a user tries to use an end-entity cert that 
chains up to an unknown root cert.  Microsoft also adds new root certs 
without any meaningful end-user notice.  The end result is that there is 
no way for you to predict what will be in your trusted list.


On 3/4/11 9:46 PM, Brian Smith wrote:

In theory you could write a script that exports all the CA certificates from
the Windows certificate store and then uses those tools to import them into
the user's certificate database. But, you would have to run it individually
for each user. And, you would not be able to run it while Firefox is running.

You can also manually export the CA certificates from the Windows certificate
store as individual files and then import them into Firefox manually using
Tools -> Options -> Advanced -> View Certificates -> Import.


This will only give you the state of your local cache of a subset of the 
Microsoft-approved certs.  If you wanted Firefox to behave like Chrome 
or IE you would have to trigger the phone home upon encountering an 
unknown root cert.


The larger question is why this is seen as better.  More root certs 
does not equal better security, and there's no evidence that the 
Microsoft process for approving roots is better than the Mozilla one.


Reference:
http://support.microsoft.com/kb/931125

Root certificates on Windows Vista and later are distributed via the 
automatic root update mechanism – that is, per root certificate.  When a 
user visits a secure Web site (by using HTTPS SSL), reads a secure email 
(S/MIME), or downloads an ActiveX control that is signed (code signing) 
and encounters a new root certificate, the Windows certificate chain 
verification software checks Microsoft Update for the root certificate. 
If it finds it, it downloads the current Certificate Trust List (CTL) 
containing the list of all trusted root certificates in the Program, and 
verifies that the root certificate is listed there; it then downloads 
the specified root certificate to the system and installs it in the 
Windows Trusted Root Certification Authorities Store.  If the root 
certificate is not found, the certificate chain is not completed, and 
the system returns an error. To the user, a successful root update is 
seamless. The user does not see any security dialog boxes or warnings. 
The download happens automatically.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Root certificate authorities

2011-03-13 Thread Honza Bambas

On 3/5/2011 9:22 PM, Nelson B Bolyard wrote:

There's an unfinished set of code in Mozilla's CVS repository that
implements a PKCS#11 module on top of MS CAPI, enabling access to certs
and keys in Windows' cert and key stores.  Read about it in
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/

Nelson, are there any movements to finish this one?  I could 
potentially work on it as I'm mainly a Windows developer.

-hb-



Re: Root certificate authorities

2011-03-07 Thread Ritmo2k
On Mar 5, 1:22 pm, Nelson B Bolyard nel...@bolyard.me wrote:
 Brian Smith wrote:
  Ritmo2k wrote:
  Anyone know if its possible to configure Firefox to implicitly trust
  all certificate authorities installed in the Windows Trusted Root
  Certification Authorities Store?

  Firefox does not support this yet. See:

 https://bugzilla.mozilla.org/show_bug.cgi?id=454036
 https://bugzilla.mozilla.org/show_bug.cgi?id=390221

 There's an unfinished set of code in Mozilla's CVS repository that
 implements a PKCS#11 module on top of MS CAPI, enabling access to certs
 and keys in Windows' cert and key stores.  Read about it in
 http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/

 --
 /Nelson Bolyard

Thanks everybody for all the info.


Re: Root certificate authorities

2011-03-05 Thread Dmitry Sokolov

This probably means you understood the docs right :)
I do not think it is possible with the standard mozilla-nss environment.

Ritmo2k jcas...@gmail.com wrote in message 
news:mailman.664.1298998686.4383.dev-tech-cry...@lists.mozilla.org...
I have read the docs for the tools at 
http://www.mozilla.org/projects/security/pki/nss/tools/index.html

but I am still unclear as to how or if its even possible to configure
Firefox to implicitly trust all certificate authorities installed in
the Windows Trusted Root Certification Authorities Store?

Any ideas?
Thanks! 




Re: Root certificate authorities

2011-03-05 Thread Nelson B Bolyard
Brian Smith wrote:
 Ritmo2k wrote:
 Anyone know if its possible to configure Firefox to implicitly trust
 all certificate authorities installed in the Windows Trusted Root
 Certification Authorities Store?
 
 Firefox does not support this yet. See:
 
 https://bugzilla.mozilla.org/show_bug.cgi?id=454036
 https://bugzilla.mozilla.org/show_bug.cgi?id=390221

There's an unfinished set of code in Mozilla's CVS repository that
implements a PKCS#11 module on top of MS CAPI, enabling access to certs
and keys in Windows' cert and key stores.  Read about it in
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/

-- 
/Nelson Bolyard


Re: Root certificate authorities

2011-03-04 Thread Brian Smith
Ritmo2k wrote:
 Anyone know if its possible to configure Firefox to implicitly trust
 all certificate authorities installed in the Windows Trusted Root
 Certification Authorities Store?

Firefox does not support this yet. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=454036
https://bugzilla.mozilla.org/show_bug.cgi?id=390221

- Brian


Re: Root certificate authorities

2011-03-04 Thread Brian Smith
Ritmo2k wrote:
 I took a look at
 http://www.mozilla.org/projects/security/pki/nss/tools/index.html
 but it wasn’t obvious to me if this was even possible using those
 tools.

In theory you could write a script that exports all the CA certificates from 
the Windows certificate store and then uses those tools to import them into the 
user's certificate database. But, you would have to run it individually for 
each user. And, you would not be able to run it while Firefox is running.

You can also manually export the CA certificates from the Windows certificate 
store as individual files and then import them into Firefox manually using 
Tools -> Options -> Advanced -> View Certificates -> Import.

Cheers,
Brian
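Added example, not code from any message in this thread: a PowerShell script that does what Brian Smith sketches above, exporting the self-signed roots from the Windows machine Root store as DER files and importing each into one Firefox profile with the NSS certutil tool. It assumes the path to the NSS certutil.exe is passed in (the Windows built-in certutil.exe has the same name and is a different program), that $ProfileDir is the user's Firefox profile directory, and that Firefox is closed, as the thread notes; the -DryRun switch only lists what would be added, which is the step worth running first given Steve Schultze's point that the local Root store is an unpredictable snapshot.

```powershell
# Export Windows Trusted Root CAs and import them into an NSS (Firefox) profile.
# Hypothetical defaults; adjust $NssCertutil and $ProfileDir for your setup.
param(
    [Parameter(Mandatory)] [string] $ProfileDir,
    [string] $NssCertutil = 'C:\nss\bin\certutil.exe',   # assumption: NSS tools install path
    [string] $ExportDir   = (Join-Path $env:TEMP 'win-roots'),
    [switch] $DryRun                                     # list only, touch nothing in the profile
)

if (-not (Test-Path $NssCertutil)) {
    throw "NSS certutil not found at $NssCertutil (do not confuse with Windows' own certutil.exe)"
}
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw 'Close Firefox first: NSS holds the profile database open while it runs.'
}
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Self-signed entries only: this is the locally cached subset of Microsoft's
# root program, not the full CTL that Windows fetches on demand.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $_.Issuer })

$imported = 0
foreach ($cert in $roots) {
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $file = Join-Path $ExportDir ("{0}.der" -f $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($file, $der)

    # NSS nicknames must be unique within the database; the thumbprint guarantees that.
    $nick = "WinRoot {0}" -f $cert.Thumbprint
    if ($DryRun) {
        Write-Host ("would import {0}  {1}  expires {2:yyyy-MM-dd}" -f `
            $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
        continue
    }
    # -t 'C,,' marks the cert as a trusted CA for SSL server auth only; granting
    # e-mail or code-signing trust as well is a deliberate choice, not the default here.
    # For a cert9.db (sql) profile pass "sql:$ProfileDir" to -d instead.
    & $NssCertutil -A -d $ProfileDir -n $nick -t 'C,,' -i $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("import failed for {0}" -f $cert.Subject)
        continue
    }
    $imported++
}
Write-Host ("{0} of {1} root certificates imported into {2}" -f $imported, $roots.Count, $ProfileDir)
```

Run it once per user profile, since NSS databases are per profile rather than system-wide.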