
Including regional CA root certs


Gervase Markham

Feb 6, 2007, 11:39:48 AM
The mozilla.org CA certificate policy[0] states, in part:

"We require that all CAs whose certificates are distributed with our
software products provide some service relevant to typical users of our
software products."

We have interpreted this to include standard commercial CAs, other CAs
who sell certificates to anyone or almost anyone, and government-run
CAs. We have interpreted it to exclude CAs which are internal to a
business or organisation.

We have two outstanding applications for inclusion from CAs who
represent not a national government, but a regional government. They are
from the regional government of Catalonia, Spain[1] and the city
government of Vienna, Austria[2].

The inclusion of a CA incurs a cost - in time to evaluate the request
(and we do have a backlog), in download size, and in marginally
increased risk of a failure of the system by e.g. private key
compromise. We have to balance that against the expected usefulness of
the root certificate to our users.

We are, at this time, uncertain as to where and how to draw the line,
and so are putting the issue here for discussion. Options include, but
are not limited to, excluding all CAs serving less than a country,
including all CAs who apply, and shipping some certs in some builds and
not in others. Thoughts?

Please respect the Followup-To header.

Gerv

[0]
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=295474
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=295474

Giacomo Magnini

Feb 6, 2007, 12:17:57 PM
What about including a "minimal" list in the distribution, and then
supplying an extension with the rest (or even more than one)?
Ciao, Giacomo.

Ben Bucksch

Feb 6, 2007, 1:22:37 PM
to Gervase Markham
Gervase Markham wrote:
> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of
> our software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They
> are from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].

First: Do these CAs and the other government-run CAs issue certs only to
members of the organization (employees etc.) or to the citizens? I
think that makes a big difference: In the former case, it's just a CA
internal to an organization (even if large org). If the latter, the
government practically acts as CA for their citizens and replaces normal
CAs, so I think they have a good argument to be in.

These new applications are the same on a smaller scale. I don't have a
strong opinion here.

However, the 2 particular cases are maybe special, each:

* Catalonia is an "autonomous community". I don't know whether
there's a delicate political dimension to it. Compare ETA, which
fights for independence of the Basque communities/regions.
* Vienna - like Munich - is switching to Linux, OpenOffice and
Mozilla, and making news. Maybe we want to give them special support.

Toni Hermoso Pulido

Feb 6, 2007, 3:07:37 PM
to Mozilla l10n

Ben Bucksch wrote:

> * Catalonia is an "autonomous community". I don't know whether
> there's a delicate political dimension to it. Compare ETA, which

For the sake of clarity, without entering into political considerations, an
Autonomous Community is a Spanish political division, which regarding
competences (which may actually vary highly depending on the Autonomous
Community) is roughly something between a German Land and a French région.

Heikki Toivonen

Feb 6, 2007, 3:55:55 PM
Gervase Markham wrote:
> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

I would not like to see regional (less than a country) CAs included in
the mainline products distributed by Mozilla.

Currently my preference would be to see these as part of the most
specific language pack for that region (in some cases people can
download a localized product instead of an xpi as well).

--
Heikki Toivonen

Toni Hermoso Pulido

Feb 6, 2007, 4:31:28 PM
to dev-...@lists.mozilla.org

Heikki Toivonen wrote:


> Gervase Markham wrote:
>> We are, at this time, uncertain as to where and how to draw the line,
>> and so are putting the issue here for discussion. Options include, but
>> are not limited to, excluding all CAs serving less than a country,
>> including all CAs who apply, and shipping some certs in some builds and
>> not in others. Thoughts?
>
> I would not like to see regional (less than a country) CAs included in
> the mainline products distributed by Mozilla.
>

From what I can understand according to that criterion: a public CA from
Andorra (with less than 70.000 inhabitants and with no current public CA
nowadays) would be accepted, but the Autonomous Community of Catalonia
with more than 7.000.000 inhabitants and a current public CA submitted
as a bug 2 years ago, wouldn't.
As a matter of fact, a public Spanish certificate may be useless for
Catalonian users except for state transactions, which are less
frequent than regional and local ones, where CatCert is being used.


Frank Hecker

Feb 6, 2007, 5:23:16 PM
Ben Bucksch wrote:
> First: Do these CAs and the other government-run CAs issue certs only to
> members of the organization (employees etc.) or to the citizens?

In (I think) all the cases we're concerned with, the government-run CAs
do in fact issue certificates to individual citizens and/or to
corporations or other non-governmental organizations. However note that
if a government CA issues certificates only to government departments
then it might still be relevant to typical Mozilla users; for example,
the government CA might issue SSL certificates for servers used to
provide government services to citizens, businesses, etc.

> I think that makes a big difference: In the former case, it's just a CA
> internal to an organization (even if large org).

I agree that if certificates are used solely for internal government use
then there's no justification for including such a CA in the default
Mozilla list.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Frank Hecker

Feb 6, 2007, 5:45:01 PM
Toni Hermoso Pulido wrote:
> From what I can understand according to that criterion: a public CA from
> Andorra (with less than 70.000 inhabitants and with no current public CA
> nowadays) would be accepted, but the Autonomous Community of Catalonia
> with more than 7.000.000 inhabitants and a current public CA submitted
> as a bug since 2 years ago, wouldn't.

Yes, examples like this are exactly why we're soliciting opinions on
whether we should modify our policy.

Incidentally, note also that there are different possible definitions of
what constitutes a "country" (or more formally, a "sovereign state").
For example, Andorra is a United Nations member state, but Taiwan
(Republic of China) is not; however we've already approved a government
root CA for Taiwan. There are other interesting edge cases of entities
that have ISO 3166-1 country codes but are not necessarily considered
full sovereign states. Wikipedia has some interesting background on the
complexities of this question:

http://en.wikipedia.org/wiki/List_of_sovereign_states

David E. Ross

Feb 6, 2007, 7:02:36 PM

The policy should be revised to permit (not mandate) localized root
certificates in localized Mozilla products. Catalan is listed at
<http://www.mozilla.org/projects/l10n/mlp_status.html> as a target
language for localization of Mozilla products. With such a policy
revision, Bug 295474 could be left to the localizers to address if they so
choose.

The wrong bug number is cited for the Vienna certificate. It's #342503
at <https://bugzilla.mozilla.org/show_bug.cgi?id=342503>. Since German
is also a target language for localization, this too could be addressed
by such policy change.

In any case, the installation of new root certificates is not overly
difficult for users. Thus, I don't understand the constant harping by
those who insist that Mozilla must install certificates contrary to its
policy (especially contrary to the last bullet under Section 6).

--

David E. Ross
<http://www.rossde.com/>

Concerned about someone (e.g., Pres. Bush) snooping
into your E-mail? Use PGP.
See my <http://www.rossde.com/PGP/>

pascal

Feb 6, 2007, 8:31:51 PM
Frank Hecker wrote:

> Toni Hermoso Pulido wrote:
>> From what I can understand according to that criterion: a public CA from
>> Andorra (with less than 70.000 inhabitants and with no current public CA
>> nowadays) would be accepted, but the Autonomous Community of Catalonia
>> with more than 7.000.000 inhabitants and a current public CA submitted
>> as a bug since 2 years ago, wouldn't.
>
> Yes, examples like this are exactly why we're soliciting opinions on
> whether we should modify our policy.

We definitely should, it would not make sense to allow the Vatican (a
800 people "state" ;-) ) to have a public CA included in Mozilla while
refusing Catalonia to have one. In the end, the purpose of including CAs
is to give the right service to our users and if our users have to
switch to IE to pay their taxes to the government or if Firefox can't be
used by companies/administrations in Spain because it does not include a
major regional CA we are doing something wrong, aren't we ?

>
> Incidentally, note also that there are different possible definitions of
> what constitutes a "country" (or more formally, a "sovereign state").
> For example, Andorra is a United Nations member state, but Taiwan
> (Republic of China) is not; however we've already approved a government
> root CA for Taiwan. There are other interesting edge cases of entities
> that have ISO 3166-1 country codes but are not necessarily considered
> full sovereign states. Wikipedia has some interesting background on the
> complexities of this question:
>

Then if the state of Washington would need its own CA for its citizens
we would refuse it because Washington is not a United Nations member
state ? If the answer is no, we would accept their CA, then you have
your answer for the specific case of Catalonia because the legal
background is the same: two regional states in a federal nation whose
independence and rights are protected by a constitution.

Then you have the Vienna case, which is indeed more tricky ;)

Pascal

Michael Ströder

Feb 7, 2007, 4:48:30 AM
Gervase Markham wrote:
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They are
> from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].
> [..]

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

I'd recommend that all builds should include the same set of
pre-installed CA certs.

Ciao, Michael.

Gervase Markham

Feb 7, 2007, 6:45:46 AM
Giacomo Magnini wrote:
> What about including a "minimal" list in the distribution, and then
> supplying an extension with the rest (or even more than one)?

That is one technical way we could achieve the goal of shipping
different sets of certs with different builds, yes. But the question is
not about whether it's technically possible. :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:51:16 AM
Toni Hermoso Pulido wrote:
> From what I can understand according to that criterion: a public CA from
> Andorra (with less than 70.000 inhabitants and with no current public CA
> nowadays) would be accepted, but the Autonomous Community of Catalonia
> with more than 7.000.000 inhabitants and a current public CA submitted
> as a bug since 2 years ago, wouldn't.

That would be correct. This is one of the side-effects you get from
drawing the line at the country level.

But if you said "we'll allow any CA which serves a constituency of
5,000,000 people or more", then you may get legitimate complaints from
the governments of up to 80 countries!

Gerv

Gervase Markham

Feb 7, 2007, 6:53:04 AM
Michael Ströder wrote:
> I'd recommend that all builds should include the same set of
> pre-installed CA certs.

Asserting an opinion is fine, but it will carry more weight if backed up
with a justification :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:58:43 AM
Toni Hermoso Pulido wrote:
> For the sake of clarity, without entering into political considerations, an
> Autonomous Community is a Spanish political division, which regarding
> competences (which may actually vary highly depending on the Autonomous
> Community) is roughly something between a German land and a French région.

Very tactfully put :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:59:02 AM
David E. Ross wrote:
> The policy should be revised to permit (not mandate) localized root
> certificates in localized Mozilla products. Catalan is listed at
> <http://www.mozilla.org/projects/l10n/mlp_status.html> as a target
> language for localization of Mozilla products. With such a policy
> revision, Bug 295474 could be left to the localizers to address if they so
> choose.

Devil's advocate, then:

- How would you choose which languages to include it in? All languages
spoken in the region in question? There are quite a lot of expat English
speakers in Catalonia... If not all, you would end up with Jose's
browser having the CA, but Fred, who lives next door, not having it.

- Would this mean we wouldn't mind about the excess baggage for people
half a world away who speak the same language? E.g. if we included a CA
for the state of Maine, USA, in the en-US build then currently that CA
would also go to Australians, as there's no en-AU.

> In any case, the installation of new root certificates is not overly
> difficult for users.

Perhaps not. But it's not something we really want to encourage them to
do, because it's too easy for them to shoot themselves in the foot.

Gerv

João Miguel Neves

Feb 7, 2007, 9:26:01 AM
to Gervase Markham, dev-...@lists.mozilla.org
On Wed, 2007-02-07 at 11:59 +0000, Gervase Markham wrote:

> David E. Ross wrote:
> > In any case, the installation of new root certificates is not overly
> > difficult for users.
>
> Perhaps not. But it's not something we really want to encourage them to
> do, because it's too easy for them to shoot themselves in the foot.
>
I would also add that it's almost impossible to get most users to add a
root certificate securely (as in making sure it comes from a reliable
source).

Getting normal users used to adding root certificates to Firefox is,
IMHO, a security issue. If adding a root certificate becomes usual, and
even only a small part of the users don't correctly check the origin of
the certificates, SSL will provide no extra security (they can be caught
in a man-in-the-middle attack).

For this I'd say that any public service (let's say used by more than
100.000 Firefox users - calculated by browser quota times users with
internet access in the country) should have its root CA in Firefox, in
order to protect Firefox users.

The number above should be adjusted to whatever number of CAs is
possible to manage by Mozilla's people (as I see that's the only
limitation - this is not a software issue).

Best regards,
João Miguel Neves


Giacomo Magnini

Feb 7, 2007, 10:44:39 AM
Gervase Markham wrote:

> That is one technical way we could achieve the goal of shipping
> different sets of certs with different builds, yes. But the question is
> not about whether it's technically possible. :-)

I'll add that you can supply more certs with a langpack, for example, or
with localized builds. Think about the de-AT build with the cert for
Vienna...
Having a common set of certs (as someone else has stated) is
fundamental, but specific certs like the ones for Andorra, Catalan or
Vienna are not something a user from Brazil or China should bother
getting on their PCs... They should be optional, as an addon.
While on the subject, please remove the useless DOMI translations (that
would make space for all of the certs you want, btw).
Ciao, Giacomo.

Toni Hermoso Pulido

Feb 7, 2007, 11:07:08 AM
to Giacomo Magnini, dev-...@lists.mozilla.org
2007/2/7, Giacomo Magnini <giacomo....@spamportalis.it>:

> Gervase Markham ha scritto:
> > That is one technical way we could achieve the goal of shipping
> > different sets of certs with different builds, yes. But the question is
> > not about whether it's technically possible. :-)
>
> I'll add that you can supply more certs with a langpack, for example, or
> with localized builds. Think about the de-AT build with the cert for
> Vienna...

AFAIK, there is not a "de-AT" build, but a "de" one. Take a look at
the example of the state of Maine.

> Having a common set of certs (as someone else has stated) is
> fundamental, but specific certs like the ones for Andorra, Catalan or
> Vienna are not something a user from Brazil or China should bother
> getting on their PCs... They should be optional, as an addon.
> While on the subject, please remove the useless DOMI translations (that
> would make space for all of the certs you want, btw).
> Ciao, Giacomo.

Currently, I dare to say that many of the CAs included are mostly en-US
based; so they may be of little use to most of the non-American users.
Nonetheless, even though they are included, I don't think they will ever
be a nuisance to anyone...

David E. Ross

Feb 7, 2007, 11:31:34 AM

Perhaps this is an argument in favor of implementing bug #333272 with a
fourth category: local root certificates. A secure Web listing of those
certificates on a Mozilla server would provide a reliable source from
which users could download approved local certificates for installation.
These would then not have to be installed by Mozilla in its products.

Approvals of local certificates will likely not have as high a priority
as approvals of "universal" certificates. On the other hand, listing
them on a page that is SSL-secure (using a certificate signed by a root
that is already installed) would give users the ability to obtain
certificates immediately upon approval, without waiting for the next
version of the product. This would also be true of an approved
"universal" certificate still listed in the pending category while
waiting for a new product version in which it can be installed.

See <https://bugzilla.mozilla.org/show_bug.cgi?id=333272>.

Benjamin Smedberg

Feb 7, 2007, 1:55:34 PM
Gervase Markham wrote:

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?
>
> Please respect the Followup-To header.

I don't have an answer, but I firmly believe that "shipping some certs in
some builds and not in others" would be a disaster. Admittedly users of an
English Firefox are less likely to visit a website in Vienna than users of a
German build, but I myself have done business with Viennese websites on at
least one occasion, and I don't know German.

Explaining to a user that they would need to install a German Firefox (or
install a German language pack) to visit a Viennese website is a serious
support burden. Just as we try very hard to support the same set of gecko
features in all gecko-based apps (e.g. SVG/canvas/mathml), we should support
the same set of root certificates.

--BDS

Frank Hecker

Feb 7, 2007, 2:08:20 PM
Toni Hermoso Pulido wrote:
> Currently, I dare to say that many of the CAs included are mostly en-US
> based; so they may be of little use to most of the non-American users.

Note that for at least the past year almost all of the new requests have
come from CAs outside the US.

Looking through the list that Nicholas Bebout compiled at

http://www.mozilla.org/projects/security/pki/nss/ca-certificates/cacertlist.csv

there appear to be about 30 or so different organizations running CAs
(some with multiple roots), and at least one third of those are not
US-based. Also, all of the government-run CAs included in Mozilla are
outside the US.

Michael Ströder

Feb 7, 2007, 2:47:24 PM
Heikki Toivonen wrote:
>
> Currently my preference would be to see these as part of the most
> specific language pack for that region (in some cases people can
> download a localized product instead of an xpi as well).

I'd strongly recommend to not make this a localization issue! I think
this would confuse users who might use different localized builds but
are accessing the same secured regional web sites.

IMHO the organizations are concerned about getting their CA certs in to
be able to issue automatically accepted SSL server certs for their
systems since commercial CAs are expensive.

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:40:18 PM
Giacomo Magnini wrote:
> What about including a "minimal" list in the distribution, and then
> supplying an extension with the rest (or even more than one)?

I think it's not appropriate to pack more CA certs into an extension.

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:51:23 PM
pascal wrote:
> [..] if our users have to

> switch to IE to pay their taxes to the government or if Firefox can't be
> used by companies/administrations in Spain because it does not include a
> major regional CA we are doing something wrong, aren't we ?

So you propose a policy to include all CA certs which are pre-installed
with MS IE? Is the CA cert of Catalonia pre-installed in IE? ;-)

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:59:13 PM
Gervase Markham wrote:
>
> Devil's advocate, then:
>
> - How would you choose which languages to include it in? All languages
> spoken in the region in question? There are quite a lot of expat English
> speakers in Catalonia... If not all, you would end up with Jose's
> browser having the CA, but Fred, who lives next door, not having it.
>
> - Would this mean we wouldn't mind about the excess baggage for people
> half a world away who speak the same language? E.g. if we included a CA
> for the state of Maine, USA, in the en-US build then currently that CA
> would also go to Australians, as there's no en-AU.

That's exactly the point. It's definitely not subject for localization.

>> In any case, the installation of new root certificates is not overly
>> difficult for users.
>
> Perhaps not. But it's not something we really want to encourage them to
> do, because it's too easy for them to shoot themselves in the foot.

I'd like to remind everybody that self-signed root CA certs are trust
anchors. One cannot revoke self-signed root CA certs. What's really
missing in this discussion is how to evaluate how trust-worthy a CA is
operating the certification service. IMHO this should be an important
criterion. Because certs are for security...

For this reason I think that Follow-up: mozilla.dev.tech.crypto would
have been more appropriate.

Ciao, Michael.

Ricardo Palomares Martinez

Feb 7, 2007, 2:34:22 PM
Ben Bucksch wrote:

> First: Do these CAs and the other government-run CAs issue certs only to
> members of the organization (employees etc.) or to the citizens? I
> think that makes a big difference: In the former case, it's just a CA
> internal to an organization (even if large org). If the latter, the
> government practically acts as CA for their citizens and replaces normal
> CAs, so I think they have a good argument to be in.


Yes, this kind of CA issues certs to citizens; they probably don't
replace commercial CAs, but provide a service that commercial CAs
can't give, since their certs are used for tax payment and other
administrative transactions.


> * Catalonia is an "autonomous community". I don't know whether
> there's a delicate political dimension to it. Compare ETA, which
> fights for independence of the Basque communities/regions.


As a Spanish citizen, and to put it in a bit of context, I can assure
you they don't have anything to do with each other. Catalonia is an
administrative division inside Spain, like 16 others (including Euskadi /
Basque Country). At the very least, both Euskadi and Catalonia (and
probably other regions in Spain, too) have had more competencies
transferred from central government, since long ago, than Northern Ireland
has nowadays.

This shift of competencies from central government to autonomies means
that the latter have the choice/need to establish their own CAs (BTW,
one of the most important Spanish central government CAs, FNMT, is not
shipped by default, AFAIK). FWIW, if this whole issue of shipped CAs
were resolved as David E. Ross suggests, implementing local root
certificates that can be shipped exclusively by one or some langpacks,
I would be willing to see the CatCert CA, like many other autonomic CAs,
shipped in es-ES.

Regarding en-US shipping USA CAs that won't be used by Australians,
that could be easily solved if enough people are interested in it,
just by creating an en-AU team. Well, it would depend on how the local
root certificates solution is implemented, but I think that localizers
should help mozilla.org's security staff to decide which CAs are
really truthful and useful.

Ricardo.

--
If it's true that we are here to help others,
then what exactly are the OTHERS here for?

Michael Ströder

Feb 7, 2007, 3:03:51 PM

Almost all of my German customers do not install the German version of
software packages. They choose the "international" (say US) version to
downsize their support efforts.

Ciao, Michael.

David E. Ross

Feb 7, 2007, 3:58:26 PM

Having very little experience with IE, how would I check the existence
of any root certificate installed for that browser? I have IE 7 with
WindowsXP, but I use it only to download Windows updates.

pascal

Feb 7, 2007, 4:45:39 PM
Michael Ströder wrote:

included:
http://support.microsoft.com/?scid=kb%3Ben-us%3B931125&x=16&y=15

Pascal

Axel Hecht

Feb 7, 2007, 6:06:39 PM

To make a British parliament vote, yay yay.

Can we just for the sake of the argument put numbers on the cost of
certificates?

Like, is there a working set cost, start up time, shipping size? How
much is a cert after 7zip compression?

And is there a maintenance cost in a cert, or is it just a setup cost?

Axel

Jonas Sicking

Feb 7, 2007, 6:28:54 PM
I think bug 342503 sums this up pretty well. I think shipping some certs
in some builds but not in others is a really bad idea which will
increase the number of builds we do by a lot. We'd essentially have to have
one build per country per language; for example I'd have to use an
English-for-Sweden build since I prefer to have my browser in English,
but I do like to visit Swedish sites, but I'd also have to have an
English-for-US build since I live in the US and visit US sites.

I don't think having regional CAs will scale. If we start allowing them
we open the floodgates for any region to set up their own CA and we'll
get swamped with requests.

All my humble opinion of course :)

/ Jonas

Gervase Markham wrote:
> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of our
> software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.
>

> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They are
> from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].
>

> The inclusion of a CA incurs a cost - in time to evaluate the request
> (and we do have a backlog), in download size, and in marginally
> increased risk of a failure of the system by e.g. private key
> compromise. We have to balance that against the expected usefulness of
> the root certificate to our users.
>

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?
>
> Please respect the Followup-To header.
>

Frank Hecker

Feb 7, 2007, 8:46:49 PM
Michael Ströder wrote:
> I'd like to remind everybody that self-signed root CA certs are trust
> anchors. One cannot revoke self-signed root CA certs. What's really
> missing in this discussion is how to evaluate how trust-worthy a CA is
> operating the certification service. IMHO this should be an important
> criterion. Because certs are for security...

Just to be clear on this point: We already have an established policy
for evaluating CAs and deciding whether they are "trust-worthy" enough
to include in Mozilla-based products. We are *not* proposing to relax
that policy for regional CAs. Rather what we want to discuss is how to
handle CAs that are perfectly good CAs but that operate only in specific
geographical areas.

> For this reason I think that Follow-up: mozilla.dev.tech.crypto would
> have been more appropriate.

Our interest was specifically in looking at CAs in the context of
localized versions, which is why we thought m.d.l10n was the best group
for followup. The folks in m.d.t.crypto are not necessarily familiar with
the CA situation in various countries and regions around the world.

Frank Hecker

Feb 7, 2007, 10:03:34 PM
Axel Hecht wrote:
> Can we just for the sake of the argument put numbers on the cost of
> certificates?
>
> Like, is there a working set cost, start up time, shipping size? How
> much is a cert after 7zip compression?

All pre-loaded CA certificates are stored in a shared library. For Mac
OS X this library is libnssckbi.dylib; I think the corresponding
libraries for Windows and Linux/Unix are libnssckbi.dll and
libnssckbi.so. On OS X this library contains on the order of 100
certificates and is about 500KB installed and under 200KB compressed. (I
don't have any figures on working set sizes.)

There's undoubtedly some overhead in this library, so the actual
per-cert size is less. However on the other hand CA certificates are
growing larger over time, as CAs replace their existing key pairs with
longer ones (for increased security). So I think it's reasonable to
assume certificates have a cost of about 5KB per cert installed and
about 2KB per cert downloaded.

Finally, note that most CAs actually have multiple root CAs and thus
multiple root CA certificates; typical numbers are around 2-4
certificates per CA. So adding a new CA typically would expand the
certificate list by 10-20KB as installed and 4-8KB as downloaded.

> And is there a maintainance cost in a cert, or is it just a setup cost?

The setup cost for certificates is predominantly the time required to
evaluate each CA, plus the time to add new certificates to the NSS code
base. I'd estimate this as 1-2 person-days per CA. (The time per
certificate is less, since as noted above most CAs have more than one
certificate being included.)

There's effectively no maintenance cost for CAs and certificates today,
since once a CA has been added we don't go back and re-evaluate it.
However we really should be doing this, preferably on a yearly basis.
This cost would likely be on the order of 0.5-1 person-days per CA.

(You may be thinking, that's a lot of time to spend dealing with CAs and
certificates. If so, you're right. By way of comparison, note that
Microsoft has a full-time person whose primary responsibility is doing
CA-related stuff.)

David E. Ross

Feb 7, 2007, 10:56:32 PM

By the way, I'm not advocating that Mozilla actually have the local root
certificates on its server. The "local root certificates" Web page
would merely contain links to the certificate authorities from which a
user could then download and import the certificates. The purpose of
the page would be to provide those links in a secure environment where a
user could rely on the authenticity of those links.

It might even be possible to create such a Web page without even
approving the local certificates. After verifying the links and other
data that would be on the Web page, an entry could be made without
verifying the existence of a WebTrust or equivalent audit. Of course,
a prominent warning would then have to appear on such a page, advising
users that they (and not Mozilla) are responsible for any consequences
from trusting the certificate authorities listed there.

Gervase Markham

Feb 8, 2007, 6:10:56 AM

Yes, as is the one of the city of Vienna. But I believe these are the
only two sub-governmental regional CAs they have.
http://support.microsoft.com/kb/931125

Gerv

Gervase Markham

Feb 8, 2007, 6:13:16 AM
David E. Ross wrote:
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=333272>.

I don't really believe this bug solves much. Even if we had the time
and money to design a really secure system (imagine what would happen if
it broke - someone could insert their own CA and MITM everyone), it
would still involve getting people to install their own roots, which is
something we want to avoid.

Gerv

Gervase Markham

Feb 8, 2007, 6:19:02 AM
Jonas Sicking wrote:
> I think bug 342503 sums this up pretty well. I think shipping some certs
> in some builds but not in others is a really bad idea which will
> increase the number builds we do by a lot. We'd essentially have to have
> one build per country per language, for example i'd have to use a
> english-for-sweden build since I prefer to have my browser in english,
> but I do like to visit swedish sites, but I'd also have to have an
> english-for-US build since I live in the US and visit US sites.

I don't think anyone is suggesting we increase the numbers of builds we
do. The suggestion would be that certain already-existing builds acquire
some extra certificates.

> I don't think having regional CAs will scale. If we start allowing them
> we open the floodgates for any region to set up their own CA and we'll
> get swamped with requests.

Just because we allow them now doesn't mean we have to allow them later.
We could just close the door at any point.

Gerv

Toni Hermoso Pulido

Feb 8, 2007, 6:58:35 AM
to Mozilla l10n

Gervase Markham wrote:

As you can understand, Microsoft people can wittily state with this that
it is better to deploy Internet Explorer in those administrations. (sic)



David E. Ross

Feb 8, 2007, 10:58:08 AM

While I see the CatCert certificate listed on the cited MS Web site, I
do not see the Vienna certificate.

Each certificate on the MS Web page is listed with a URL. According to
bug #342503, the Web site for the Vienna CA is
<http://www.wien.gv.at/ma14/zertifikate.html>. The root certificate is
at <https://www.wien.gv.at/ca-top-2035/ext/cacert/cacert.crt>. Nowhere
on the MS Web page is "Vienna", "www.wien.gv.at", or even merely "wien".

David E. Ross

Feb 8, 2007, 11:00:43 AM

Whatever resolution is made, be sure it does not run afoul of separatist
politics.

Ibon Igartua

Feb 8, 2007, 12:19:09 PM
to Gervase Markham, Mozilla l10n Zerrenda
Gervase Markham wrote:

In that list I can also see Izenpe (http://www.izenpe.com).

Izenpe is the CA authority created by the Basque Government to handle
all the certificates with the Basque administration.

We could compare this with the Catalonia case.

I'll try to contact some people from Izenpe.

regards,

ibon - Basque lang. l10n (eu)

Frank Hecker

Feb 8, 2007, 12:57:20 PM
Ibon Igartua wrote:
> In that list I can also see Izenpe (http://www.izenpe.com).
>
> Izenpe is the CA authority created by the Basque Government to handle
> all the certificates with the Basque administration.
>
> We could compare this with the Catalonia case.
>
> I'll try to contact some people from Izenpe.

Note that we now have bug 361957 open for Izenpe, thanks to Gerv.

Frank Hecker

Feb 8, 2007, 3:20:20 PM
Jonas Sicking wrote:
> I don't think having regional CAs will scale. If we start allowing them
> we open the floodgates for any region to set up their own CA and we'll
> get swamped with requests.

This is indeed a concern. However it's also worth noting that thus far
we've gotten only a few requests for such regional CAs, and it's not
clear how many will apply in future.

It's probably worth doing a "worst case" scenario. Based on a quick look
at the US, Canada, and various countries in Europe and Asia, there are
probably on the order of three hundred or so regional governments in the
world that might be candidates to have CAs. Some of these countries
don't have true federal systems, and thus any government CAs are likely
to be national in scope (e.g., France, which recently submitted a
request for a French national CA). In other countries that do have
federal systems we haven't seen any region-level PKI initiatives emerge
yet (e.g., for states in the US). Thus in practice the number of
regional CAs and CA certificates we'll ever see for these countries will
likely be considerably less than three hundred, perhaps just a few dozen
at most. (By way of comparison, we currently have thirty or so CAs and a
hundred or so CA certificates in the default list.)

Based on this (admittedly rough) analysis, I'm not sure there's any
danger of being swamped with requests from regional government CAs, at
least in the near to mid term. I'm beginning to think that the best
approach may be to allow regional government CAs to apply for inclusion,
and then just make some reasonable judgments on a case by case basis as
to whether to include a particular CA. This is admittedly subjective,
but I don't think we can necessarily come up with a strict set of
criteria that would be applicable in all cases.

Gervase Markham

Feb 9, 2007, 5:23:20 AM
David E. Ross wrote:
> While I see the CatCert certificate listed on the cited MS Web site, I
> do not see the Vienna certificate.

They are listed as "Arge Daten", three from the top.

The URL given in the Microsoft list is the same one as in the URL field
of the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=342503

Gerv

Gervase Markham

Feb 9, 2007, 5:24:55 AM
Ibon Igartua wrote:
> In that list I can also see Izenpe (http://www.izenpe.com).
>
> Izenpe is the CA authority created by the Basque Government to handle
> all the certificates with the Basque administration.
>
> We could compare this with the Catalonia case.

Good point. As Frank says, we have a bug open for Izenpe; I didn't
realise they were also a regional CA. I've put that bug on hold also
with the same message as Vienna and Catalonia.

Gerv

Axel Hecht

Feb 9, 2007, 6:17:31 AM

I agree, we should take those certs that benefit our users, and make the
painful cut where it is becoming too painful for us.

I think we should try to pair this with some strong lobbying in the
other direction, too. Like, what are CAs good for, if users can't use
them securely. I bet that having their own CA is sexy and groovy for a
politician, and might make the regional ego proud, but it's going to be
disappointing for them to then get ignored.

Do we have contacts with the MS guy, and/or Opera here?

I don't know if there is a way to enable regional governments to use
certs without growing the CAs ad absurdum.

Target areas for that lobby work might be the US, EU, India, China, Russia.

Sounds like a worthwhile thing to spend some quality foundation
resources on, both on raising awareness of the problem, and proposing a
solution.

Axel

Christian Biesinger

Feb 9, 2007, 9:18:21 AM
Gervase Markham wrote:
> They are listed as "Arge Daten", three from the top.
>
> The URL given in the Microsoft list is the same one as in the URL field
> of the bug.
> https://bugzilla.mozilla.org/show_bug.cgi?id=342503

Arge Daten is not the same as the city of Vienna. The URL is also
different - one is /wien.html, the other is /argedaten.html.

David E. Ross

Feb 9, 2007, 7:34:49 PM

My German is quite rusty. However, it appears that the Web site for
Arge Daten is for the Austrian nation, not for the city of Vienna. The
complete title is "Arge Daten - Österreichische Gesellschaft für
Datenschutz (Verein)". "Gesellschaft" means "association" (possibly in
the context of a trade association and could indicate a for-profit
business) and thus might not even be a government agency. "Verein" also
means "association" but often in the context of people.

Bug #342503 has the URL
<http://www.signatur.rtr.at/de/providers/providers/wien.html>, which
matches what I see in the bug description. Arge Daten in the Microsoft
Web page has the URL
<http://www.signatur.rtr.at/de/providers/providers/argedaten.html>.

The domain <www.signatur.rtr.at> is for Aufsichtsstelle für
elektronische Signaturen (Supervisory Authority for Electronic
Signatures), an Austrian government agency that oversees certificate
authorities in that nation. At that domain, I found a page listing 13
active (aktiv) Austrian CAs, plus several others (including an active
German CA that is not supervised by the Aufsichtsstelle). Arge Daten is
one of the supervised, active CAs. Magistrat der Stadt Wien (Magistrate
of the City of Vienna) is another, but quite distinct; this one is the
subject of bug #342503.

To conclude, IE does NOT have the Vienna root certificate listed on its
Web page.

Robert Kaiser

Feb 10, 2007, 6:46:45 AM
David E. Ross wrote:

> My German is quite rusty. However, it appears that the Web site for
> Arge Daten is for the Austrian nation, not for the city of Vienna. The
> complete title is "Arge Daten - Österreichische Gesellschaft für
> Datenschutz (Verein)". "Gesellschaft" means "association" (possibly in
> the context of a trade association and could indicate a for-profit
> business) and thus might not even be a government agency. "Verein" also
> means "association" but often in the context of people.

As you said, ARGE Daten is something different from the City of Vienna.

ARGE Daten itself is a non-profit non-governmental organization for
preserving privacy (verbatim translation of "Datenschutz" would be "data
protection", we're using it for security/privacy means in many cases).

See also
http://www2.argedaten.at/php/cms_monitor.php?q=PUB-TEXT-ARGEDATEN&s=15048tpb
(English page about "Who is ARGE Daten?")

Robert Kaiser

Gervase Markham

Feb 12, 2007, 5:44:05 AM
Robert Kaiser wrote:
> As you said, ARGE Daten is something different from the City of Vienna.
>
> ARGE Daten itself is a non-profit non-governmental organization for
> preserving privacy (verbatim translation of "Datenschutz" would be "data
> protection", we're using it for security/privacy means in many cases).

OK - thanks for the clarification. I assumed because they were on the
same website, they'd be the same CA.

Gerv

Gervase Markham

Feb 12, 2007, 5:45:07 AM
Axel Hecht wrote:
> I think we should try to pair this with some strong lobbying in the
> other direction, too. Like, what are CAs good for, if users can't use
> them securely. I bet that having their own CA is sexy and groovy for a
> politician, and might make the regional ego proud, but it's going to be
> disappointing for them to then get ignored.
>
> Do we have contacts with the MS guy, and/or Opera here?
>
> I don't know if there is a way to enable regional governments to use
> certs without growing the CAs ad absurdum.
>
> Target areas for that lobby work might be the US, EU, India, China, Russia.

I don't quite follow. You want us to spend time lobbying regional
governments to have their own CAs?

Gerv

Axel Hecht

Feb 12, 2007, 7:50:08 AM

To do the opposite, but to focus on regions where there would be a high
probability of politicians trying to do so.

Let's try to make a non-relational statement for once, take regional CAs
as appropriate, paired with lobbying with regions to not create regional
CAs.

Axel

Toni Hermoso Pulido

Feb 12, 2007, 8:05:04 AM
to Axel Hecht, dev-...@lists.mozilla.org
2007/2/12, Axel Hecht <l1...@mozilla.com>:

I think that Mozilla should not get involved in this kind of issue,
because it's beyond what we should care about... and anyway, I agree
with Frank Hecker's explanations about fearing a rush of requests.
Mozilla should simply promote these certificates to be fully
compatible with our products. I don't think we should suggest that, let's
say, a hypothetical future Andalusian Certificate Authority not
use their own, and use Spanish ones instead...

Gervase Markham

Feb 13, 2007, 9:16:54 AM
Axel Hecht wrote:
>> I don't quite follow. You want us to spend time lobbying regional
>> governments to have their own CAs?
>
> To do the opposite, but to focus on regions where there would be a high
> probability of politicians trying to do so.

Do you think our lobbying would have any effect on whether regional
governments established CAs or not?

How would we come up with such a list of target regions?

I'm afraid the whole thing seems like a big waste of time to me, given
all the other things we could be doing :-(

Gerv

Axel Hecht

Feb 13, 2007, 12:54:35 PM
to Tristan Nitot
Gervase Markham wrote:
> Axel Hecht wrote:
>>> I don't quite follow. You want us to spend time lobbying regional
>>> governments to have their own CAs?
>>
>> To do the opposite, but to focus on regions where there would be a
>> high probability of politicians trying to do so.
>
> Do you think our lobbying would have any effect on whether regional
> governments established CAs or not?

That depends on who's doing what, I guess.

> How would we come up with such a list of target regions?

Educated guess and opportunity. Tristan may be able to shed a light on
EU or at least France, I guess John and Mitchell may be able to ask
questions about this to their China-contacts. There are some
institutional localizers in India, too.

Axel

Nelson Bolyard

Feb 19, 2007, 4:12:28 AM
Michael Ströder wrote:

> I'd recommend that all builds should include the same set of
> pre-installed CA certs.

I second that recommendation. I have two reasons, one weak, one stronger.

1. (weak) It is not an easy thing to implement regional Root CA lists.

Today the process of adding a CA cert to the built-in module is highly
automated. The C code that gets compiled in is programmatically generated.
I think that automation might have to be reworked, a lot. Today it has no
concept of any conditional compilation.

The NSS development team is resource limited and has a backlog of large
projects now. I think the sponsors of NSS development are likely to not
place high priority on implementing regional CA lists.

2. (stronger) While the regional CA may only issue certs to local / regional
Subjects, the relying parties may be world wide.

I think most of the certs to be issued by those regional CAs will not
be SSL server certs but rather will be individual email signature and
encryption certs. If a citizen of Vienna or Catalonia sends me a signed
email, signed with his local CA issued cert, I am very likely to take that
to be authentic, even though I live in California.

So, think in terms of the location of the relying parties (the people whose
browsers and email clients verify the certs received from remote peers),
rather than the location of the subjects (the parties named in the issued
certs).

When asking if a CA's certs are useful to most FF/TB users, think of them
as relying parties, not as subjects. I think that, on that basis, all
CAs certs that we approve for inclusion (by whatever constraints we impose)
should go into all our products, all our builds.

/Nelson
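
Two claims in this thread can be checked mechanically: Frank's cost estimate from his Feb 7 post (roughly 5 KB installed and 2 KB downloaded per root, growing as CAs move to longer keys) and Nelson's point above that it is the relying party's root store, not the subject's location, that decides whether a certificate verifies. The Go program below is an added example written for this page; it is not code from the thread, from NSS or from any of the CAs named here. It uses only the standard library. The CA names, the hostname and the key lengths are constructed, and gzip stands in for whatever compressor an installer would actually use.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RootStats is what one root adds to the store: DER bytes installed, gzip bytes downloaded.
type RootStats struct{ Bits, DERBytes, GzipBytes int }

// newCert generates an RSA key of the given length and has parent sign a
// certificate for it; a nil parent means self-signed. All names are constructed.
func newCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newRoot builds a self-signed CA, a stand-in for a regional government root.
func newRoot(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil, bits)
}

// MeasureRoot reports the installed (DER) and downloaded (gzip) cost of one root.
// DER compresses poorly: the key and signature are effectively random bytes, so
// the per-root cost tracks the key length rather than shrinking in transit.
func MeasureRoot(bits int) (RootStats, error) {
	cert, _, err := newRoot(fmt.Sprintf("Constructed Root CA %d", bits), bits)
	if err != nil {
		return RootStats{}, err
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(cert.Raw)
	zw.Close()
	return RootStats{Bits: bits, DERBytes: len(cert.Raw), GzipBytes: buf.Len()}, nil
}

// TrustedBy asks the relying party's question: would a client whose root store
// holds exactly these roots accept leaf for host? Where the subject is located
// never enters into it; only the verifier's store does.
func TrustedBy(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario issues one server certificate under a constructed regional root and
// checks it against a store that ships that root and a store that does not
// (the "cert not in this build" case from the thread).
func Scenario() (bool, bool, error) {
	root, rootKey, err := newRoot("Constructed Regional Root", 2048)
	if err != nil {
		return false, false, err
	}
	const host = "portal.regional.example" // constructed hostname
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}, root, rootKey, 2048)
	if err != nil {
		return false, false, err
	}
	return TrustedBy(leaf, host, root), TrustedBy(leaf, host), nil
}

func main() {
	for _, bits := range []int{2048, 4096} {
		st, err := MeasureRoot(bits)
		fmt.Printf("RSA-%d root: DER %d bytes, gzip %d bytes (err=%v)\n", bits, st.DERBytes, st.GzipBytes, err)
	}
	withRoot, withoutRoot, err := Scenario()
	fmt.Printf("accepted with regional root: %v, without: %v (err=%v)\n", withRoot, withoutRoot, err)
}
```

Running it shows the two things the thread argues over: the 4096-bit root is noticeably larger than the 2048-bit one and gzip recovers little of that, because a certificate is mostly key material and signature; and the same leaf verifies or fails depending solely on which roots the verifying client carries, which is why shipping different roots in different builds would make a Viennese site's certificate acceptable in one download of Firefox and not in another.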

Gervase Markham

Feb 21, 2007, 12:20:01 PM
Gervase Markham wrote:
> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

Several respected project contributors have expressed the opinion that,
for various excellent reasons, we should not ship different certs with
different builds. So that option is out.

There are currently four applicants which fall into this category (ACCV,
CATCert, Izenpe and the City of Vienna). There may be more in the
future. Frank estimates that each new CA costs us about 4-8K in download
size. However, I am going to assert that bandwidth is going to increase
faster than the number of CAs, and so we should not be concerned with
certificate root store download size for the Firefox product. If the
Firefox developers want to argue with that suggestion, please do.

If that is accepted, then the only constraint on including these CAs is
evaluation time. I think it's reasonable to place them at the back of
the queue but, once everyone else has been done, I intend to evaluate
them for inclusion as I would any other CA. Note that this means we will
still evaluate each CA to judge the extent of its relevance to users.
Adopting this proposed policy on regional government CAs does *not* mean
that they will be automatically included if they meet the technical
requirements; it simply means that we will not automatically eliminate
them from consideration based solely on their regional nature.

However, we reserve our right to change the policy in future and accept
no more CAs in this category - and even, although I think this would be
very unlikely, remove existing CAs to match the new policy. (Note that
the CA certificate policy already states that we may remove CAs for any
reason, so this is not a change.)

Gerv

Axel Hecht

Feb 21, 2007, 12:26:49 PM
Gervase Markham wrote:
> Gervase Markham wrote:
>> We are, at this time, uncertain as to where and how to draw the line,
>> and so are putting the issue here for discussion. Options include, but
>> are not limited to, excluding all CAs serving less than a country,
>> including all CAs who apply, and shipping some certs in some builds
>> and not in others. Thoughts?
>
> Several respected project contributors have expressed the opinion that,
> for various excellent reasons, we should not ship different certs with
> different builds. So that option is out.
>
> There are currently four applicants which fall into this category (ACCV,
> CATCert, Izenpe and the City of Vienna). There may be more in the
> future. Frank estimates that each new CA costs us about 4-8K in download
> size. However, I am going to assert that bandwidth is going to increase
> faster than the number of CAs, and so we should not be concerned with
> certificate root store download size for the Firefox product. If the
> Firefox developers want to argue with that suggestion, please do.

Cross-posting this to m.d.a.firefox, so that they actually know. .l10n
is a dead end for that part.

Axel

Channy Yun

Feb 22, 2007, 2:51:15 AM
to Gervase Markham, dev-...@lists.mozilla.org
I'm sorry for my late response. As I read the whole thread, I think there are
three opinions.

[1] Restrict requests from regional-level CAs. (Only open to global-level
CAs verified by WebTrust)
[2] Allow regional-level CAs, but distribute them only in localized versions.
[3] Allow all requests from regional-level CAs.

I think the scale of users and the uses of regional CAs are very important. In Korea,
the governmental root CA limits its service to Korean citizens and to
financial and governmental transactions by a digital signature law. It is
not allowed for SSL server certificates or email signatures right now. But
Microsoft has offered the Korean governmental root CA in IE since 2005. So they
want to expand their function to global-scale services for foreign users.

I suggest some options for regional CAs for offering pre-installed CAs:
1) If your uses are limited to local services - the national-level CAs get
[2], city-level CAs get [1].
2) If your uses expand to global services - the national-level CAs get [3],
city-level CAs get [2].

Most city-level CAs don't have a CPS in English. Localizers can help to
verify their CPS in the local language. If the national-level CAs want to expand
to global services, they need to be required to have WebTrust. I think this guideline
with other browser vendors in the CA Forum.

Channy Yun


On 2/7/07, Gervase Markham <ge...@mozilla.org> wrote:
>
> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of our
> software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They are
> from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].
>
> The inclusion of a CA incurs a cost - in time to evaluate the request
> (and we do have a backlog), in download size, and in marginally
> increased risk of a failure of the system by e.g. private key
> compromise. We have to balance that against the expected usefulness of
> the root certificate to our users.
>

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?
>

Frank Hecker

Feb 22, 2007, 2:16:00 PM
Frank Hecker wrote:
> Looking through the list that Nicholas Bebout compiled at
>
> http://www.mozilla.org/projects/security/pki/nss/ca-certificates/cacertlist.csv

Nelson Bolyard reminded me that this list has moved; the new URL is

http://www.mozilla.org/projects/security/certs/cacertlist.csv

Note that this list is just a temporary "scratch" document; Gerv is
working on putting together official lists of CAs, as described in bug
333272.

Anand Kumria

Mar 25, 2007, 1:28:03 PM

Hi Gervase,

Sorry to respond to a message from so long ago - but I'd written a reply
and then forgotten to send it.

On Tue, 06 Feb 2007 16:39:48 +0000, Gervase Markham wrote:

> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of our
> software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.

I think that whilst that policy was good for a first iteration

Use case:
- When joining a company, you are enrolled into the certificate
system
- The company allows you to connect to various services both
internally and externally
- When you connect externally, the service has an attached SSL
certificate
- However, when you connect to the service you are prompted to
validate the certificate
- This can be worked around, at your home, by adding the
certificate to your own personal certificate store
- However, if you find yourself at a friend's computer; an
Internet café, or somewhere where you have not had a chance to install the
certificate how can you determine if there is a man in the middle?

Mozilla can help here.

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

I think you need to have three types of CAs:
- those which are included in the browser

You already have requirements (WebTrust audit, policy explained, etc.)

- those which require user-interaction before they can be used

These are certificates which have expired, or which are to be used on pages where
there is a mixture of content. They are also not part of the scheme I
describe below.

- those which can be dynamically verified and installed into a
specific browser session _without_ user interaction

Here I would recommend that a dynamically verified certificate is never
permanently installed into the certificate store.

The goal here is to remove the possibility of man-in-the-middle attacks.

This doesn't mean that the full validation chrome needs to be used (but it
shouldn't be so different that users cannot feel some confidence in the
website they are interacting with).

I can envisage a few ways to do this:
- have a Mozilla Foundation certificate included into every
browser; prospective CAs or self-signed certificates would be signed by
this certificate.

Whilst this might be the simplest way forward, there is certainly the
possibility that a number of CAs would see this as the Mozilla Foundation
effectively taking over their business.

Plus, this places the burden of doing verification onto Mozilla Foundation
- which could stretch their resources.

- Perform DNS CERT (RFC2538) lookups of the target server, and if
there is a CERT record assume that whomever controls the DNS has put in a
good certificate.

Obviously, standard tests (expirations, mixture of secure/non-secure
content) would be done. With time, you can also utilise DNSSEC records to
validate the entire chain from root to the DNS entry in question.

A key decision is what kind of chrome changes would need to be done if a
DNS CERT was used rather than using a built-in CAs to validate the
certificate.

Thoughts?

Anand
