
Fwd: RE : Firefox bug 328346: Certificates with keyusage nonRepudiation _only_ can be used for SSL


Martin Paljak

Oct 7, 2006, 3:30:03 AM
to bon...@mozilla.org, Stef Hoeben, Marc Stern, nel...@bolyard.com
Hello,
(This mail bounced from bon...@mozilla.org, a mail address I found
from http://wiki.mozilla.org/Firefox2/Goals. People in the original
message To and Cc were also included.)

I'm forwarding this message for background information on the bug
#328346 and why we consider this a real blocker for smart cards in
Firefox.

We already have to say that the current functionality in FF 1.5 is
not because of 'broken smart card software that does not support FF
1.5 as it was working perfectly in FF 1.0' but because it is a
regression in FF 1.5.

I also represent a whole country on this topic (Estonia,
http://www.opensc-project.org/opensc/wiki/EstonianEid).

Also, I think there should be more collaboration between smart card
projects like OpenSC (that already bring together many open source
smart card people under a common umbrella) and Firefox, for the
benefit of real users who just want to do banking and give signatures
and don't care about certificates and pkcs#11 modules.


Thanks,
Martin Paljak
consultant

Begin forwarded message:

> From: "Libon Olivier" <Olivie...@fedict.be>
> Date: 2 september 2006 2:36:34 GMT+07:00
> To: "Marc Stern" <mst...@csc.com>, <nel...@bolyard.com>
> Cc: <libr...@nss.bugs>, <Stef....@zetes.com>, "Martin Paljak"
> <martin...@gmail.com>
> Subject: RE : Firefox bug 328346: Certificates with keyusage
> nonRepudiation _only_ can be used for SSL
>
> Dear Mr Bolyard,
> As official representative of the Belgian government as well as
> permanent representative of the Security Expert Group of the
> European Commission, I'm strongly supporting Marc's suggestion.
>
> Indeed the Qualified Certificate Profile (derived from the European
> directive about electronic signature aiming at enforcing the legal
> equivalence between a handwritten signature and an electronic
> signature based on a qualified certificate profile as described in
> RFC3039), explicitly suggests the NR bit to be set exclusively in
> case of legally binding electronic signature. This is a common
> understanding at the European level.
>
> The current FF implementation is unfortunately accepting qualified
> certificates (and any certificate having the NR bit set only) for
> authentication purposes which could lead to serious security and
> liability issues.
>
> Please let me know if you need some more official statement from
> European representatives in order to have this issue treated at the
> appropriate level and adequate priority.
>
> With my best regards,
>
> Olivier LIBON
>
> Olivier LIBON
> Security Architect
>
>
> Fedict – Federale Overheidsdienst ICT
> Fedict – Service Public Fédéral ICT
> Maria-Theresiastraat 1/3 Rue Marie-Thérèse
> Brussel 1000 Bruxelles
> Tel: +32 2 212 96 55 GSM: +32 476 26 63 32
> Fax: +32 2 212 96 99
> olivie...@fedict.be
>
> http://www.belgium.be/fedict
>
> From: Marc Stern [mailto:mst...@csc.com]
> Date: Fri. 1/09/2006 9:22
> To: nel...@bolyard.com
> Cc: libr...@nss.bugs; Libon Olivier; Stef....@zetes.com;
> Martin Paljak
> Subject: Firefox bug 328346: Certificates with keyusage
> nonRepudiation _only_ can be used for SSL
>
>
> Nelson,
>
> This bug has been known for 6 months, and is still present in FF 2.0 beta.
> This may have a huge impact on users, especially in the case of
> national or corporation (lawyers, notaries, ...) PKI - as
> implemented, or being implemented, in most European countries -
> where the NR cert has a highly critical legal value.
> Can I ask you to have it fixed before the official release of FF
> 2.0, as it would really be seen as a major problem by national
> bodies, which would lead them to recommend using IE as browser instead
> of FF :-(
>
> Thanks a lot,
>
> Marc Stern
> CSC Computer Sciences Corporation Belgium
> Security Solutions Group Manager / Network and System Architect
> mobile: +32 (0)475 68 29 10 - Phone: +32 (0)2 714 74 91
> e-mail: mst...@csc.com - fax: +32 (0)2 714 71 01
> Hippokrateslaan,14 - B-1932 Sint-Stevens-Woluwe - Belgium
>

--
Martin Paljak / mar...@paljak.pri.ee
+372 515 64 95
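
The check the forwarded messages ask for, as an added example that is not part of the original thread and is not NSS or Firefox code: it decodes a keyUsage extension value and offers a certificate for TLS client authentication only when digitalSignature is set, so a nonRepudiation-only certificate is never selected. The function names and the hex sample values are constructed for illustration; the bit positions are those of RFC 5280.

```python
# Added example: keyUsage gate for TLS client-certificate selection.
# Bit order follows RFC 5280 section 4.2.1.3; all names here are hypothetical.
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
)

def parse_key_usage(der: bytes) -> frozenset:
    """Decode the DER BIT STRING that forms the keyUsage extension value."""
    if len(der) not in (4, 5) or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a keyUsage BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    total = len(payload) * 8
    bits = int.from_bytes(payload, "big")
    if bits & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero")
    # Bit 0 is the most significant bit of the first payload byte.
    return frozenset(
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total and bits & (1 << (total - 1 - i))
    )

def allowed_for_tls_client_auth(usages) -> bool:
    """Client auth signs handshake data, which is a digitalSignature use.
    nonRepudiation on its own marks a key reserved for binding signatures."""
    return "digitalSignature" in usages

def offer_for_client_auth(certs: dict) -> list:
    """Return labels of certificates that may be offered to a TLS server."""
    return sorted(
        label for label, ku in certs.items()
        if allowed_for_tls_client_auth(parse_key_usage(ku))
    )

# Constructed sample: one authentication and one signing certificate.
SAMPLE_CARD = {
    "authentication": bytes.fromhex("03020780"),  # digitalSignature
    "signature": bytes.fromhex("03020640"),       # nonRepudiation only
}

if __name__ == "__main__":
    for label, ku in SAMPLE_CARD.items():
        print(label, sorted(parse_key_usage(ku)))
    print("offered for TLS client auth:", offer_for_client_auth(SAMPLE_CARD))
```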

