Re: Improper SSL certificate issuing by CAs


Eddy Nigg
Apr 1, 2010, 6:37:04 AM
> On 04/01/2010 10:35 AM, ssladmin...@portugalmail.pt:
>> Kurt Seifried here:
>>
>> So I picked a webmail provider at random (sorry portugalmail.pt!) and
>> filled in the account form, taking ssladministrator as the email
>> name. Using this I was then able to buy a secure web certificate for
>> portugalmail.pt since the verification process is so weak. Here are
>> the five emails I received from RapidSSL, the only things I have
>> removed is my phone number and the last four digits of the credit
>> card, as you can see the process isn't that hard.
>
> Is this another 1st of April joke? At least your timing is a bit
> questionable ;-)
>

Oh, and this fantastic news lines up nicely with your other thread "how
to report stolen/compromised certificate?" at
the mozilla.dev.security.policy mailing list. The irony that you can
request to have your certificate revoked, but the owner of the domain
portugalmail.pt can not.

I suggest adding another item to the Mozilla CA Policies, stating that:

A) CAs are required to accept revocation requests by third parties and
investigate any request
B) CAs are required to revoke certificates upon key compromise and
wrongful issuance

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Jean-Marc Desperrier
Apr 1, 2010, 2:03:33 PM
Eddy Nigg wrote:
>> So I picked a webmail provider at random (sorry portugalmail.pt!) and
>> filled in the account form, taking ssladministrator as the email name.
>> [...]

>
> Is this another 1st of April joke? At least your timing is a bit
> questionable ;-)

And you're still certain that, on the other hand, the procedure for code
signing certs is totally sure?

From your other message:
> Verisign was supposed to disable those email addresses. We've been
> discussing this issue to death already and Verisign committed to it.
> Apparently they haven't done so, despite their commitment.

If there was such a commitment, then Mozilla should take action.

Eddy Nigg
Apr 1, 2010, 2:28:09 PM
On 04/01/2010 09:03 PM, Jean-Marc Desperrier:

>
> If there was such a commitment, then Mozilla should take action.

Apparently Verisign did perform that action, and the certificate in
question was obtained on the 18th of February.

Jean-Marc Desperrier
Apr 2, 2010, 3:28:49 AM
Eddy Nigg wrote:
> Apparently Verisign did perform that action and the certificate in
> question was obtained at the 18th of February.

Verisign did what? They removed support for such generic addresses
since the 18th?

Eddy Nigg
Apr 2, 2010, 6:41:38 AM
On 04/02/2010 10:28 AM, Jean-Marc Desperrier:

No, apparently they removed some of those addresses since the 6th of
March. The certificate was obtained on the 18th of February. See bug 556468.

Jean-Marc Desperrier
Apr 2, 2010, 9:27:53 AM
Kurt Seifried wrote:
>> Is this another 1st of April joke? At least your timing is a bit
>> questionable ;-)
> No this is not an April fools joke. The PDF at Linux Magazine is what
> will be in the print copy (due out in 3 weeks I believe)

Kurt, the best group for sending this and also to continue the
discussion would be mozilla.dev.security.policy

From a cryptographic point of view, nothing was broken. It's the policy
that's bad.

Jean-Marc Desperrier
Apr 2, 2010, 9:38:55 AM
Eddy Nigg wrote:
>> Verisign did what? They removed support for such generic addresses
>> since the 18th?
>
> No, apparently they removed some of those addresses since the 6th of
> March. The certificate was obtained on the 18th of February. See bug 556468.

Yes, I saw that, and also the following in between:

https://bugzilla.mozilla.org/show_bug.cgi?id=477783
Gervase Markham [:gerv] 2009-04-06 04:28:40 PDT
I agree that it would be good for CAs to come to agreement on a
limited set of addresses to be used.
Gervase Markham [:gerv] 2009-04-07 04:26:20 PDT
Give me a couple of weeks to get consensus on a list :-)

It wasn't good, it was required.

One point the people complaining that CNNIC was accepted don't get is: "can we
objectively claim it's certain that the occidental CAs respect a higher
standard than CNNIC?"
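As an added example (not code from the thread or from any CA), here is the constrained-address check that gerv's bug comment calls for, written from the validating side: a domain-control-validation (DCV) mailbox is accepted only if its local part is on a fixed allowlist and its domain is the requested name or a parent of it, so a freely registrable address like ssladministrator@portugalmail.pt is refused. The five-name allowlist, the function names and the sample addresses are assumptions for illustration.

```python
import re

# Assumed allowlist of DCV local parts. Anything a webmail user can register
# for themselves (ssladministrator, ssl-admin, security, ...) is outside it.
APPROVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _normalize_domain(domain: str) -> str:
    """Lowercase, strip a trailing dot and a wildcard prefix, validate labels."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):  # a wildcard request is validated at its base name
        d = d[2:]
    labels = d.split(".")
    # At least two labels; a real CA would additionally consult the public
    # suffix list so that admin@co.uk cannot validate example.co.uk.
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"malformed domain: {domain!r}")
    return d


def dcv_address_ok(address: str, requested_domain: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed DCV email address."""
    if address.count("@") != 1:
        return False, "address must contain exactly one @"
    local, _, domain = address.partition("@")
    local = local.strip().lower()
    # Exact match only: sub-addressing (admin+x@) or any decoration is refused.
    if local not in APPROVED_LOCAL_PARTS:
        return False, f"local part {local!r} is not an approved DCV address"
    try:
        mail_domain = _normalize_domain(domain)
        cert_domain = _normalize_domain(requested_domain)
    except ValueError as exc:
        return False, str(exc)
    # The mailbox must sit at the requested name or at a parent of it
    # (admin@example.com may validate www.example.com), never at a child
    # or an unrelated name.
    if mail_domain != cert_domain and not cert_domain.endswith("." + mail_domain):
        return False, f"{mail_domain} does not control {cert_domain}"
    return True, "ok"
```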

Eddy Nigg
Apr 2, 2010, 10:38:11 AM
On 04/02/2010 04:38 PM, Jean-Marc Desperrier:

> It wasn't good, it was required.

I've been fighting for various improvements during the last few years
and I believe I was proven right again and again. Unfortunately it's
many times only AFTER something happens, not BEFORE.

> One point the people complaining that CNNIC was accepted don't get is: "can
> we objectively claim it's certain that the occidental CAs respect a
> higher standard than CNNIC?"

I suggest not mixing the two issues, which are entirely different. And
you can expect that there are various different problems which have to
be addressed; one problem doesn't legitimize another. We should stay
clearly focused on the different tasks we have.

citpcommunity
Apr 2, 2010, 11:13:44 AM
On Apr 2, 9:38 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> One point the people complaining that CNNIC was accepted don't get is: "can we
> objectively claim it's certain that the occidental CAs respect a higher
> standard than CNNIC?"

I don't know what you mean by "occidental CAs" but if you mean "all
the other CAs" then you have missed the point. It is not a question
of whether we simply hold all CAs to the same standard, but whether
our standard is sufficient. It may well be that both the CNNIC
approval *and* other prior approvals do not meet a sufficient level of
trust to be accepted. Examining CNNIC should not be dismissed simply
because we may have made the same mistakes elsewhere.

In any case, Eddy is right... these are really two different issues.

Stephen Schultze
Apr 2, 2010, 11:15:24 AM

Sorry, that was me... juggling too many different google accounts.
