Section B.2.(b) of the Draft EV Guidelines also states that the EV
proposal only secondarily addresses phishing. It seems EV is neither
proposed to have, nor believed to have, a major impact on the phishing
problem as it exists today.
Change to a primary user interface widget in the browser, such as the
Address bar, is a major change. Unless the proposed change promises
immediate and dramatic improvement, I don't see why there should be
any rush to adoption. Surely we have time for user studies and other
debate over the impact of the change. This particular bucket of water
is not aimed at the fires that concern us most.
Given the serious problems with browser security, such as phishing and
XSS, I don't understand why the EV proposal is consuming any of
Mozilla's precious development resources or affecting any release
plans. Shouldn't the EV proposal be developing as just another addon,
like any other low-to-mid priority change? Why is it jumping straight
to consideration by Mozilla for inclusion in the mainline code?
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
> Given the serious problems with browser security, such as phishing and
> XSS, I don't understand why the EV proposal is consuming any of
> Mozilla's precious development resources or affecting any release
> plans. Shouldn't the EV proposal be developing as just another addon,
> like any other low-to-mid priority change? Why is it jumping straight
> to consideration by Mozilla for inclusion in the mainline code?
Well Gerv publicly said other people's code didn't get into the mainline
code because the researchers didn't help with fixing other bugs for 6
months, so Verisign and others on this forum must have supplied coders
to help with bug fixes for 6 months...
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
Please don't.
Gerv started this discussion so that the Mozilla community could
discuss its position on EV certificates, and so that Gerv could
report that position to the CA/Browser Forum, where browser makers
and CAs discuss these issues.
So far most of the posts in the thread have been by CA
representatives (and Gerv's responses to those posts). While
occasional comments from CAs may be useful in the thread for
purposes of clarification, I certainly don't welcome such attempts
to dominate the discussion. Given the existence of the CA/Browser
Forum, I think discussion between CAs and Mozilla is more
appropriate there.
I'd like to see the Mozilla community be able to discuss what is
best for Mozilla's users without having that discussion drowned out
by people who have strong business interests (on one side or the
other) in seeing a particular solution.
-David
--
L. David Baron <URL: http://dbaron.org/ >
Technical Lead, Layout & CSS, Mozilla Corporation
So I represent a certification authority, I am also a user, a Linux
vendor and supporter of Open Source in general! Except the initial
questions and suggestions which were CA related and about which Gerv
either provided sufficient information or promised to take care of, my
proposals, suggestions and ideas were strictly related to the UI
behavior and handling of digital certificates in general by the current
Mozilla/Firefox browser.
In order to give the current thread a better meaning and take it out of
the current locked situation, I made a serious proposal how to solve
this better. As a matter of fact I proposed to form a group of
interested parties and individuals (which makes up the Mozilla
community), which should continue the discussion and return with results
(i.e. defined proposals and recommendations) to the original thread.
You may call this domination, but I'm prepared (and perhaps others) to
invest time and effort in order to make the handling of digital
certificates by Mozilla/Firefox better. Obviously the current situation
isn't sufficient (perhaps taken over and never changed since Netscape
times) and therefore I feel it important enough to make this
contribution. This has nothing to do with CA dominance, but perhaps with
some knowledge on the subject, be it as a CA, Linux distributor and
with lots of contact with users/clients of such certificates. I hope
that this changes your impression!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Duane, I must confess you are trying my patience. That is absolutely not
what I said or meant, and you know it. I'm also getting somewhat tired
of your sarcastic attitude. Other people manage to make points in a
constructive fashion.
Shape up or shut up. Please.
Gerv
> Duane, I must confess you are trying my patience. That is absolutely
> not what I said or meant, and you know it. I'm also getting somewhat
> tired of your sarcastic attitude. Other people manage to make points
> in a constructive fashion.
>
> Shape up or shut up. Please.
Here is the exact quote from another email you penned....
> Hey, here's a thought: if some of these people with cool ideas had
> sat down for six months and fixed a bunch of bugs in the existing
> code, they might have some currency to play with when it comes to
> determining how other coders spend their time. But please don't treat
> that as an "xyz hoop".
So does this mean Verisign and or others offered help with general code
for 6 months or not, and if not why do they get special treatment over
other peoples suggestions?
Again you have failed to answer my questions on how much research and
studies have been conducted to prove this has a clear advantage over
current or alternate schemes.
So I guess you just want me to shut up because you can't answer
definitively and are hoping I just go away because you know how lame this
really is with user security?
I agree completely. I will henceforth be prioritising my time to
facilitate discussion among Mozilla community members.
Gerv
Indeed. And your quotation of it out of context made it seem exactly
like an "xyz hoop" (a term defined by you in an earlier bit of the email
that you didn't quote), which is precisely what I said it wasn't.
My point was that people who contribute code and fixes and become part
of the community normally have more say over the direction of the
project and what gets done. This is true of any free software project.
> So does this mean Verisign and or others offered help with general code
> for 6 months or not, and if not why do they get special treatment over
> other peoples suggestions?
You are treating it as an "xyz hoop".
Gerv
But what you are not, Eddy, is a member of the Mozilla community - or,
at least, not until about a week ago and not in any context apart from
this one.
> You may call this domination, but I'm prepared (and perhaps others) to
> invest time and effort in order to make the handling of digital
> certificates by Mozilla/Firefox better.
That's great. Would you be willing to hire someone to help write code to
implement whatever UI design our UI design group picks, even if it's not
the one you want?
> Obviously the current situation
> isn't sufficient (perhaps taken over and never changed since Netscape
> times) and therefore I feel it important enough to make this
> contribution.
Why did you not feel it was so important, say, a month ago? (This is a
fair question, I think.)
Gerv
You seem to keep avoiding my questions about research and studies, so
I'm left with the assumption that no research or studies on EV
certificates exist, or are planned, or were even thought of?
So it seems you are only after opinions on what people think will work,
and not hard facts on what will actually make people safe...
>> No! But you don't answer on what I said...did you realize what you
>> actually proposed? Sincerely? You actually suggested, that StartCom (or
>> other smaller CA's) could be kicked out for a mistake, but Verisign will
>> stay there, no matter what, because of market share.
>
> No, I didn't propose that. Where did I propose that?
From your post on the Mon, Nov 6 2006 4:57 pm:
but we have never contemplated
using it - because removing e.g. Verisign would break half the SSL sites
on the web.
>
>> Except that, the
>> StartCom CA strives for 100 % adherence to the CA policy (which is the
>> promise we give to the subscriber and relying party) and beyond!
>
> As I'm sure Verisign does also.
Sure, however issuing a Class 3 certificate to a company or individual
called "CLICK YES TO CONTINUE" simply shows something extremely broken.
This is not a "domain validated" cert, but Class 3 code signing! And
this didn't happen in the nineties, but just recently...I don't
know....Verisign is not my business, but if somebody would have looked
even once at this request, before CERTIFYING, this simply could not have
happened! So much about that...
>
>> There can be various audit schemes, however I would like to see
>> alternatives to the WebTrust auditors which is in my opinion an
>> expensive monopoly. There are valuable alternatives and perhaps
>> definitions available, which would create also some competition in this
>> field!
>
> Then suggest an alternative that I can propose!
As suggested previously, the Mozilla CA policy would provide such
alternatives.
>
> But again, this request is probably best made directly to the Forum.
We'll certainly try to do that, however if Mozilla would support that
together with other browser vendors (perhaps KDE), then the chances will
be higher of having that implemented in the specifications. Provided
that this is Mozilla's view as well.
>
> Oh, I see - you mean many _CA_ businesses will have difficulty
> complying. Because clearly, a site visit is not particularly
> problematic for the customer.
Right, it's a CA related challenge...Obviously I'm looking at how a
CA (including us) is going to comply with it...And what if there is no
trustworthy agent available in that region? Quite obviously the CA must
send somebody in to do this job. However this drives the costs upwards,
which the client has to pay. In such a case, the client might prefer not
to make the deal and the CA is going to lose business...or be very
tempted to skip this requirement! I'm very skeptical about this one,
because if a standard is set too high, it will be circumvented when not
convenient! Simple as that...
>> Yes! A new idea for this would be, on a first visit at an SSL enabled
>> site to present the user with a window with important and informative
>> details. Not a warning popup, but a friendly message, displaying the
>> most critical information the CA has bothered to include in the
>> certificate.
>
> Right. Straight away, you've distracted the user from their primary
> task (buying something) to make them read a bunch of what they see as
> irrelevant information. How many of these do you think it'll take for
> them to just start closing them without reading, and how many more for
> them to get really annoyed and switch to IE?
It's an idea. There can be other, perhaps better suggestions as well. As
proposed earlier, perhaps there need to be some work done in order to
provide something better. I didn't say, this is the only solution, it
might be one of them...Obviously making the user aware, that he is
visiting a secured site and knows the details with whom he is going to
make business is certainly not distracting the user, but quite the
opposite. It's a service the browser should provide, not hide.
>
>> Otherwise why should a CA bother to include this and other
>> information, if you have to click through 5 buttons in order to get a
>> clue about the subscriber.
>
> Because a user actually only needs this information extremely rarely -
> when they've got a problem with the site.
Really? Are you buying anywhere without checking from whom and what you
get? What are the guarantees you receive? What if you don't receive the
goods? I don't think that your argument is correct...
>
>> No! Because YOU can't decide what's safe for ME and any other user.
>
> Oh, yes I can. I've decided that 56-bit keys are not safe but 128-bit
> are. I've decided that SSL2 is broken and shouldn't be supported. I
> decide a load of things.
These are technical, crypto related decisions. However you seem to
decide which verification is good and which not, without taking into
consideration other, most likely valid procedures?
>
>> Otherwise if this is what you are saying, I can sue YOU, if you are
>> going to take the decision for ME and something happens!
>
> Perhaps the US legal system is now so broken that this might happen, I
> don't know. I doubt it. But certainly not in any other country.
I'm not sure about that. Perhaps check...
>
> Security UI is opinion. Informed opinion, but nevertheless opinion.
> Just like a certificate.
A digital certificate is certainly NOT an opinion....A CA certifies
according to the expected procedures and does not provide
opinions....Did you think about what you just said? ;-)
>
>> Huuu? So why are the decision makers not involved in this discussion? I
>> mean, we spend time and effort in order to help and shape an important
>> part of a security related component (mainly policy wise), if after all
>> any of our inputs aren't being considered seriously?!? Can you clarify
>> the decision making process and use of this thread perhaps?
>
> There is no concrete process. This is as clear as it gets :-)
OK, perhaps define a process so we know, if and how to invest our time?
Trust me, I know exactly what you think.
>> No, I didn't propose that. Where did I propose that?
> From your post on the Mon, Nov 6 2006 4:57 pm:
>
> but we have never contemplated
> using it - because removing e.g. Verisign would break half the SSL sites
> on the web.
Indeed. That's merely a statement of fact. And I'm sure removing
Startcom as a CA would break some proportion of sites as well. The fact
that we only have this "nuclear option" as a sanction is definitely a
problem - and one that EV can help solve.
>> As I'm sure Verisign does also.
> Sure, however issuing a Class 3 certificate to a company or individual
> called "CLICK YES TO CONTINUE" simply shows something extremely broken.
> This is not a "domain validated" cert, but Class 3 code signing! And
> this didn't happen in the nineties, but just recently...I don't
> know....Verisign is not my business, but if somebody would have looked
> even once at this request, before CERTIFYING, this simply could not have
> happened! So much about that...
So it seems we need standards for who one issues a cert to, not just how
one does it. Hang on, didn't we just write some of those?
BTW, code-signing is next on the list of issues for the CA/Browser Forum
to tackle.
>>> There can be various audit schemes, however I would like to see
>>> alternatives to the WebTrust auditors which is in my opinion an
>>> expensive monopoly. There are valuable alternatives and perhaps
>>> definitions available, which would create also some competition in this
>>> field!
>> Then suggest an alternative that I can propose!
> As suggested previously, the Mozilla CA policy would provide such
> alternatives.
We are going round in circles here. WebTrust are writing new guidelines
for auditing EV. If you want some alternative audit criteria, you need
to name them specifically (if they exist already) or suggest who should
write them. The Mozilla CA policy is not a set of EV audit criteria,
it's a CA policy for a browser manufacturer.
> Right, it's a CA related challenge...Obviously I'm looking at how a
> CA (including us) is going to comply with it...And what if there is no
> trustworthy agent available in that region? Quite obviously the CA must
> send somebody in to do this job. However this drives the costs upwards,
> which the client has to pay. In such a case, the client might prefer not
> to make the deal and the CA is going to lose business...or be very
> tempted to skip this requirement! I'm very skeptical about this one,
> because if a standard is set too high, it will be circumvented when not
> convenient! Simple as that...
...and the CA may well fail its audit.
>> Because a user actually only needs this information extremely rarely -
>> when they've got a problem with the site.
> Really? Are you buying anywhere without checking from whom and what you
> get? What are the guarantees you receive? What if you don't receive the
> goods? I don't think that your argument is correct...
So when you visit an SSL site to buy something, you read all the
certificate contents before proceeding with the purchase? Every time?
Gerv
Gervase Markham wrote:
> Indeed. That's merely a statement of fact. And I'm sure removing
> Startcom as a CA would break some proportion of sites as well. The
> fact that we only have this "nuclear option" as a sanction is
> definitely a problem - and one that EV can help solve.
I agree with you, that this is a problem. However the option should
exist - and considered - if needed...even if it's ABC CA with 99% of
market share...
>>> As I'm sure Verisign does also.
>> Sure, however issuing a Class 3 certificate to a company or individual
>> called "CLICK YES TO CONTINUE" simply shows something extremely broken.
>> This is not a "domain validated" cert, but Class 3 code signing! And
>> this didn't happen in the nineties, but just recently...I don't
>> know....Verisign is not my business, but if somebody would have looked
>> even once at this request, before CERTIFYING, this simply could not have
>> happened! So much about that...
>
> So it seems we need standards for who one issues a cert to, not just
> how one does it. Hang on, didn't we just write some of those?
Well, if you really believe, that there indeed was a company called
"CLICK YES TO CONTINUE", then I can't help you... :-)
>> As suggested previously, the Mozilla CA policy would provide such
>> alternatives.
>
> We are going round in circles here. WebTrust are writing new
> guidelines for auditing EV. If you want some alternative audit
> criteria, you need to name them specifically (if they exist already)
> or suggest who should write them. The Mozilla CA policy is not a set
> of EV audit criteria, it's a CA policy for a browser manufacturer.
Sorry, perhaps I didn't make myself clear enough...The new guidelines
for auditing EV by WebTrust might be just perfect, but the problem is
the monopoly of authorized auditors by WebTrust. This is where the
Mozilla CA policy provides alternatives, which is from our point of view
very important.
>
>> Right, it's a CA related challenge...Obviously I'm looking at how a
>> CA (including us) is going to comply with it...And what if there is no
>> trustworthy agent available in that region? Quite obviously the CA must
>> send somebody in to do this job. However this drives the costs upwards,
>> which the client has to pay. In such a case, the client might prefer not
>> to make the deal and the CA is going to lose business...or be very
>> tempted to skip this requirement! I'm very skeptical about this one,
>> because if a standard is set too high, it will be circumvented when not
>> convenient! Simple as that...
>
> ...and the CA may well fail its audit.
I'm not sure about this one! An audit is a current snapshot of the
conduct of the CA business and its practices and procedures in place.
It can't say anything about the "Before" and "After". Therefore a policy
and/or standard has to be realistic in order to be adhered to, otherwise
as I indicated, it might be circumvented when convenient....Most likely
you will not know when this happens 99 % of the time...A risk a CA might
take in order to make better business...
>> Really? Are you buying anywhere without checking from whom and what you
>> get? What are the guarantees you receive? What if you don't receive the
>> goods? I don't think that your argument is correct...
>
> So when you visit an SSL site to buy something, you read all the
> certificate contents before proceeding with the purchase? Every time?
Well, personally I'm not a good example really...I'm not that objective
as a manager of a CA. However it depends on the nature of the site
(e-commerce or not) and indeed one should be bothered at least once with
the details of the subscriber. As I suggested, this should be either easy to
reach and/or in a pleasant and informative manner.
>> http://www.benedelman.org/news/020305-1.html
>> http://www.benedelman.org/spyware/images/installers-020305.html
>
> While these are misleading, and probably undesirable, I don't think
> they could be called bogus. (Unless, perhaps, there isn't a company
> called "Click Yes to Continue" - but why couldn't there be?)
> Otherwise, all of them show the name of the company concerned.
>
> The fact that the dialog presentation sucks is an IE UI issue.
Well, I meant the company called "CLICK YES TO CONTINUE", not the rest....
Actually, I am almost certain that you could register a company with
that name in the US. I remember reading, many years ago, that there were
companies called "Whatever", "I don't care", "The cheapest" and similar
weird names. Weird, that is, until you realized that they were long
distance phone companies. The way those names worked was that a user
would call an operator to make a long distance phone call, and the
operator would ask which long distance company the caller wanted...
> Sorry, perhaps I didn't make myself clear enough...The new guidelines
> for auditing EV by WebTrust might be just perfect, but the problem is
> the monopoly of authorized auditors by WebTrust. This is where the
> Mozilla CA policy provides alternatives, which is from our point of view
> very important.
The EV draft states auditing by WebTrust *or equivalent*.
>> So when you visit an SSL site to buy something, you read all the
>> certificate contents before proceeding with the purchase? Every time?
> Well, personally I'm not a good example really...I'm not that objective
> as a manager of a CA. However it depends on the nature of the site
> (e-commerce or not) and indeed one should be bothered at least once with
> the details of the subscriber. As I suggested, this should be either easy to
> reach and/or in a pleasant and informative manner.
The identity of the CA would add value only if the user had any way of
actually being informed what it meant and how trustworthy they are in
their business. Even if Verisign started issuing 10% of their certs to
obvious, known criminals, it would be unlikely to reach most people who
use web browsers.
Some requirements for that to happen would be for major news outlets
reporting that, and writing in the non-tech section explaining what
people should be doing to avoid being bitten by that. I just don't see
that happening, because the major news item of the day is Britney's
divorce instead...
--
Heikki Toivonen
Copied from the Mozilla CA Certificate Policy (Version 1.0) at
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
without permission.
Proposal:
1. Equivalent means to provide attestation of their conformance to
   the stated verification requirements and other operational
   criteria by a competent independent party or parties with access
   to details of the CA's internal operations.
2. By "competent party" we mean a person or other entity who is
   authorized to perform audits according to the stated criteria
   (e.g., by the organization responsible for the criteria or by a
   relevant government agency) or for whom there is sufficient
   public information available to determine that the party is
   competent to judge the CA's conformance to the stated criteria. In
   the latter case the "public information" referred to should
   include information regarding the party's
   * knowledge of CA-related technical issues such as public key
     cryptography and related standards;
   * experience in performing security-related audits,
     evaluations, or risk analyses; and
   * honesty and objectivity.
3. By "independent party" we mean a person or other entity who is not
   affiliated with the CA as an employee or director and for whom
   at least one of the following statements is true:
   * the party is not financially compensated by the CA;
   * the nature and amount of the party's financial compensation
     by the CA is publicly disclosed; or
   * the party is bound by law, government regulation, and/or a
     professional code of ethics to render an honest and
     objective judgement regarding the CA.
4. We reserve the right to designate our own representative(s) to act
   as the competent independent party or parties described above,
   should that prove to be necessary and appropriate.
5. The burden is on the CA to prove that it has met the above
   requirements. However the CA may request a preliminary
   determination from us regarding the acceptability of the criteria
   and/or the competent independent party or parties by which it
   proposes to meet the requirements of this policy.
Most users have no idea. *I* have no idea what kind of checks CAs do to
issue most certificates. (I know domain validation, and I've seen what
documentation some CAs ask when issuing a personal email certificate.)
Suppose I look at cert details and I see Persona verified by StartCom. I
don't know what StartCom would do to verify Persona.
I can just about guarantee that most people won't understand what
subscriber and issuer mean in this context. I can assure you my parents
don't know what domain means (they know a web address and email address,
though).
I wouldn't go so far as to call users stupid, but it is obviously out of
most people's area of familiarity and interests.
>> Some requirements for that to happen would be for major news outlets
>> reporting that, and writing in the non-tech section explaining what
>> people should be doing to avoid being bitten by that. I just don't see
>> that happening, because the major news item of the day is Britney's
>> divorce instead...
>>
> I think you paint the casual user just too "stupid". If he knows to
> operate a computer and browser, then he knows to read the certificate
> details. Otherwise let's just omit them perhaps? If the user gets burned
> by a web site, how does he know what to do, if he is indeed so helpless
> and uneducated?
Not stupid, but this is an area that they know nothing about and which
is not obvious at a glance. If we required "internet driving licenses"
before people went on the net then understanding this could be a
requirement (one can dream).
I do think it makes sense to show some additional information from the
certificate about the site the user is trying to access, like company
name etc. But information beyond that gets into area that most people
just don't know about.
People that are the victim of a crime go to the police.
--
Heikki Toivonen
"CA/Browser Forum members shall meet at least one of the following criteria.
"1. The member organization operates a certification authority
that has a current and successful WebTrust for CAs audit report (or
equivalent) and that actively issues certificates to Web servers that
are openly accessible from the Internet using any one of the mainstream
browsers.
"2. The member organization operates a certification authority
that has a current and successful WebTrust for CAs audit report (or
equivalent) and that actively issues certificates to subordinate CAs
that, in turn, actively issue certificates to Web servers that are
openly accessible from the Internet using any one of the mainstream
browsers.
"3. The member organization produces a software product intended for use
by the general public for browsing the Web securely using SSL."
Our application for membership was rejected because of their
interpretation of *equivalent*, as expected! There is no *equivalent*!
They obviously must be very afraid of StartCom, since this request was
about membership, not issuance of EV certificates. It is interesting to
note that three out of four browser vendors accepted StartCom as a
trustworthy certification authority (this is Mozilla and KDE, with Opera
only depending on a down payment, which is a policy Opera intended to
revise or is in the process of revising). Needless to say, StartCom
fulfills all the required criteria above, with the word *equivalent*
depending on interpretation only!
We hope that Mozilla has the ability to change that decision taken by
the CA/Browser Forum and get rid of the WebTrust monopoly which Microsoft
and perhaps other CAs maintain.