
Including regional CA root certs


Gervase Markham

Feb 6, 2007, 11:39:48 AM
The mozilla.org CA certificate policy[0] states, in part:

"We require that all CAs whose certificates are distributed with our
software products provide some service relevant to typical users of our
software products."

We have interpreted this to include standard commercial CAs, other CAs
who sell certificates to anyone or almost anyone, and government-run
CAs. We have interpreted it to exclude CAs which are internal to a
business or organisation.

We have two outstanding applications for inclusion from CAs who
represent not a national government, but a regional government. They are
from the regional government of Catalonia, Spain[1] and the city
government of Vienna, Austria[2].

The inclusion of a CA incurs a cost - in time to evaluate the request
(and we do have a backlog), in download size, and in marginally
increased risk of a failure of the system by e.g. private key
compromise. We have to balance that against the expected usefulness of
the root certificate to our users.

We are, at this time, uncertain as to where and how to draw the line,
and so are putting the issue here for discussion. Options include, but
are not limited to, excluding all CAs serving less than a country,
including all CAs who apply, and shipping some certs in some builds and
not in others. Thoughts?

Please respect the Followup-To header.

Gerv

[0]
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=295474
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=295474

Giacomo Magnini

Feb 6, 2007, 12:17:57 PM
What about including a "minimal" list in the distribution, and then
supply an extension with the rest (or even more than one)?
Ciao, Giacomo.

Ben Bucksch

Feb 6, 2007, 1:22:37 PM
to Gervase Markham
Gervase Markham wrote:
> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of
> our software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They
> are from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].

First: Do these CAs and the other government-run CAs issue certs only to
members of the organization (employees etc.) or to the citizens? I
think that makes a big difference: In the former case, it's just a CA
internal to an organization (even if large org). If the latter, the
government practically acts as CA for their citizens and replaces normal
CAs, so I think they have a good argument to be in.

These new applications are the same on a smaller scale. I don't have a
strong opinion here.

However, the 2 particular cases are maybe special, each:

* Catalonia is an "autonomous community". I don't know whether
there's a delicate political dimension to it. Compare ETA, which
fights for independence of the Basque communities/regions.
* Vienna - like Munich - is switching to Linux, OpenOffice and
Mozilla, and making news. Maybe we want to give them special support.

Toni Hermoso Pulido

Feb 6, 2007, 3:07:37 PM
to Mozilla l10n
Ben Bucksch wrote:

> * Catalonia is an "autonomous community". I don't know whether
> there's a delicate political dimension to it. Compare ETA, which

For sake of clarity, without entering in political considerations, an
Autonomous Community is a Spanish political division, which regarding
competences (which may actually vary highly depending on the Autonomous
Community) is roughly something between a German land and a French région.

Heikki Toivonen

Feb 6, 2007, 3:55:55 PM
Gervase Markham wrote:
> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

I would not like to see regional (less than a country) CAs included in
the mainline products distributed by Mozilla.

Currently my preference would be to see these as part of the most
specific language pack for that region (in some cases people can
download a localized product instead of an xpi as well).

--
Heikki Toivonen

Toni Hermoso Pulido

Feb 6, 2007, 4:31:28 PM
to dev-...@lists.mozilla.org
Heikki Toivonen wrote:

> Gervase Markham wrote:
>> We are, at this time, uncertain as to where and how to draw the line,
>> and so are putting the issue here for discussion. Options include, but
>> are not limited to, excluding all CAs serving less than a country,
>> including all CAs who apply, and shipping some certs in some builds and
>> not in others. Thoughts?
>
> I would not like to see regional (less than a country) CAs included in
> the mainline products distributed by Mozilla.
>

From what I can understand according to that criterion: a public CA from
Andorra (with less than 70.000 inhabitants and with no current public CA
nowadays) would be accepted, but the Autonomous Community of Catalonia
with more than 7.000.000 inhabitants and a current public CA submitted
as a bug since 2 years ago, wouldn't.
As a matter of fact, a public Spanish certificate may be useless for
Catalonian users except for state's transactions, which are less
frequent than regional and local ones, where CatCert is being used.

Frank Hecker

Feb 6, 2007, 5:23:16 PM
Ben Bucksch wrote:
> First: Do these CAs and the other government-run CAs issue certs only to
> members of the organization (employees etc.) or to the citizens?

In (I think) all the cases we're concerned with, the government-run CAs
do in fact issue certificates to individual citizens and/or to
corporations or other non-governmental organizations. However note that
if a government CA issues certificates only to government departments
then it might still be relevant to typical Mozilla users; for example,
the government CA might issue SSL certificates for servers used to
provide government services to citizens, businesses, etc.

> I think that makes a big difference: In the former case, it's just a CA
> internal to an organization (even if large org).

I agree that if certificates are used solely for internal government use
then there's no justification for including such a CA in the default
Mozilla list.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Frank Hecker

Feb 6, 2007, 5:45:01 PM
Toni Hermoso Pulido wrote:
> From what I can understand according to that criterion: a public CA from
> Andorra (with less than 70.000 inhabitants and with no current public CA
> nowadays) would be accepted, but the Autonomous Community of Catalonia
> with more than 7.000.000 inhabitants and a current public CA submitted
> as a bug since 2 years ago, wouldn't.

Yes, examples like this are exactly why we're soliciting opinions on
whether we should modify our policy.

Incidentally, note also that there are different possible definitions of
what constitutes a "country" (or more formally, a "sovereign state").
For example, Andorra is a United Nations member state, but Taiwan
(Republic of China) is not; however we've already approved a government
root CA for Taiwan. There are other interesting edge cases of entities
that have ISO 3166-1 country codes but are not necessarily considered
full sovereign states. Wikipedia has some interesting background on the
complexities of this question:

http://en.wikipedia.org/wiki/List_of_sovereign_states

David E. Ross

Feb 6, 2007, 7:02:36 PM

The policy should be revised to permit (not mandate) localized root
certificates in localized Mozilla products. Catalan is listed at
<http://www.mozilla.org/projects/l10n/mlp_status.html> as a target
language for localization of Mozilla products. With such a policy
revision, Bug 295474 could be left to the localizers to address if they so
choose.

The wrong bug number is cited for the Vienna certificate. It's #342503
at <https://bugzilla.mozilla.org/show_bug.cgi?id=342503>. Since German
is also a target language for localization, this too could be addressed
by such policy change.

In any case, the installation of new root certificates is not overly
difficult for users. Thus, I don't understand the constant harping by
those who insist that Mozilla must install certificates contrary to its
policy (especially contrary to the last bullet under Section 6).

--

David E. Ross
<http://www.rossde.com/>

Concerned about someone (e.g., Pres. Bush) snooping
into your E-mail? Use PGP.
See my <http://www.rossde.com/PGP/>

pascal

Feb 6, 2007, 8:31:51 PM
Frank Hecker wrote:

> Toni Hermoso Pulido wrote:
>> From what I can understand according to that criterion: a public CA
>> from
>> Andorra (with less than 70.000 inhabitants and with no current public CA
>> nowadays) would be accepted, but the Autonomous Community of Catalonia
>> with more than 7.000.000 inhabitants and a current public CA submitted
>> as a bug since 2 years ago, wouldn't.
>
> Yes, examples like this are exactly why we're soliciting opinions on
> whether we should modify our policy.

We definitely should, it would not make sense to allow the Vatican (a
800 people "state" ;-) ) to have a public CA included in Mozilla while
refusing Catalonia to have one. In the end, the purpose of including CAs
is to give the right service to our users and if our users have to
switch to IE to pay their taxes to the government or if Firefox can't be
used by companies/administrations in Spain because it does not include a
major regional CA we are doing something wrong, aren't we?

>
> Incidentally, note also that there are different possible definitions of
> what constitutes a "country" (or more formally, a "sovereign state").
> For example, Andorra is a United Nations member state, but Taiwan
> (Republic of China) is not; however we've already approved a government
> root CA for Taiwan. There are other interesting edge cases of entities
> that have ISO 3166-1 country codes but are not necessarily considered
> full sovereign states. Wikipedia has some interesting background on the
> complexities of this question:
>

Then if the state of Washington would need its own CA for its citizens
we would refuse it because Washington is not a United Nations member
state? If the answer is no, we would accept their CA, then you have
your answer for the specific case of Catalonia because the legal
background is the same: two regional states in a federal nation whose
independence and rights are protected by a constitution.

Then you have the Vienna case, which is indeed more tricky ;)

Pascal

Michael Ströder

Feb 7, 2007, 4:48:30 AM
Gervase Markham wrote:
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They are
> from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].
> [..]

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?

I'd recommend that all builds should include the same set of
pre-installed CA certs.

Ciao, Michael.

Gervase Markham

Feb 7, 2007, 6:45:46 AM
Giacomo Magnini wrote:
> What about including a "minimal" list in the distribution, and then
> supply an extension with the rest (or even more than one)?

That is one technical way we could achieve the goal of shipping
different sets of certs with different builds, yes. But the question is
not about whether it's technically possible. :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:51:16 AM
Toni Hermoso Pulido wrote:
> From what I can understand according to that criterion: a public CA from
> Andorra (with less than 70.000 inhabitants and with no current public CA
> nowadays) would be accepted, but the Autonomous Community of Catalonia
> with more than 7.000.000 inhabitants and a current public CA submitted
> as a bug since 2 years ago, wouldn't.

That would be correct. This is one of the side-effects you get from
drawing the line at the country level.

But if you said "we'll allow any CA which serves a constituency of
5,000,000 people or more", then you may get legitimate complaints from
the governments of up to 80 countries!

Gerv

Gervase Markham

Feb 7, 2007, 6:53:04 AM
Michael Ströder wrote:
> I'd recommend that all builds should include the same set of
> pre-installed CA certs.

Asserting an opinion is fine, but it will carry more weight if backed up
with a justification :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:58:43 AM
Toni Hermoso Pulido wrote:
> For sake of clarity, without entering in political considerations, an
> Autonomous Community is a Spanish political division, which regarding
> competences (which may actually vary highly depending on the Autonomous
> Community) is roughly something between a German land and a French région.

Very tactfully put :-)

Gerv

Gervase Markham

Feb 7, 2007, 6:59:02 AM
David E. Ross wrote:
> The policy should be revised to permit (not mandate) localized root
> certificates in localized Mozilla products. Catalan is listed at
> <http://www.mozilla.org/projects/l10n/mlp_status.html> as a target
> language for localization of Mozilla products. With such a policy
> revision, Bug 295474 could left to the localizers to address if they so
> choose.

Devil's advocate, then:

- How would you choose which languages to include it in? All languages
spoken in the region in question? There are quite a lot of expat English
speakers in Catalonia... If not all, you would end up with Jose's
browser having the CA, but Fred, who lives next door, not having it.

- Would this mean we wouldn't mind about the excess baggage for people
half a world away who speak the same language? E.g. if we included a CA
for the state of Maine, USA, in the en-US build then currently that CA
would also go to Australians, as there's no en-AU.

> In any case, the installation of new root certificates is not overly
> difficult for users.

Perhaps not. But it's not something we really want to encourage them to
do, because it's too easy for them to shoot themselves in the foot.

Gerv

João Miguel Neves

Feb 7, 2007, 9:26:01 AM
to Gervase Markham, dev-...@lists.mozilla.org
On Wed, 2007-02-07 at 11:59 +0000, Gervase Markham wrote:

> David E. Ross wrote:
> > In any case, the installation of new root certificates is not overly
> > difficult for users.
>
> Perhaps not. But it's not something we really want to encourage them to
> do, because it's too easy for them to shoot themselves in the foot.
>
I would also add that it's almost impossible to get most users to add a
root certificate securely (as in making sure it comes from a reliable
source).

Getting normal users used to adding root certificates to Firefox is,
IMHO, a security issue. If adding a root certificate becomes usual, and
even only a small part of the users don't correctly check the origin of
the certificates, SSL will provide no extra security (they can be caught
in a man-in-the-middle attack).

For this I'd say that any public service (let's say used by more than
100.000 Firefox users - calculated by browser quota times users with
internet access in the country) should have its root CA in Firefox, in
order to protect Firefox users.

The number above should be adjusted to whatever number of CAs is
possible to manage by Mozilla's people (as I see that's the only
limitation - this is not a software issue).

Best regards,
João Miguel Neves

Giacomo Magnini

Feb 7, 2007, 10:44:39 AM
Gervase Markham wrote:

> That is one technical way we could achieve the goal of shipping
> different sets of certs with different builds, yes. But the question is
> not about whether it's technically possible. :-)

I'll add that you can supply more certs with a langpack, for example, or
with localized builds. Think about the de-AT build with the cert for
Vienna...
Having a common set of certs (as someone else has stated) is
fundamental, but specific certs like the ones for Andorra, Catalan or
Vienna are not something a user from Brazil or China should bother
getting on their PCs... They should be optional, as an addon.
While on the subject, please remove the useless DOMI translations (that
would make space for all of the certs you want, btw).
Ciao, Giacomo.

Toni Hermoso Pulido

Feb 7, 2007, 11:07:08 AM
to Giacomo Magnini, dev-...@lists.mozilla.org
2007/2/7, Giacomo Magnini <giacomo....@spamportalis.it>:

> Gervase Markham wrote:
> > That is one technical way we could achieve the goal of shipping
> > different sets of certs with different builds, yes. But the question is
> > not about whether it's technically possible. :-)
>
> I'll add that you can supply more certs with a langpack, for example, or
> with localized builds. Think about the de-AT build with the cert for
> Vienna...

AFAIK, there is no "de-AT" build, but a "de" one. Take a look at
the example of the state of Maine.

> Having a common set of certs (as someone else has stated) is
> fundamental, but specific certs like the ones for Andorra, Catalan or
> Vienna are not something a user from Brazil or China should bother
> getting on their PCs... They should be optional, as an addon.
> While on the subject, please remove the useless DOMI translations (that
> would make space for all of the certs you want, btw).
> Ciao, Giacomo.

Currently, I dare to say that many of the CAs included are mostly en-US
based; so they may be of little use to most of the non-American users.
Nonetheless, despite their being included, I don't think they will ever
be a nuisance to anyone...

David E. Ross

Feb 7, 2007, 11:31:34 AM

Perhaps this is an argument in favor of implementing bug #333272 with a
fourth category: local root certificates. A secure Web listing of those
certificates on a Mozilla server would provide a reliable source from
which users could download approved local certificates for installation.
These would then not have to be installed by Mozilla in its products.

Approvals of local certificates will likely not have as high a priority
as approvals of "universal" certificates. On the other hand, listing
them on a page that is SSL-secure (using a certificate signed by a root
that is already installed) would give users the ability to obtain
certificates immediately upon approval, without waiting for the next
version of the product. This would also be true of an approved
"universal" certificate still listed in the pending category while
waiting for a new product version in which it can be installed.

See <https://bugzilla.mozilla.org/show_bug.cgi?id=333272>.

Benjamin Smedberg

Feb 7, 2007, 1:55:34 PM
Gervase Markham wrote:

> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?
>
> Please respect the Followup-To header.

I don't have an answer, but I firmly believe that "shipping some certs in
some builds and not in others" would be a disaster. Admittedly users of an
English Firefox are less likely to visit a website in Vienna than users of a
German build, but I myself have done business with Viennese websites on at
least one occasion, and I don't know German.

Explaining to a user that they would need to install a German Firefox (or
install a German language pack) to visit a Viennese website is a serious
support burden. Just as we try very hard to support the same set of gecko
features in all gecko-based apps (e.g. SVG/canvas/mathml), we should support
the same set of root certificates.

--BDS

Frank Hecker

Feb 7, 2007, 2:08:20 PM
Toni Hermoso Pulido wrote:
> Currently, I dare to say that many of the CAs included are mostly en-US
> based; so they may be of little use to most of the non-American users.

Note that for at least the past year almost all of the new requests have
come from CAs outside the US.

Looking through the list that Nicholas Bebout compiled at

http://www.mozilla.org/projects/security/pki/nss/ca-certificates/cacertlist.csv

there appear to be about 30 or so different organizations running CAs
(some with multiple roots), and at least one third of those are not
US-based. Also, all of the government-run CAs included in Mozilla are
outside the US.

Michael Ströder

Feb 7, 2007, 2:47:24 PM
Heikki Toivonen wrote:
>
> Currently my preference would be to see these as part of the most
> specific language pack for that region (in some cases people can
> download a localized product instead of an xpi as well).

I'd strongly recommend to not make this a localization issue! I think
this would confuse users who might use different localized builds but
are accessing the same secured regional web sites.

IMHO the organizations are concerned about getting their CA certs in to
be able to issue automatically accepted SSL server certs for their
systems since commercial CAs are expensive.

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:40:18 PM
Giacomo Magnini wrote:
> What about including a "minimal" list in the distribution, and then
> supply an extension with the rest (or even more than one)?

I think it's not appropriate to pack more CA certs into an extension.

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:51:23 PM
pascal wrote:
> [..] if our users have to

> switch to IE to pay their taxes to the government or if Firefox can't be
> used by companies/administrations in Spain because it does not include a
> major regional CA we are doing something wrong, aren't we ?

So you propose a policy to include all CA certs which are pre-installed
with MS IE? Is the CA cert of Catalonia pre-installed in IE? ;-)

Ciao, Michael.

Michael Ströder

Feb 7, 2007, 2:59:13 PM
Gervase Markham wrote:
>
> Devil's advocate, then:
>
> - How would you choose which languages to include it in? All languages
> spoken in the region in question? There are quite a lot of expat English
> speakers in Catalonia... If not all, you would end up with Jose's
> browser having the CA, but Fred, who lives next door, not having it.
>
> - Would this mean we wouldn't mind about the excess baggage for people
> half a world away who speak the same language? E.g. if we included a CA
> for the state of Maine, USA, in the en-US build then currently that CA
> would also go to Australians, as there's no en-AU.

That's exactly the point. It's definitely not a subject for localization.

>> In any case, the installation of new root certificates is not overly
>> difficult for users.
>
> Perhaps not. But it's not something we really want to encourage them to
> do, because it's too easy for them to shoot themselves in the foot.

I'd like to remind everybody that self-signed root CA certs are trust
anchors. One cannot revoke self-signed root CA certs. What's really
missing in this discussion is how to evaluate how trustworthy a CA is in
operating the certification service. IMHO this should be an important
criterion. Because certs are for security...

For this reason I think that Follow-up: mozilla.dev.tech.crypto would
have been more appropriate.

Ciao, Michael.

Ricardo Palomares Martinez

Feb 7, 2007, 2:34:22 PM
Ben Bucksch wrote:

> First: Do these CAs and the other government-run CAs issue certs only to
> members of the organization (employees etc.) or to the citizens? I
> think that makes a big difference: In the former case, it's just a CA
> internal to an organization (even if large org). If the latter, the
> government practically acts as CA for their citizens and replaces normal
> CAs, so I think they have a good argument to be in.


Yes, this kind of CAs issue certs to citizens; they probably don't
replace commercial CAs, but provide a service that commercial CAs
can't give, since their certs are used for tax payment and other
administrative transactions.


> * Catalonia is an "autonomous community". I don't know whether
> there's a delicate political dimension to it. Compare ETA, which
> fights for independence of the Basque communities/regions.


As a Spanish citizen, and to put it in a bit of context, I can assure
you that they have nothing to do with each other. Catalonia is an
administrative division inside Spain, like 16 others (including Euskadi
/ Basque Country). At the very least, both Euskadi and Catalonia (and
probably other regions in Spain, too) have had more competencies
transferred from central government for a long time than Northern
Ireland has nowadays.

This shift of competencies from central government to the autonomies
means that the latter have the choice/need to establish their own CAs
(BTW, one of the most important Spanish central government CAs, FNMT, is
not shipped by default, AFAIK). FWIW, if this whole issue of shipped CAs
were resolved as David E. Ross suggests, implementing local root
certificates that can be shipped exclusively by one or some langpacks,
I would be willing to see the CatCert CA, like many other
autonomous-community CAs, shipped in es-ES.

Regarding en-US shipping USA CAs that won't be used by Australians,
that could be easily solved if enough people are interested in it,
just by creating an en-AU team. Well, it would depend on how the local
root certificates solution is implemented, but I think that localizers
should help mozilla.org's security staff to decide which CAs are
really truthful and useful.

Ricardo.

--
If it's true that we are here to help others,
then what exactly are the OTHERS here for?

Michael Ströder

Feb 7, 2007, 3:03:51 PM

Almost all of my German customers do not install the German version of
software packages. They choose the "international" (say US) version to
downsize their support efforts.

Ciao, Michael.

David E. Ross

Feb 7, 2007, 3:58:26 PM

Having very little experience with IE, how would I check the existence
of any root certificate installed for that browser? I have IE 7 with
Windows XP, but I use it only to download Windows updates.

pascal

Feb 7, 2007, 4:45:39 PM
Michael Ströder wrote:

included:
http://support.microsoft.com/?scid=kb%3Ben-us%3B931125&x=16&y=15

Pascal

Axel Hecht

Feb 7, 2007, 6:06:39 PM

To make a British parliament vote, yay yay.

Can we just for the sake of the argument put numbers on the cost of
certificates?

Like, is there a working set cost, start up time, shipping size? How
much is a cert after 7zip compression?

And is there a maintenance cost in a cert, or is it just a setup cost?

Axel

Jonas Sicking

Feb 7, 2007, 6:28:54 PM
I think bug 342503 sums this up pretty well. I think shipping some certs
in some builds but not in others is a really bad idea which will
increase the number of builds we do by a lot. We'd essentially have to
have one build per country per language; for example I'd have to use an
English-for-Sweden build since I prefer to have my browser in English,
but I do like to visit Swedish sites, but I'd also have to have an
English-for-US build since I live in the US and visit US sites.

I don't think having regional CAs will scale. If we start allowing them
we open the floodgates for any region to set up their own CA and we'll
get swamped with requests.

All my humble opinion of course :)

/ Jonas

Gervase Markham wrote:
> The mozilla.org CA certificate policy[0] states, in part:
>
> "We require that all CAs whose certificates are distributed with our
> software products provide some service relevant to typical users of our
> software products."
>
> We have interpreted this to include standard commercial CAs, other CAs
> who sell certificates to anyone or almost anyone, and government-run
> CAs. We have interpreted it to exclude CAs which are internal to a
> business or organisation.
>
> We have two outstanding applications for inclusion from CAs who
> represent not a national government, but a regional government. They are
> from the regional government of Catalonia, Spain[1] and the city
> government of Vienna, Austria[2].
>
> The inclusion of a CA incurs a cost - in time to evaluate the request
> (and we do have a backlog), in download size, and in marginally
> increased risk of a failure of the system by e.g. private key
> compromise. We have to balance that against the expected usefulness of
> the root certificate to our users.
>
> We are, at this time, uncertain as to where and how to draw the line,
> and so are putting the issue here for discussion. Options include, but
> are not limited to, excluding all CAs serving less than a country,
> including all CAs who apply, and shipping some certs in some builds and
> not in others. Thoughts?
>
> Please respect the Followup-To header.
>

Frank Hecker

Feb 7, 2007, 8:46:49 PM
Michael Ströder wrote:
> I'd like to remind everybody that self-signed root CA certs are trust
> anchors. One cannot revoke self-signed root CA certs. What's really
> missing in this discussion is how to evaluate how trustworthy a CA is in
> operating the certification service. IMHO this should be an important
> criterion. Because certs are for security...

Just to be clear on this point: We already have an established policy
for evaluating CAs and deciding whether they are "trustworthy" enough
to include in Mozilla-based products. We are *not* proposing to relax
that policy for regional CAs. Rather what we want to discuss is how to
handle CAs that are perfectly good CAs but that operate only in specific
geographical areas.

> For this reason I think that Follow-up: mozilla.dev.tech.crypto would
> have been more appropriate.

Our interest was specifically in looking at CAs in the context of
localized versions, which is why we thought m.d.l10n was the best group
for followup. The folks in m.d.t.crypto are not necessarily familiar with
the CA situation in various countries and regions around the world.

Frank Hecker

unread,
Feb 7, 2007, 10:03:34 PM2/7/07
to
Axel Hecht wrote:
> Can we just for the sake of the argument put numbers on the cost of
> certificates?
>
> Like, is there a working set cost, start up time, shipping size? How
> much is a cert after 7zip compression?

All pre-loaded CA certificates are stored in a shared library. For Mac
OS X this library is libnssckbi.dylib; I think the corresponding
libraries for Windows and Linux/Unix are libnssckbi.dll and
libnssckbi.so. On OS X this library contains on the order of 100
certificates and is about 500KB installed and under 200KB compressed. (I
don't have any figures on working set sizes.)

There's undoubtedly some overhead in this library, so the actual
per-cert size is less. However on the other hand CA certificates are
growing larger over time, as CAs replace their existing key pairs with
longer ones (for increased security). So I think it's reasonable to
assume certificates have a cost of about 5KB per cert installed and
about 2KB per cert downloaded.

Finally, note that most CAs actually have multiple root CAs and thus
multiple root CA certificates; typical numbers are around 2-4
certificates per CA. So adding a new CA typically would expand the
certificate list by 10-20KB as installed and 4-8KB as downloaded.

> And is there a maintenance cost in a cert, or is it just a setup cost?

The setup cost for certificates is predominantly the time required to
evaluate each CA, plus the time to add new certificates to the NSS code
base. I'd estimate this as 1-2 person-days per CA. (The time per
certificate is less, since as noted above most CAs have more than one
certificate being included.)

There's effectively no maintenance cost for CAs and certificates today,
since once a CA has been added we don't go back and re-evaluate it.
However we really should be doing this, preferably on a yearly basis.
This cost would likely be on the order of 0.5-1 person-days per CA.

(You may be thinking, that's a lot of time to spend dealing with CAs and
certificates. If so, you're right. By way of comparison, note that
Microsoft has a full-time person whose primary responsibility is doing
CA-related stuff.)

David E. Ross

Feb 7, 2007, 10:56:32 PM
to

By the way, I'm not advocating that Mozilla actually have the local root
certificates on its server. The "local root certificates" Web page
would merely contain links to the certificate authorities from which a
user could then download and import the certificates. The purpose of
the page would be to provide those links in a secure environment where a
user could rely on the authenticity of those links.

It might even be possible to create such a Web page without even
approving the local certificates. After verifying the links and other
data that would be on the Web page, an entry could be made without
verifying the existence of a WebTrust or equivalent audit. Of course,
a prominent warning would then have to appear on such a page, advising
users that they (and not Mozilla) are responsible for any consequences
from trusting the certificate authorities listed there.

Gervase Markham

Feb 8, 2007, 6:10:56 AM
to

Yes, as is the one of the city of Vienna. But I believe these are the
only two sub-governmental regional CAs they have.
http://support.microsoft.com/kb/931125

Gerv

Gervase Markham

Feb 8, 2007, 6:13:16 AM
to
David E. Ross wrote:
> See <https://bugzilla.mozilla.org/show_bug.cgi?id=333272>.

I don't really believe this bug solves much. Even if we had the time
and money to design a really secure system (imagine what would happen if
it broke - someone could insert their own CA and MITM everyone), it
would still involve getting people to install their own roots, which is
something we want to avoid.

Gerv

Gervase Markham

Feb 8, 2007, 6:19:02 AM
to
Jonas Sicking wrote:
> I think bug 342503 sums this up pretty well. I think shipping some certs
> in some builds but not in others is a really bad idea which will
> increase the number of builds we do by a lot. We'd essentially have to have
> one build per country per language, for example I'd have to use an
> English-for-Sweden build since I prefer to have my browser in English,
> but I do like to visit Swedish sites, but I'd also have to have an
> english-for-US build since I live in the US and visit US sites.

I don't think anyone is suggesting we increase the numbers of builds we
do. The suggestion would be that certain already-existing builds acquire
some extra certificates.

> I don't think having regional CAs will scale. If we start allowing them
> we open the floodgates for any region to set up their own CA and we'll
> get swamped with requests.

Just because we allow them now doesn't mean we have to allow them later.
We could just close the door at any point.

Gerv

Toni Hermoso Pulido

Feb 8, 2007, 6:58:35 AM
to Mozilla l10n

Gervase Markham wrote:

As you can understand, Microsoft people can wittily state with this that
it is better to deploy Internet Explorer in those administrations. (sic)


David E. Ross

Feb 8, 2007, 10:58:08 AM
to

While I see the CatCert certificate listed on the cited MS Web site, I
do not see the Vienna certificate.

Each certificate on the MS Web page is listed with a URL. According to
bug #342503, the Web site for the Vienna CA is
<http://www.wien.gv.at/ma14/zertifikate.html>. The root certificate is
at <https://www.wien.gv.at/ca-top-2035/ext/cacert/cacert.crt>. Nowhere
on the MS Web page is "Vienna", "www.wien.gv.at", or even merely "wien".

David E. Ross

Feb 8, 2007, 11:00:43 AM
to

Whatever resolution is made, be sure it does not run afoul of separatist
politics.

Ibon Igartua

Feb 8, 2007, 12:19:09 PM
to Gervase Markham, Mozilla l10n Zerrenda
Gervase Markham wrote:

In that list I can also see Izenpe (http://www.izenpe.com).

Izenpe is the CA authority created by the Basque Government to handle
all the certificates with the Basque administration.

We could compare this with the Catalonia case.

I'll try to contact some people from Izenpe.

regards,

ibon - Basque lang. l10n (eu)

Frank Hecker

Feb 8, 2007, 12:57:20 PM
to
Ibon Igartua wrote:
> In that list I can also see Izenpe (http://www.izenpe.com).
>
> Izenpe is the CA authority created by the Basque Government to handle
> all the certificates with the Basque administration.
>
> We could compare this with the Catalonia case.
>
> I'll try to contact some people from Izenpe.

Note that we now have bug 361957 open for Izenpe, thanks to Gerv.

Frank Hecker

Feb 8, 2007, 3:20:20 PM
to
Jonas Sicking wrote:
> I don't think having regional CAs will scale. If we start allowing them
> we open the floodgates for any region to set up their own CA and we'll
> get swamped with requests.

This is indeed a concern. However it's also worth noting that thus far
we've gotten only a few requests for such regional CAs, and it's not
clear how many will apply in future.

It's probably worth doing a "worst case" scenario. Based on a quick look
at the US, Canada, and various countries in Europe and Asia, there are
probably on the order of three hundred or so regional governments in the
world that might be candidates to have CAs. Some of these countries
don't have true federal systems, and thus any government CAs are likely
to be national in scope (e.g., France, which recently submitted a
request for a French national CA). In other countries that do have
federal systems we haven't seen any region-level PKI initiatives emerge
yet (e.g., for states in the US). Thus in practice the number of
regional CAs and CA certificates we'll ever see for these countries will
likely be considerably less than three hundred, perhaps just a few dozen
at most. (By way of comparison, we currently have thirty or so CAs and a
hundred or so CA certificates in the default list.)

Based on this (admittedly rough) analysis, I'm not sure there's any
danger of being swamped with requests from regional government CAs, at
least in the near to mid term. I'm beginning to think that the best
approach may be to allow regional government CAs to apply for inclusion,
and then just make some reasonable judgments on a case by case basis as
to whether to include a particular CA. This is admittedly subjective,
but I don't think we can necessarily come up with a strict set of
criteria that would be applicable in all cases.

Gervase Markham

Feb 9, 2007, 5:23:20 AM
to
David E. Ross wrote:
> While I see the CatCert certificate listed on the cited MS Web site, I
> do not see the Vienna certificate.

They are listed as "Arge Daten", three from the top.

The URL given in the Microsoft list is the same one as in the URL field
of the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=342503

Gerv

Gervase Markham

Feb 9, 2007, 5:24:55 AM
to
Ibon Igartua wrote:
> In that list I can also see Izenpe (http://www.izenpe.com).
>
> Izenpe is the CA authority created by the Basque Government to handle
> all the certificates with the Basque administration.
>
> We could compare this with the Catalonia case.

Good point. As Frank says, we have a bug open for Izenpe; I didn't
realise they were also a regional CA. I've put that bug on hold also
with the same message as Vienna and Catalonia.

Gerv

Axel Hecht

Feb 9, 2007, 6:17:31 AM
to

I agree, we should take those certs that benefit our users, and make the
painful cut where it is becoming too painful for us.

I think we should try to pair this with some strong lobbying in the
other direction, too. Like, what are CAs good for, if users can't use
them securely. I bet that having their own CA is sexy and groovy for a
politician, and might make the regional ego proud, but it's going to be
disappointing for them to then get ignored.

Do we have contacts with the MS guy, and/or Opera here?

I don't know if there is a way to enable regional governments to use
certs without growing the CAs ad absurdum.

Target areas for that lobby work might be the US, EU, India, China, Russia.

Sounds like a worthwhile thing to spend some quality foundation
resources on, both on raising awareness of the problem, and proposing a
solution.

Axel

Christian Biesinger

Feb 9, 2007, 9:18:21 AM
to
Gervase Markham wrote:
> They are listed as "Arge Daten", three from the top.
>
> The URL given in the Microsoft list is the same one as in the URL field
> of the bug.
> https://bugzilla.mozilla.org/show_bug.cgi?id=342503

Arge Daten is not the same as the city of Vienna. The URL is also
different - one is /wien.html, the other is /argedaten.html.

David E. Ross

Feb 9, 2007, 7:34:49 PM