"SSL" "Mail" and "Code"

Does anybody know of any discussions taking place within Mozilla regarding
these 3 bits in the certificate manager?  Perhaps I've missed something in
the discussions here.

In any case, I think a new mechanism for indicating trust w/in the Mozilla
apps are needed.  Take for example the "StartCom Certification Authority"
root.  The Certificate Manager (I'm using Firefox on Windows) says it can
identify web sites, email users, and code yet the cert itself says it can
only be used for signing other certs (essentially, that is).  At a minimum
this is confusing but I have to wonder if the Mozilla code base would ever
use the cert for servers/email/code?

The reason I ask is that I would expect that any and all root certificates
are only used to validate subsequent certificates.  To my mind, there is no
justification for using a root cert alone--without any intermediate or
end-point certs.  So which way will Mozilla code operate, and how will
I necessarily know?

Thanks.
Peter
1/31/2012 1:10:11 AM
mozilla.dev.security.policy

On 01/31/2012 03:10 AM, From Peter Kurrasch:
> In any case, I think a new mechanism for indicating trust w/in the Mozilla
> apps are needed.  Take for example the "StartCom Certification Authority"
> root.  The Certificate Manager (I'm using Firefox on Windows) says it can
> identify web sites, email users, and code yet the cert itself says it can
> only be used for signing other certs (essentially, that is).  At a minimum
> this is confusing but I have to wonder if the Mozilla code base would ever
> use the cert for servers/email/code?

Hi Peter,

Actually it does - let's say if the email trust bit isn't enabled, S/MIME 
client certificates wouldn't be valid. The intermediate CAs inherit the 
trust settings from the root OR the software goes all the way back to 
the root to check if it's enabled.

Of course the root isn't used to sign email, but can issue S/MIME 
certificates (better the intermediate CA certificates thereof).

-- 
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    startcom@startcom.org
Blog:  	 http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy
1/31/2012 1:16:02 AM
Hi Eddy--thanks for the answer.  But....

I guess I don't see the point of this inheritance thing.  Either the
end-point cert says to use it for email or it doesn't, right?  The root and
intermediates should only serve to say "I can vouch for the next cert in
the chain" but if the end cert doesn't say it can be used for email it
shouldn't be used for email.  Mozilla code must be driven by that cert
alone, I would think?

And completing that thought, I suppose, the user should not be allowed to
over-ride that end certificate.


On Mon, Jan 30, 2012 at 7:16 PM, Eddy Nigg <eddy_nigg@startcom.org> wrote:

> On 01/31/2012 03:10 AM, From Peter Kurrasch:
>
>> In any case, I think a new mechanism for indicating trust w/in the Mozilla
>> apps are needed.  Take for example the "StartCom Certification Authority"
>> root.  The Certificate Manager (I'm using Firefox on Windows) says it can
>> identify web sites, email users, and code yet the cert itself says it can
>> only be used for signing other certs (essentially, that is).  At a minimum
>> this is confusing but I have to wonder if the Mozilla code base would ever
>> use the cert for servers/email/code?
>>
>
> Hi Peter,
>
> Actually it does - let's say if the email trust bit isn't enabled, S/MIME
> client certificates wouldn't be valid. The intermediate CAs inherit the
> trust settings from the root OR the software goes all the way back to the
> root to check if it's enabled.
>
> Of course the root isn't used to sign email, but can issue S/MIME
> certificates (better the intermediate CA certificates thereof).
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    startcom@startcom.org
> Blog:    http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Peter
1/31/2012 1:26:55 AM
On 01/31/2012 03:26 AM, From Peter Kurrasch:
> Hi Eddy--thanks for the answer.  But....
>
> I guess I don't see the point of this inheritance thing.  Either the
> end-point cert says to use it for email or it doesn't, right?

Yes, but....what if Mozilla decided not to enable the SS (server) bit? 
Those certificates will not be valid for web sites even if the 
end-entity certificate says it is. At least for Mozilla software.

-- 
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    startcom@startcom.org
Blog:  	 http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy
1/31/2012 1:29:11 AM
On Mon, Jan 30, 2012 at 7:29 PM, Eddy Nigg <eddy_nigg@startcom.org> wrote:

> On 01/31/2012 03:26 AM, From Peter Kurrasch:
>
>> Hi Eddy--thanks for the answer.  But....
>>
>> I guess I don't see the point of this inheritance thing.  Either the
>> end-point cert says to use it for email or it doesn't, right?
>>
>
> Yes, but....what if Mozilla decided not to enable the SS (server) bit?
> Those certificates will not be valid for web sites even if the end-entity
> certificate says it is. At least for Mozilla software.
I'm trying to imagine a case where that would happen--and if so, why it
should be allowed.  From my perspective, either a certificate is allowed to
stand on its own or it isn't.  If Mozilla wants to revoke a cert--for
example, it's known to be a forgery or it has "DigiNotar" in the name--it
needs to be completely revoked.  If it's not revoked, the cert extensions
stand.

Partially acknowledging what's in a cert doesn't make sense to me.  And
either way, I would suggest the UI could be improved so that revoked certs
are clearly identified as revoked or no longer trusted.  I was looking
through the cert manager today and spent maybe 20 minutes trying to
understand why I now have a cert named "MD5 Collisions Inc." in there that
expired in 2004!  I got it figured out now but this "is it using the cert
or isn't it" interface is for the birds.
Peter
1/31/2012 1:47:57 AM
On 01/31/2012 03:47 AM, From Peter Kurrasch:
> On Mon, Jan 30, 2012 at 7:29 PM, Eddy Nigg<eddy_nigg@startcom.org>  wrote:
>
>>
>> Yes, but....what if Mozilla decided not to enable the SS (server) bit?
>> Those certificates will not be valid for web sites even if the end-entity
>> certificate says it is. At least for Mozilla software.
>
> I'm trying to imagine a case where that would happen--and if so, why it
> should be allowed.

Some CAs don't issue Server or S/MIME or Code certificates. Some don't 
comply with the requirements of Mozilla to issue such certificates. In 
such a case, one or more of those trust bits wouldn't be enabled. Some 
would be enabled, for which the CA has been approved.

Today I believe it's also used to explicitly distrust a root 
certificate, but that's more of a hack really.

-- 
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    startcom@startcom.org
Blog:  	 http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy
1/31/2012 1:58:57 AM