Eddy Nigg (StartCom Ltd.) wrote:
> Following discussions both in private and at the dev-security mailing
> list of Mozilla with various participants, we decided to put forward the
> following initial proposal of a framework for the handling of SSL/TLS
> and S/MIME digital certificates in Mozilla products.
Just to be clear: this is, at heart, a UI proposal, isn't it? You want
the UI to differentiate between these four levels, rather than just the
one level (as now) or two levels (as IE 7 does with EV)?
The Mozilla Corporation has just hired Jonathan Nightingale from IBM to
work specifically on security UI for Firefox 3. I'm sure he will take
your proposal on board.
> Currently all digital certificates are treated in the same way in today's
> software. A certificate is considered as valid if:
> 1.) The certificate is found to be issued by a CA which is in the NSS
> certificate root store
> 2.) The certificate is not expired (within valid boundaries of the from
> / to dates)
> 3.) The CN resp. emailAddress field matches the web site address, resp.
> email address
I'm sorry, but I can't work it out - what does the abbreviation "resp."
stand for?
> We propose to define four different validation levels or classes
> according to which existing and future verification procedures of CAs
> can be treated.
You explain the levels well in terms of the validation performed.
However, as this is at heart a UI proposal, how do you suggest (in terms
of concepts, rather than in terms of pixels) these levels should be
presented to the user?
For example, my mother is considering using her credit card at a shop,
and the UI indicates (in some way) that it is level 2 secured. Should
she shop there?
I've visited a site that I think is my bank, and it has a level 4
certificate. Should I be concerned, given that level 4 is normally for
individuals? How concerned?
> The levels could be according to the list below; however,
> it's only a suggestion and should be adjusted and refined after thorough
> discussion by the community:
Why four levels, rather than six? Or two? Or ten?
> The identity is validated by various means, such as verification of the
> identity via scanned, photocopied or photographed photo ID documents
> (passport, identity card, driving license) and company registry, which
> is then further verified by a lookup at a third party source, such as
> phone directories and a phone call or sending of a registered mail to the
> address found in the documents provided by the subscriber. This kind of
> verification is not done in person. Ownership of the domain name, resp.
> email account, is verified according to Level 1. The certificate must
> state the subscriber name/organization name, locality, state (where
> applicable) and country.
So for individuals, the certificate contains address information which
is unverified?
> *Implementation:*
> The Mozilla CA policy will be extended to include the above described
> definitions. Levels can be assigned by the CA within the subscriber
> certificate with a specially defined OID by using for example the
> Mozilla OID space. In this proposal we suggest leaving the definition
> of levels to the CA, as in any case the CA defines its verification
> procedures in its own policies.
How does your proposal ensure that the CAs stick to what they have
promised - i.e. that the OID they put in the certificates corresponds to
the level of validation done? Do we just have to trust them?
Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
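Added example, not part of the thread and not Mozilla or NSS code: a Go program, standard library only, that applies the three validity checks Eddy lists (issuer chains to a root in the store, validity dates, name matches the site) to constructed certificates, and then reads a "level" OID back out of the certificatePolicies extension the way the Implementation section proposes. The CA names, hostnames, dates and the four level OIDs under the 2.999 example arc are all assumptions made for this demo; the thread never assigned real Mozilla OID space values. Note that Go's verifier matches the hostname against SAN dNSName entries rather than the CN mentioned in the quoted text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certificatePolicies (RFC 5280 4.2.1.4) and four hypothetical level OIDs under the 2.999 example arc.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
var levelOIDs = []asn1.ObjectIdentifier{{2, 999, 1}, {2, 999, 2}, {2, 999, 3}, {2, 999, 4}}

// Fixture holds constructed certificates for the demo; none of them is real.
type Fixture struct {
	Now     time.Time
	Roots   *x509.CertPool
	Good    *x509.Certificate // www.example.com, in date, level 2, trusted issuer
	Expired *x509.Certificate // same name and issuer, but validity ended before Now
	Rogue   *x509.Certificate // issued by a CA that is not in Roots, no level OID
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func year(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }

func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: year(2006), NotAfter: year(2016),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue signs a server certificate for host under ca; level 0 adds no level OID.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, level int, from, to time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // Go's verifier matches SAN dNSNames only, never the CN
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if level > 0 { // written as a raw extension so the encoding is identical on every Go version
		val := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{levelOIDs[level-1]}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// Validate applies the three checks quoted in the thread: the chain ends at a root
// in roots, every certificate is inside its validity window at now, and the name matches host.
func Validate(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// PolicyLevel reads the level OID back out of certificatePolicies (ok is false when none is
// present). It is only the issuer's claim: any CA can emit the OID, so check Validate first.
func PolicyLevel(leaf *x509.Certificate) (level int, ok bool) {
	for _, p := range leaf.PolicyIdentifiers {
		for i, l := range levelOIDs {
			if p.Equal(l) {
				return i + 1, true
			}
		}
	}
	return 0, false
}

func BuildFixture() *Fixture {
	ca, caKey := newCA("Example Trusted Root")
	other, otherKey := newCA("Unknown Root")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Fixture{
		Now:     time.Date(2007, 6, 1, 0, 0, 0, 0, time.UTC),
		Roots:   roots,
		Good:    issue(ca, caKey, "www.example.com", 2, year(2007), year(2008)),
		Expired: issue(ca, caKey, "www.example.com", 2, year(2005), year(2006)),
		Rogue:   issue(other, otherKey, "www.example.com", 0, year(2007), year(2008)),
	}
}

func main() {
	f := BuildFixture()
	for name, c := range map[string]*x509.Certificate{"good": f.Good, "expired": f.Expired, "rogue": f.Rogue} {
		lvl, ok := PolicyLevel(c)
		fmt.Printf("%-8s level=%d claimed=%v verify=%v\n", name, lvl, ok, Validate(c, f.Roots, "www.example.com", f.Now))
	}
	fmt.Println("good, wrong host:", Validate(f.Good, f.Roots, "www.example.net", f.Now))
}
```

The rogue case is the point of the last question in the reply: the OID in the certificate is an assertion by whoever signed it, so PolicyLevel only means something once Validate has succeeded and the root program actually holds that CA to the level's stated procedures.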