On Wed, Dec 24, 2008 at 1:46 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Paul Hoffman wrote, On 2008-12-24 09:55:
>> At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote:
>>> I'd like to see an extension that allows other certificates (for the
>>> same public key) to be included in a certificate (self-signed or not).
>>
>> Are you asking for a Mozilla extension or a PKIX extension? If the
>> latter, none is needed: it is already inherent in PKIX. In fact, I am not
>> sure that anything needs to be done by Mozilla. The following should
>> theoretically work:
>>
>> - Remove all trust anchors one-by-one
>> - Add your single trust anchor
>> - Sign the certs of any CA you want
>> - Add those signed certs to the pre-loaded validation path (not root)
>> cert list
>>
>> I haven't tried this myself, but it should work. I have been told that
>> something very similar to it works fine in XP/Vista for IE.
>
> Of course, that is COMPLETELY equivalent to simply setting trust flags on
> the CA certs you want to trust, and removing those flags from the ones you
> don't want to trust, which is already a part of Mozilla browsers (and
> Netscape browsers, before them) for over 14 years.

To be honest, Mozilla doesn't distribute keytool with Firefox, which
means that I have to try to go into the (unbatchable) interface and
remove the flags one. by. one. by. one. and then select the next
certificate and remove those trust flags, and the next, and the next,
and the next...

...for all hundred or so certs that Firefox includes.

And then, once I DO manage to do that, then with the "new and
improved" user interface updates, I then have to click at least six
times to try to figure out what's going on, and then when I do find a
site that's protected by an unknown CA certificate (OR that I've
removed the trust bits on), I have to do the following:

1) Click 'add an exception'
2) Click 'get certificate' (why I should have to do this is beyond me,
since Firefox obviously already has the certificate downloaded since
it told me 'sec_error_untrusted_issuer', which it couldn't have known
without the certificate in its possession ANYWAY)
3) click 'view'
4) get the name of the Issuer
5) hope to all the gods that there's enough information in the chain
to figure out what root it's supposed to be going to
6) close the window
7) go into Preferences
8) click Advanced
9) click Encryption
10) click 'View Certificates'
11) Scroll through the list, with each click giving me approximately
0.6 useful results (given the preponderance of 'section headings by
root owner', which by the way doesn't work at all with the Addtrust AB
stuff since those are Comodo roots)
12) find the appropriate root and re-enable it for identification of websites
13) refresh the page.

How 'bout this, Nelson (and I invite Frank and the entire security UI
team to do this, as well): YOU do it.  Create a new profile and
manually remove the trust on every CA.  Then, browse around, and see
which CAs are actually used by you in your day-to-day browsing,
reenabling them manually (since you're trying to emulate not having
keytool around).

Furthermore, even when keytool IS available, it's entirely likely that
its name conflicts with Java's keytool.  (especially on Mac OSX.)

This is completely unworkable, and discourages users that want to from
taking their security into their own hands.

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
