Hi Anders

Thank you very much, this really helps a lot :) We won't let end-users use that tool; instead, we put it in an installer and let the installer do the dirty work.

Btw, since this certutil.exe is downloaded from microsoft.com, I'm a little worried about whether this certutil.exe is the same certutil.exe as in NSS?
On Thu, Jul 22, 2010 at 12:14 AM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> On 2010-07-21 17:57, Amax Guan wrote:
> > Hi Anders
> >
> > Thanks for your information. Do you know where I can download a Windows binary of certutil.exe?
>
> Hi Amax,
> Try this SDK which is supposed to contain certutil.exe as well:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6&displaylang=en
>
> But I can't imagine end-users dealing with such a horrible tool.
> This is for *cryptographers* only.
> Making a Chinese Firefox distribution should be a more workable solution.
>
> Anders
>
> > On Wed, Jul 21, 2010 at 11:32 PM, Anders Rundgren <anders.rundg...@telia.com> wrote:
> > > On 2010-07-21 16:26, Amax Guan wrote:
> > > > Thank you very much, it's very helpful. I put most of the replies inline.
> > > >
> > > > On Wed, Jul 21, 2010 at 8:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> > > > > On 20/07/10 04:23, Amax Guan wrote:
> > > > > > I've got a problem helping China Construction Bank (CCB for short) support Firefox. CCB has its own CA root, used to issue certificates to its users, and they issued some server certs using this cert.
> > > > >
> > > > > Do you know why they cannot buy a cert from a trusted CA, like every other business (including most banks)?
> > > >
> > > > I think basically it's because they have too many certs to issue (one for each user), it costs too much money, and they do not want anyone else to know how many users they have, and their names, including the CA.
> > >
> > > Absolutely. It would be extremely inconvenient also.
> > >
> > > > Kai mentioned that it's OK to use an untrusted-CA-signed user certificate in Firefox to sign, but they are not only using this cert for signing, they also use the cert for two-way SSL, and they periodically renew the cert. But if you generate a user certificate that's issued by an untrusted CA, there will be an alert popup.
> > >
> > > If that's really true I would call it a bug. I guess it is renewal that really is the problem? <keygen> doesn't support renewals.
> > >
> > > Few if any end-user bank certificates have their root in browsers.
> > >
> > > > The server cert I don't know why, but I guess maybe it's because they already have this CA system, they just want to save some money and time? I mean not every cert on their website is signed by themselves, they have VeriSign certificates on most of their webpages, but on some specific server, they use a cert issued by their own CA. The server using their own CA is in the certificate generation process, I wonder if it is related to two-way SSL or something?
> > > >
> > > > And btw, every bank in China has its own CA system to generate user certificates.
> > >
> > > Yes, and that is how it should be; SSL certificates are another (hopefully unrelated) topic.
> > >
> > > Anyway, Chinese banks will some day get a solution in Firefox that actually addresses consumers (rather than cryptographers), but it will take some time to get it out of the door:
> > >
> > > http://webpki.org/auth-token-4-the-cloud.html
> > >
> > > Since US banks and government agencies do not use certificates for consumers and citizens this is primarily a European/Asian issue and we cannot expect to get any support from Mozilla except maybe a "Good luck" or so :-)
> > >
> > > Regards
> > > Anders Rundgren
> > >
> > > > > > And they want to put their CA root certificate into Firefox, so that there will be no alert popup in the certificate generation process and no security alert when users access their website. And here come the questions.
> > > > >
> > > > > Can you be more specific about the errors that people who bank with CCB encounter in "the certificate generate process"?
> > > >
> > > > They use the keygen tag to generate the user certificate (they need to renew the certificate periodically), and the form is submitted to a cert page with contentType=x509/certificate or something like that. Firefox will automatically save the certificate to where its corresponding key is, and after that pop up an alert saying the cert is downloaded successfully. AND THEN, if the CA of the cert is untrusted, Firefox will pop up another alert talking about "Cannot import the certificate, the issuer of the cert is unknown, the cert is invalid or ...."
> > > >
> > > > > > 1. Right now, we are trying to use certutil.exe in their USB-Key driver installer to do that. However, one of my colleagues seems to have some problems building certutil.exe in Visual Studio 2005. And sometimes, it fails to run on some machines. I tried to find a stable version of that tool through Google, but I failed. Is there any stable version of certutil I can download that will work on most versions of Windows? Or why is it so hard to build, is there some way to make it better?
> > > > >
> > > > > I don't know the answer to this particular question.
> > > >
> > > > Unlucky for me :( Because according to several emails I made yesterday, this way seems to be the most doable and effective way.
> > > >
> > > > > > 2. Since the certutil.exe solution did not go very well, we think maybe we could embed their CA cert in our Firefox China Edition. According to my knowledge, at least half of the population in China are CCB bank users, and being unable to access online banking is our major problem in China, so we think this makes sense. We can make an addon to do that, but it occurred to us that an addon is so open that anyone who knows where it is can change the cert, or do something else dangerous. So, is there a better way to put the cert in? Maybe through a binary XPCOM is better?
> > > > >
> > > > > The Mozilla project does not issue copies of Firefox that trust new CAs without those CAs going through the official process, as described below. Even when we do go through the process, people still object - see the CNNIC case. There is absolutely no chance of any official Firefox being released which trusts a cert belonging to another Chinese company, or any company, without it going through the trust checking process. Many of our users in China, as well as those elsewhere, would not like it.
> > > > >
> > > > > CCB may, of course, create their own addon to add the cert (assuming that's technically possible). But all their customers would need to install it individually. It is no more or less dangerous to use an addon than any other method.
> > > > >
> > > > > What is the current procedure for people who bank with CCB who use IE, Safari or Chrome? Do those browsers trust the CCB certificate?
> > > >
> > > > CCB only works in IE right now, and online banking sure is our top priority in China now. In IE, there is a concept of trust zone, and in their installer, they put themselves in the trust zone, and put their CA cert in the Windows cert DB through CSP.
> > > > Btw: they are talking with MS to put their CA root in Windows.
> > > >
> > > > > > 3. Is it possible to put the bank's CA cert in Firefox's default cert DB? So that we don't need to worry about security problems...
> > > > >
> > > > > It is certainly possible. There is a process for this:
> > > > > https://wiki.mozilla.org/CA:How_to_apply
> > > > > However, it can take many months.
> > > >
> > > > Got it.
> > > >
> > > > > I hope that's helpful :-)
> > > >
> > > > It sure is, thank you very much for your help
> > > >
> > > > > Gerv
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
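The installer-driven approach discussed in this thread, as an added example (not code from the thread, from CCB's installer or from NSS): it drives the NSS certutil (a different program from the Windows certutil.exe) to add a CA root to each Firefox profile's cert DB and then checks the trust flags that were actually set. The nickname "CCB Root CA", the file ccb-root.pem and the sample profiles.ini and listing text are constructed for illustration.

```python
import configparser
import subprocess
from pathlib import Path

# NSS trust flags are three columns: SSL, S/MIME, object signing.
# "C,," makes the cert a trusted CA for SSL server authentication only;
# e-mail and code-signing trust are deliberately left unset.
TRUST_FLAGS = "C,,"

# Constructed sample of `certutil -L` output (not captured from a real DB).
SAMPLE_LISTING = (
    "Certificate Nickname              Trust Attributes\n"
    "                                  SSL,S/MIME,JAR/XPI\n\n"
    "CCB Root CA                       C,,\n"
    "Some Other Cert                   ,,\n"
)

def profile_dirs(profiles_ini_text: str, firefox_dir: Path) -> list:
    """Resolve the profile directories named in Firefox's profiles.ini."""
    cfg = configparser.ConfigParser()
    cfg.read_string(profiles_ini_text)
    dirs = []
    for section in cfg.sections():
        if not section.startswith("Profile") or "Path" not in cfg[section]:
            continue
        path = Path(cfg[section]["Path"])
        if cfg[section].get("IsRelative", "1") == "1":
            path = firefox_dir / path  # relative to the Firefox user dir
        dirs.append(path)
    return dirs

def import_command(profile_dir: Path, nickname: str, ca_pem: Path) -> list:
    """certutil invocation that adds ca_pem to one profile's cert DB."""
    return ["certutil", "-A", "-d", f"sql:{profile_dir}", "-n", nickname,
            "-t", TRUST_FLAGS, "-i", str(ca_pem)]

def trust_flags_for(listing: str, nickname: str):
    """Return the trust attributes shown for nickname in `certutil -L`
    output, or None when the CA is not present in the DB."""
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)   # last token = trust column
        if len(parts) == 2 and parts[0].strip() == nickname:
            return parts[1]
    return None

def install_ca(firefox_dir: Path, nickname: str, ca_pem: Path) -> dict:
    """Import the CA into every profile; map profile dir -> trust flags."""
    ini = (firefox_dir / "profiles.ini").read_text()
    seen = {}
    for profile in profile_dirs(ini, firefox_dir):
        subprocess.run(import_command(profile, nickname, ca_pem), check=True)
        out = subprocess.run(["certutil", "-L", "-d", f"sql:{profile}"],
                             check=True, capture_output=True, text=True).stdout
        seen[str(profile)] = trust_flags_for(out, nickname)
    return seen
```

install_ca() needs the NSS certutil on PATH; the parsing helpers run without it.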