Comment 11 for bug 310999

Nelson-bolyard (nelson-bolyard) wrote:

Presently, there is no combination of trust flag settings that can be set
through PSM to cause a subordinate CA cert to be actively distrusted when
that cert is issued by a superior CA that is trusted. IOW, there's no
"Distrust this cert, regardless of its issuer" trust flag now usable in
Mozilla products. (There is one partially implemented in NSS, but it is
not presently usable, and even if it was, there's no UI for it in PSM.)

However, it is possible to effectively cause an individual subordinate CA
to be treated by NSS as invalid, thereby causing all certs that were
issued by (subordinate to) that CA to be treated as invalid. This can be
done by downloading a replacement cert for that subordinate CA into one's
browser, a replacement that is invalid but which effectively supersedes
the existing valid subordinate CA cert.

Such a replacement cert can be used in any of several ways.

a) End users who wish to no longer trust a particular subordinate CA, but
who do not wish to remove all trust from the root issuer for that CA, may
download a replacement cert, thereby achieving their desired effect.
If, at some later time, the user wishes to reverse his decision, he only
needs to delete the replacement cert to do so.

b) Mozilla could (if it so chose) add such a replacement cert to its
"built in" list of CA certs. That list is commonly called the list of
"trusted CA certs", but in this case, the cert would not be trusted.

There are pros and cons to this idea. Here are some additional considerations:

- A replacement cert could be made available TODAY for download.
- A replacement cert in the "built in" list of CA certs could not be
deleted by the user.
- A replacement cert in the "built in" list could be marked as trusted by
the user, if the user wished to continue to trust certs issued by that CA.
- A replacement cert is (in some sense) an (intentionally bad) forgery,
and might receive a hostile reaction from the superior CA(s) who issued
the cert(s) being replaced. (Robin: care to comment on that?)
- A replacement cert could be issued in a way that allows a superior CA
to issue a new cert that replaces the replacement.

Comments?
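The following is an added illustration of the "replacement cert" idea from the comment above; it is not code from the bug report, from NSS, or from Mozilla. It builds a constructed sample PKI (root, subordinate CA, leaf) with the `cryptography` package, then adds a second cert for the subordinate CA that carries the same subject name and public key but a later notBefore and a signature made with a throwaway key. The chain builder is a deliberate simplification and an assumption of this example only: it picks, among stored certs whose subject matches the issuer name, the one with the newest notBefore. Under that assumption the bogus replacement shadows the real sub-CA cert and the chain fails; removing it from the store restores the normal result, which is the reversal described in point (a).

```python
"""Added example (not from the bug comment or from NSS): an intentionally
invalid "replacement" subordinate CA cert shadowing the real one.

Assumptions, labelled here as in the lead-in:
  * chain building is simplified to "among stored certs whose subject matches
    the issuer name, take the one with the latest notBefore"; this stands in
    for a lookup heuristic and is not a reproduction of NSS's code;
  * the replacement carries the real sub-CA's subject name and public key but
    is signed with a throwaway key, so it cannot chain to the root.
Requires the `cryptography` package.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _not_before(cert):
    # cryptography >= 42 prefers the _utc accessor; fall back on older releases.
    return getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before


def make_cert(subject, issuer, pubkey, signing_key, ca, not_before, days=365):
    """Build and sign one X.509 cert with a single CN and a BasicConstraints ext."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_pki():
    """Constructed sample PKI: root -> sub-CA -> leaf, plus a bogus replacement."""
    root_key, sub_key, leaf_key, junk_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4)
    )
    t0 = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    root = make_cert("Example Root", "Example Root", root_key.public_key(), root_key, True, t0, 3650)
    sub = make_cert("Example Sub CA", "Example Root", sub_key.public_key(), root_key, True, t0, 1825)
    leaf = make_cert("www.example.test", "Example Sub CA", leaf_key.public_key(), sub_key, False, t0)
    # Replacement: same subject and key as the real sub-CA, later notBefore,
    # but signed with a throwaway key, so it does not verify under the root.
    replacement = make_cert("Example Sub CA", "Example Root", sub_key.public_key(),
                            junk_key, True, t0 + dt.timedelta(days=30), 1825)
    return {"root": root, "sub": sub, "leaf": leaf, "replacement": replacement}


def verify_chain(leaf, store, trusted_root_name):
    """Walk from the leaf to the trust anchor, choosing the newest stored cert
    whose subject matches each issuer name (the labelled assumption).
    Returns (ok, reason)."""
    cert = leaf
    for _ in range(8):  # depth guard
        if cert.subject == cert.issuer:  # self-signed: must be the trust anchor
            if cert.subject == _name(trusted_root_name):
                return (True, "ok")
            return (False, "unknown anchor")
        candidates = [c for c in store if c.subject == cert.issuer]
        if not candidates:
            return (False, "issuer not found")
        issuer = max(candidates, key=_not_before)  # newest cert for that subject wins
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return (False, "bad signature on %s under the chosen issuer cert"
                    % cert.subject.rfc4514_string())
        cert = issuer
    return (False, "chain too long")


def scenario(pki, with_replacement):
    """Validate the leaf with, or without, the replacement cert in the store."""
    store = [pki["root"], pki["sub"]] + ([pki["replacement"]] if with_replacement else [])
    return verify_chain(pki["leaf"], store, "Example Root")


if __name__ == "__main__":
    pki = build_pki()
    print("normal:          ", scenario(pki, False))
    print("with replacement:", scenario(pki, True))
```

Note where the failure lands: the leaf still verifies, because the replacement carries the real sub-CA public key; it is the replacement's own signature that cannot be verified under the root, so every cert beneath that subordinate CA becomes unusable while the root stays trusted. Deleting the replacement from the store is all it takes to undo the effect.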