Comment 18 for bug 310999

In , Phr-mozilla (phr-mozilla) wrote:

Nelson (comment #11): unfortunately in this instance there is no subsidiary CA associated with StarCert to shut off. Eddy's cert is signed directly by Comodo and, as you've mentioned, a lot of other Comodo certs would stop working. It would be good to have a way to shut off just the StarCert-approved certificates, but that would require considerably different policy and CA procedures than are now in place.

Paul (comment #12): Mozilla in my opinion should stay out of the PKI business. See some of the discussion including Nelson's comments (and mine) at bug #215243. The acceptance criterion is 3rd party audit of prospective CA's. I would hope that the audit includes verification of significant liability insurance coverage in case of a breach (like this one) but I have the impression that it does not, sigh.

I would like to know whether Eddy's mozilla.com certificate works in MSIE. Can someone try? I know that an old Comodo cert that I used to use years ago, worked in MSIE. It was one of their free certs and I still had to fax my drivers' license to them, so clearly we've been seeing a race to the bottom.

Anyway though, we've all always known that "domain control" authentication (spoofable by intercepting just one email at a time of the attacker's choosing) is basically crap, and there are always sure to be some bogus certs in use even when CA procedures are followed properly, just like there are fake drivers' licenses floating around despite the efforts of the DMV. We simply shouldn't use such certs for high-assurance purposes. That's also why EV certs exist, plus managed PKI, hardware tokens with client certs, etc. I think we should not get overwhelmed with panic or FUD because of this incident. The Debian ssh security hole earlier this year was much worse, Verisign famously signed a microsoft.com code signing key for some attacker years ago, etc. This is looking to be yet another incident where Mofo should work with Comodo to figure out what to do with reasonable speed but with thoughtfulness.

Also, Eddy's contributions to this topic are valuable and appreciated, but at the same time we all understand that as a competitor to Comodo he is a player in the game, and some of his posts come across somewhat differently when read in the light of that self-interest. I hope he can pay more attention to appearances and tone down the protestations a little.