Bug 208323 - Add DoD root CA
Status: Closed, RESOLVED WONTFIX
Opened 21 years ago; closed 19 years ago
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
People: Reporter: william.jon.mccann; Assigned: hecker
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313

I'm not affiliated with the US Department of Defense, but it seems that the DoD root CA should be trusted in the Mozilla database. I think that adding this would help Mozilla browser acceptance in US government work.

The cert hierarchy looks like this:

DoD Class 3 Root CA
  DOD Class 3 Email CA-3
    LAST.FIRST.23452762

where the user's name is FIRST LAST.

Reproducible: Always
Comment 1 • 21 years ago
PSM
Severity: normal → enhancement
Component: Daemon → Client Library
OS: Linux → All
QA Contact: junruh → bmartin
Updated • 21 years ago
Assignee: ssaux → wchang0222
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: bmartin → bishakhabanerjee
Comment 2 • 20 years ago
where does one find this root CA cert?
Comment 3 (Assignee) • 20 years ago
(In reply to comment #2)
> where does one find this root CA cert?

I think this is the one at http://dodpki.c3pki.chamb.disa.mil/rootca.html

But note that this is not a WebTrust-audited CA :-)

Nelson/Wan-Teh: If you'd like I can accept this bug.
Comment 4 • 20 years ago
Yes, Frank, please take this enhancement request and add it to the list of candidates for your consideration. Thanks.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated • 20 years ago
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
QA Contact: bishakhabanerjee
Version: unspecified → other
Comment 5 (Assignee) • 20 years ago
Accepting this bug. My initial comments:

The last time I dealt with the issue of the DoD PKI it was essentially a DoD-internal PKI for the use of U.S. military personnel (active or retired), DoD civilian employees, DoD contractors, and (maybe) allied forces (e.g., NATO). It was *not* intended for the use of the general public (whether U.S. citizens or not), and I'm not aware that members of the general public would ever be in a situation where they would encounter SSL-enabled web servers, S/MIME email, or signed code that used DoD-issued certificates.

Based on that I would consider this an "intranet" CA (albeit for a very large intranet) and based on my previous "meta-policy" comments I would recommend *not* including this in Mozilla et al.

I'll leave this bug open for a period of public comments, and then I'll close it with "WONTFIX" unless someone can provide compelling reasons why I should do otherwise.
Status: NEW → ASSIGNED
Comment 6 (Reporter) • 20 years ago
Hi Frank, Thanks for taking this bug. I opened it after I received a signed email, certified by this CA, from someone in the DoD. Anyone ever receiving a signed email from any one of the groups you mentioned (whether they are in one of those groups or are, like me, a civilian) would have a use for this addition.
Comment 7 (Assignee) • 20 years ago
Right, but your argument would apply to any possible private PKI: e.g., if Acme Widgets sets up an internal PKI to issue email certs to their employees, and then those employees send email to people outside the company, the recipients will have an issue if they don't recognize and trust the Acme root CA cert. So does that mean that the Acme root CA cert should be added to Mozilla et al.? I don't think so. My position would be that if Acme employees want to use their certs for external correspondence then they need to work with potential recipients to ensure that their certs are recognized.
Comment 8 (Reporter) • 20 years ago
The last part of my argument could apply to any root CA. I was merely arguing against your assertion that the "general public" would have no use for this.

I think it is entirely reasonable to expect and require that the commercial sector use WebTrust-audited CAs. The same goes for the private and most of the public sector. I am not sure it is reasonable to require that some parts of national governments, or NATO, or the UN, have a dependency on these external resources. I think there is an implicit trust in these bodies.

And then there is the market potential to consider. If Firefox/Thunderbird Just Work with DoD web sites and signed emails it makes it that much easier to promote adoption with anyone working in or with the DoD (a pretty huge market). Currently, these certs have to be configured on every client on every system they ever use. This means that someone has to write documentation for this. And perform testing. This is a lot more work than doing nothing. This means that by default new browsers won't be supported - as a policy.
Comment 9 • 20 years ago
William,

The government organizations are in no way required to use the built-in roots of the Mozilla products. They can install their own roots in their cert database for internal computers if they like, through trusted means other than downloading the binaries from mozilla.org.

The problem only exists for interoperability between the internal DoD PKI and the outside world, primarily for S/MIME e-mails. This case perhaps needs a different solution, involving cross-certification of the DoD root CA by one of the public included in Mozilla. Cross-certification isn't supported currently by NSS/PSM/Mozilla, but is being worked on for NSS.
Comment 10 (Assignee) • 19 years ago
I'm resolving this bug as WONTFIX. For reasons stated in my previous comments, it's not clear that the DoD PKI meets our policy requirements as being a CA for use by the general public or otherwise "[providing] some service relevant to typical users of our software products" (as the draft certificate policy puts it). We can revisit this issue later if desired.

Note that I'm not averse to including government CAs in the pre-loaded CA certificate list; it's just that IMO this is most justifiable in the case of PKI-enabled applications like secure government communications to/from ordinary citizens (e.g., using S/MIME email) or government web sites used by ordinary citizens. I don't see this as the case with the DoD PKI, which to my knowledge is oriented primarily toward DoD services and agencies, DoD contractors, and those doing business with the aforementioned groups.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Comment 11 • 17 years ago
I would like to see this bug reconsidered. With the addition of the annoying SSL error page in Firefox 3, it becomes a much greater issue. From my perspective, all US Army personnel use AKO (Army Knowledge Online). It is a portal site and includes things like web mail and more that all soldiers must use. This is a pretty large demographic, and as far as I know the other services have similar sites.
Comment 12 • 17 years ago
For people unfamiliar with that, it's:
http://www.us.army.mil/
which redirects to:
https://www.us.army.mil/suite/login/welcome.html
which fails instantly.

The second hit is:
http://www.army.mil/ako/
which is a gateway. The first three primary links fail with the same error for the same reason:
https://www.us.army.mil/
https://webmail.us.army.mil/
https://help.us.army.mil/

Contact information seems to be present here:
http://www.army.mil/ako/ContactForm/index.html

Interestingly, one of those links is:
AKO browser/mail certificate problems - Installing the DoD root certificate
<https://help.us.army.mil/cgi-bin/akohd.cfg/php/enduser/std_adp.php?p_faqid=50>
Which is of course blocked.

What is the DoD root certificate, and do I need it?

Question: What is the DoD root certificate, and do I need it?

Answer: A certificate is a digital document providing the identity of a web site or individuals. The Army Portal uses a certificate to identify itself to its users and to enable secure connections. If you are receiving a warning that this site is untrusted/insecure, you will need to install the "DoD Certificate." To download the DoD Certificates, please go to https://eportal.ctnosc.army.mil/. Enter your AKO username & password. Select the link labeled DoD Root Certificate at the top. Click the link for InstallRoot V2.18.A and save the file to your desktop. After the file has completely downloaded, go to your desktop and follow the directions on the page.

NOTE: This is not a CAC certificate nor does this certificate have any association with a Common Access Card (CAC). This certificate is only used to ensure that the security of the AKO/DKO website is verified by the DoD.

https://eportal.ctnosc.army.mil fails
https://fportal.ctnosc.army.mil fails
https://fsso.ctnosc.army.mil fails

Which has:
NOTE: If you are a Firefox user, click here to download the DoD add-on for CAC authentication. Please read and follow the setup instructions carefully.
https://addons.mozilla.org/en-US/firefox/addon/3182

This is *VERY* strange. It took me around 4-5 exemptions and probably 15-20 clicks in order to get to this point. And by now if I was actually being phished, I'd have accepted someone's root CA blindly.

For reference, the official bits seem to come from:
http://dodpki.c3pki.chamb.disa.mil/
http://dodpki.c3pki.chamb.disa.mil/rootca.html
And require JavaScript enabled (I'm using NoScript and one time temporary grants in order to navigate this maze).

I think someone should contact them and ask. This whole experience is strange, but it should be noted that right now they're clearly trying to reconfigure Firefox beyond merely adding a CA certificate.

One further note: the addon has a prelicense which claims to be GPL, I can't figure out why.
Comment 13 • 17 years ago
Making a root CA cert available for download ONLY from an https (SSL) server whose own cert depends on that same root CA cert is just silly.
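The trust-store point running through comments 9, 12 and 13 (a root that the client only trusts once it has been installed into its certificate database through a channel that does not itself depend on that root, versus a chain whose issuer the client does not know), shown as an added Go example. This is not code from the bug, from NSS or from any DoD tool. It constructs a placeholder private root CA and one leaf certificate it issues, entirely in memory with the Go standard library, then verifies the leaf twice: against an empty trust store, which fails with an unknown-authority error (the untrusted-issuer page the AKO links produced), and against a store into which the root has been added, which succeeds. The certificate names and hostname are constructed placeholders, not the real DoD hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ToyPKI holds a constructed private root CA and one leaf it issued.
// The names are placeholders, not the real DoD certificates.
type ToyPKI struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// LeafHost is the placeholder server name carried by the leaf certificate.
const LeafHost = "portal.example.test"

// NewToyPKI generates the self-signed root and the root-issued leaf
// with fresh ECDSA P-256 keys; nothing touches disk or the network.
func NewToyPKI() (*ToyPKI, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Template and parent are the same object: a self-signed root.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: LeafHost},
		DNSNames:     []string{LeafHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the root's private key, so its chain ends at root.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &ToyPKI{Root: root, Leaf: leaf}, nil
}

// VerifyAgainst validates leaf for host using a trust store holding exactly
// the given roots. With no roots it is an empty store, not the system store,
// which is the state of a client that never installed the private root.
func VerifyAgainst(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r) // "installing the root" through a trusted path
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "issuer not in the trust
// store" failure behind the browser's untrusted-issuer error page.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	p, err := NewToyPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("empty store:   ", VerifyAgainst(p.Leaf, LeafHost))
	fmt.Println("root installed:", VerifyAgainst(p.Leaf, LeafHost, p.Root))
}
```

The second call is the only one that succeeds, and it succeeds only because the root reached the pool by a path the client already trusted (here, program memory), which is the gap comment 13 points at when the root is served over HTTPS from a host whose own certificate chains to that root. For an NSS database the equivalent import is `certutil -A -n "<nickname>" -t "C,," -i rootca.pem -d <dbdir>`; the nickname and database directory are placeholders.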
Updated • 7 years ago
Product: mozilla.org → NSS
Updated • 2 years ago
Product: NSS → CA Program