Closed Bug 208323 Opened 21 years ago Closed 19 years ago

Add DoD root CA

Categories

(CA Program :: CA Certificate Root Program, task)

Platform: x86
OS: All
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: william.jon.mccann, Assigned: hecker)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313

I'm not affiliated with the US Department of Defense but it seems that the DoD
root CA should be trusted in the Mozilla database.

I think that adding this would help mozilla browser acceptance in US government
work.

The Cert. Hierarchy looks like this:

DoD Class 3 Root CA
    DOD Class 3 Email CA-3
         LAST.FIRST.23452762

where the user's name is FIRST LAST.

Reproducible: Always

PSM
Severity: normal → enhancement
Component: Daemon → Client Library
OS: Linux → All
QA Contact: junruh → bmartin
Assignee: ssaux → wchang0222
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: bmartin → bishakhabanerjee
Where does one find this root CA cert?
(In reply to comment #2)
> where does one find this root CA cert?

I think this is the one at

  http://dodpki.c3pki.chamb.disa.mil/rootca.html

But note that this is not a WebTrust-audited CA :-)

Nelson/Wan-Teh: If you'd like I can accept this bug.
Yes, Frank, please take this enhancement request and add it to the list of
candidates for your consideration.  Thanks.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
QA Contact: bishakhabanerjee
Version: unspecified → other
Accepting this bug. My initial comments: The last time I dealt with the issue of
the DoD PKI it was essentially a DoD-internal PKI for the use of U.S. military
personnel (active or retired), DoD civilian employees, DoD contractors, and
(maybe) allied forces (e.g., NATO). It was *not* intended for the use of the
general public (whether U.S. citizens or not), and I'm not aware that members of
the general public would ever be in a situation where they would encounter
SSL-enabled web servers, S/MIME email, or signed code that used DoD-issued
certificates.

Based on that I would consider this an "intranet" CA (albeit for a very large
intranet) and based on my previous "meta-policy" comments I would recommend
*not* including this in Mozilla et al. I'll leave this bug open for a period of
public comments, and then I'll close it with "WONTFIX" unless someone can
provide compelling reasons why I should do otherwise.
Status: NEW → ASSIGNED
Hi Frank,

Thanks for taking this bug.  I opened it after I received a signed email,
certified by this CA, from someone in the DoD.  Anyone ever receiving a signed
email from any one of the groups you mentioned (whether they are in one of those
groups or are, like me, a civilian) would have a use for this addition.
Right, but your argument would apply to any possible private PKI: e.g., if Acme
Widgets sets up an internal PKI to issue email certs to their employees, and
then those employees send email to people outside the company, the recipients
will have an issue if they don't recognize and trust the Acme root CA cert. So
does that mean that the Acme root CA cert should be added to Mozilla et al.?

I don't think so. My position would be that if Acme employees want to use their
certs for external correspondence then they need to work with potential
recipients to ensure that their certs are recognized.
The last part of my argument could apply to any Root CA.  I was merely arguing
against your assertion that the "general public" would have no use for this.

I think it is entirely reasonable to expect and require that the commercial
sector use WebTrust-audited CAs.  The same goes for the private and most of the
public sector.

I am not sure it is reasonable to require that some parts of national
governments, or NATO, or the UN, have a dependency on these external
resources.  I think there is an implicit trust in these bodies.

And then there is the market potential to consider.  If Firefox/Thunderbird Just
Work with DoD web sites and signed emails it makes it that much easier to
promote adoption with anyone working in or with the DoD (a pretty huge market).

Currently, these certs have to be configured on every client on every system
they ever use.  This means that someone has to write documentation for this.
And perform testing.  This is a lot more work than doing nothing.  This means
that by default new browsers won't be supported - as a policy.
William,

The government organizations are in no way required to use the built-in roots of
the Mozilla products. They can install their own roots in their cert database
for internal computers if they like, through trusted means other than
downloading the binaries from mozilla.org.

The problem only exists for interoperability between the internal DoD PKI and
the outside world, primarily for S/MIME e-mails.

This case perhaps needs a different solution, involving cross-certification of
the DoD root CA by one of the public CAs included in Mozilla. Cross-certification
isn't supported currently by NSS/PSM/Mozilla, but is being worked on for NSS.
I'm resolving this bug as WONTFIX. For reasons stated in my previous comments,
it's not clear that the DoD PKI meets our policy requirements as being a CA for
use by the general public or otherwise "[providing] some service relevant to
typical users of our software products" (as the draft certificate policy puts it).

We can revisit this issue later if desired. Note that I'm not averse to
including government CAs in the pre-loaded CA certificate list; it's just that
IMO this is most justifiable in the case of PKI-enabled applications like
secure government communications to/from ordinary citizens (e.g., using S/MIME
email) or government web sites used by ordinary citizens. I don't see this as
the case with the DoD PKI, which to my knowledge is oriented primarily toward
DoD services and agencies, DoD contractors, and those doing business with the
aforementioned groups.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
I would like to see this bug reconsidered.  With the addition of the annoying SSL error page in Firefox 3, it becomes a much greater issue.

From my perspective, all US Army personnel use AKO (Army Knowledge Online).  It is a portal site and includes things like web mail and more that all soldiers must use.  This is a pretty large demographic, and as far as I know the other services have similar sites.
For people unfamiliar with that, it's:

http://www.us.army.mil/ which redirects to:
https://www.us.army.mil/suite/login/welcome.html

which fails instantly.

The second hit is:
http://www.army.mil/ako/
which is a gateway.

The first three primary links fail with the same error for the same reason:
https://www.us.army.mil/
https://webmail.us.army.mil/
https://help.us.army.mil/

Contact information seems to be present here:
http://www.army.mil/ako/ContactForm/index.html

Interestingly, one of those links is:
AKO browser/mail certificate problems
Installing the DoD root certificate <https://help.us.army.mil/cgi-bin/akohd.cfg/php/enduser/std_adp.php?p_faqid=50>

Which is of course blocked.

What is the DoD root certificate, and do I need it?

Question: What is the DoD root certificate, and do I need it?

Answer:
A certificate is a digital document providing the identity of a web site or individuals. The Army Portal uses a certificate to identify itself to its users and to enable secure connections. If you are receiving a warning that this site is untrusted/insecure, you will need to install the "DoD Certificate." To download the DoD Certificates, please go to https://eportal.ctnosc.army.mil/. Enter your AKO username & password. Select the link labeled DoD Root Certificate at the top. Click the link for InstallRoot V2.18.A and save the file to your desktop. After the file has completely downloaded, go to your desktop and follow the directions on the page.

NOTE: This is not a CAC certificate nor does this certificate have any association with a Common Access Card (CAC). This certificate is only used to ensure that the security of the AKO/DKO website is verified by the DoD.

https://eportal.ctnosc.army.mil
fails
https://fportal.ctnosc.army.mil
fails
https://fsso.ctnosc.army.mil
fails

Which has:
NOTE: If you are a Firefox user, click here to download the DoD add-on for CAC authentication. Please read and follow the setup instructions carefully.

https://addons.mozilla.org/en-US/firefox/addon/3182

This is *VERY* strange. It took me around 4-5 exemptions and probably 15-20 clicks in order to get to this point. And by now if I was actually being phished, I'd have accepted someone's root CA blindly.

For reference, the official bits seem to come from:
http://dodpki.c3pki.chamb.disa.mil/
http://dodpki.c3pki.chamb.disa.mil/rootca.html

And require JavaScript enabled (I'm using NoScript and one time temporary grants in order to navigate this maze).

I think someone should contact them and ask. This whole experience is strange, but it should be noted that right now they're clearly trying to reconfigure Firefox beyond merely adding a CA certificate.

One further note: the addon has a prelicense which claims to be GPL, I can't figure out why.
Making a root CA cert available for download ONLY from an https (SSL) server
whose own cert depends on that same root CA cert is just silly.
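The two practical points raised in this thread are that a root not shipped with the browser "has to be configured on every client on every system" and that a root offered for download only from an HTTPS server whose certificate chains to that same root gives a fresh client nothing to verify it against. The script below is an added example written for this page, not code from the bug, Mozilla or DISA. It assumes only the openssl command-line tool and builds a throwaway three-level hierarchy shaped like the reporter's (root, "Email CA" intermediate, user cert) with constructed names and freshly generated keys; nothing in it is the real DoD PKI. It then verifies the same user certificate with and without the root in the trust store, and shows the out-of-band fingerprint comparison a client should perform before importing a root it fetched from the network.

```shell
#!/bin/sh
# Added example (not from the bug or any DoD/Mozilla code): a throwaway
# root -> issuing CA -> user-cert hierarchy, chain verification with and
# without the root as a trust anchor, and a fingerprint gate before import.
# All names, keys and files are generated locally for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate root, intermediate ("Email CA") and user certificates. Every CA
# carries basicConstraints CA:TRUE and keyCertSign, which verifiers require
# for each CA in the chain; the user cert is explicitly CA:FALSE. Runs in a
# subshell so the cd does not leak into the caller.
build_hierarchy() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=emailProtection\n' > user.ext

    # Self-signed root: the trust anchor a client must be configured with.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Class 3 Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null

    # Intermediate issuing CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout email-ca.key -out email-ca.csr \
        -subj "/CN=Example Class 3 Email CA-3" 2>/dev/null
    openssl x509 -req -in email-ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out email-ca.pem 2>/dev/null

    # End-entity S/MIME certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
        -subj "/CN=LAST.FIRST.0000000000" 2>/dev/null
    openssl x509 -req -in user.csr -CA email-ca.pem -CAkey email-ca.key -CAcreateserial \
        -days 30 -sha256 -extfile user.ext -out user.pem 2>/dev/null
)

# Chain building with the intermediate supplied as untrusted and no root in
# the store: what every client sees before the root has been installed.
verify_without_root() {
    if openssl verify -no-CAfile -no-CApath -untrusted "$WORK/email-ca.pem" \
            "$WORK/user.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Same certificate and chain, root supplied as a trust anchor: the only thing
# that changed is the client's trust store.
verify_with_root() {
    if openssl verify -no-CApath -CAfile "$WORK/root.pem" \
            -untrusted "$WORK/email-ca.pem" "$WORK/user.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# SHA-256 fingerprint of the root in the colon-separated form CAs publish.
root_fingerprint() {
    openssl x509 -in "$WORK/root.pem" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import gate: accept a downloaded root only if its fingerprint equals the
# value ($1) obtained through a channel that does not depend on that root
# (a printed document, a server whose certificate chains elsewhere). A root
# fetched over HTTPS from a server signed by that very root cannot be
# checked this way, which is the objection in the last comment above.
check_root_matches() {
    [ "$(root_fingerprint)" = "$1" ]
}

build_hierarchy
echo "root fingerprint:      $(root_fingerprint)"
echo "without root in store: $(verify_without_root)"   # untrusted
echo "with root in store:    $(verify_with_root)"      # trusted
# Once the fingerprint check passes, each client imports the root by hand,
# e.g. into an NSS database (the per-client step the thread complains about):
#   certutil -A -d "$HOME/.pki/nssdb" -n "Example Class 3 Root CA" -t "C,C,C" -i "$WORK/root.pem"
```

The verification calls pass the intermediate with `-untrusted` on purpose: an S/MIME message or TLS handshake delivers intermediates, but it can never deliver trust, so the outcome flips solely on whether the root is in the store. The fingerprint gate is the minimum a user should do before clicking through an "accept this CA" dialog; the thread's description of reaching the download page only after several certificate exceptions is exactly the situation in which that check is impossible.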
Product: mozilla.org → NSS
Product: NSS → CA Program