Bug 193894 (Closed): mozilla.org should become a CA, issue personal email certs

Opened 22 years ago; closed 19 years ago
Status: RESOLVED WONTFIX
Product/Component: mozilla.org :: Miscellaneous (task)
Platform: x86, Windows XP
Priority: Not set; Severity: normal
Reporter: adamlock; Assignee: hecker
Mozilla has powerful email features including encryption, signing and authentication capabilities. To promote that capability and drive new users to Mozilla, there should be a service on mozilla.org that hands out certificates for personal email use with the minimum of fuss. Mozilla could integrate with this service such that the user is asked when they create a mail/news account if they want a cert. Existing CAs such as Verisign, Thawte etc. are not convenient, are extremely hard to find, laden with confusing jargon, require personal details and even money before they will issue a cert. And the cert expires in 6 months or 12 months, requiring the whole process to be repeated. A glance at the small print shows that the certs are worthless anyway, so this inconvenience and effort is not really justified by the 'trust' they bestow and stops people using these features at all.
1. I don't particularly like S/MIME for email, I think that PGP is more secure (no central CA to mess with), so I don't agree with that "promoting".
2. A certificate which only works with Mozilla (try getting mozilla.org's cert into MSIE / OE / Outlook) is not terribly useful, because receiving clients will issue (overly) scary warnings.
3. Running a CA might have more gotchas than you are aware of, see various slashdot discussions.

If anything, I think there should be an "open-source" CA (operating on a volunteer basis with open-source spirit), but I don't think that mozilla.org is the suitable entity for that. Apart from the fact that mozilla.org is about client software only, it is still legally a department of AOL.
Some thoughts: One does usually want to encrypt when information is intended for a specific person only. Because your data is critical, you must make very sure that you are using a correct certificate, one that really belongs to the intended recipient and not to any other person. Same goes for signatures. To make sure the signature on a message really belongs to the sender, the ownership relationship between certificate and sender must be verifiable.

The behaviour of the organization issuing the CA defines how users will treat the certificates. The very first decision about a CA would have to be: What is the proposed intention of a "Mozilla CA" with regards to the level of trust that end users can assume?

If the certs are simply intended for being able to technically use the features, you don't need a Mozilla CA. For example, there is currently a web service that provides free certificates, but without any checking, without any guarantee. See http://jis.mit.edu/bh/ - I think it's not necessary to have another CA issuing this "low level trust" type of certificates.

If the intention is to provide certs with a higher quality level of trust, then it should be clear that confirming user identities requires a lot of resources. Adam, which level of verification do you suggest, to ensure the key owner is really the person named in the certificate?

For example, Thawte by default only gives you free certs that list nothing but your email address. If you do a "view cert", you'll see only an email address. Even if you believe the address belongs to a certain person, you can not be sure. If you want a certificate that in addition includes your complete name, Thawte only gives out such a certificate after a thorough identity check, involving your passport. (See also the Thawte Web Of Trust.) Other CAs require that you visit them in person to obtain a cert with your name.

Using the services of a CA is a convenience when you have to deal with crypto/signatures. Instead of having to confirm the identities in person, you use the services of a trusted third party. You can use certificate manager to control whether you trust a CA or not. And if trust is not important for you at all, it is technically possible to import black helicopter's root CA.
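The distinction Kai draws, between a cert that binds a key to nothing more than an email address and one that also names a person, and the fact that trust in the issuer is whatever the receiving client's certificate manager grants it, can be checked mechanically on any S/MIME certificate. The following is an added example, not code from this bug thread or from Mozilla. It uses the third-party `cryptography` package, builds two self-signed sample certificates (constructed here for illustration, not real Thawte or CAcert certs), reports what identity each one asserts, and checks whether its issuer is among a caller-supplied set of trusted roots.

```python
"""Inspect what identity an S/MIME certificate actually asserts.

Added example (not from the bug thread). Requires the third-party
`cryptography` package. Both certificates below are constructed
self-signed samples: one lists only an email address (the kind of
free cert the thread describes), the other also carries a person's name.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _make_cert(subject_attrs, email, key):
    """Build a self-signed, email-protection end-entity cert (constructed sample)."""
    name = x509.Name(subject_attrs)
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(key, hashes.SHA256())
    )


def identity_claims(cert):
    """Return the identity the cert asserts: email addresses and any person/org names.

    'email-only' means the cert binds a key to an address and nothing else;
    'named' means the subject also carries a CN or O that a CA would have had
    to verify by some out-of-band process.
    """
    emails = {a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails.update(san.get_values_for_type(x509.RFC822Name))
    except x509.ExtensionNotFound:
        pass
    names = [a.value for a in cert.subject
             if a.oid in (NameOID.COMMON_NAME, NameOID.ORGANIZATION_NAME)]
    return {"emails": sorted(emails), "names": names,
            "level": "named" if names else "email-only"}


def issuer_trusted(cert, trusted_roots):
    """True only if a trusted root's subject matches the issuer AND its key verifies the signature.

    Matching the issuer name alone is not enough: anyone can put a familiar
    name in the issuer field, so the signature must check out against the
    root's public key.
    """
    for root in trusted_roots:
        if root.subject != cert.issuer:
            continue
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False


def describe(cert, trusted_roots):
    """Human-readable summary of what a receiving client could rely on."""
    claims = identity_claims(cert)
    trust = "issuer trusted" if issuer_trusted(cert, trusted_roots) else "issuer NOT trusted"
    return f"{claims['level']}: emails={claims['emails']} names={claims['names']} ({trust})"


# Constructed sample certificates; the email address is a placeholder.
KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
EMAIL_ONLY = _make_cert(
    [x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.org")],
    "alice@example.org", KEY)
NAMED = _make_cert(
    [x509.NameAttribute(NameOID.COMMON_NAME, "Alice Example"),
     x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.org")],
    "alice@example.org", KEY)

if __name__ == "__main__":
    # With an empty trust store (the default for a root nobody has imported)
    # both certs are untrusted; importing the self-signed cert as a root
    # is what "trusting black helicopter's root CA" amounts to.
    for c in (EMAIL_ONLY, NAMED):
        print(describe(c, []))
        print(describe(c, [c]))
```

The `level` value makes Kai's two tiers explicit: an `email-only` result tells the recipient nothing about who controls the address, whatever the issuer's verification policy, while a `named` result is only as good as the identity check the issuer performed before signing.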
Kai, I'm thinking something akin to what Thawte gives out now - essentially a no-guarantees cert to get people up and running, but without the pain and suffering that must put most people off even bothering, even if they knew what Thawte was. The cert would be tied to the email address and mozilla.org wouldn't make any claims about the authenticity or otherwise. For most people this will be just fine, and if someone needs more, well, there are always the commercial services for that.

Ben,
1. I prefer PGP too, but Mozilla still doesn't support it and even if it did, some people would still prefer S/MIME. I suppose if Mozilla ever gets built-in PGP then the UI could ask the user if they want an S/MIME and/or a PGP key during account creation.
2. There is nothing to say Outlook users can't also get certs, but they'd have to go through a webform if necessary rather than let Mozilla submit the details for them. Obviously IE might not recognize mozilla.org as a root CA, but if the idea caught on I don't see why mozilla.org couldn't be added.
3. I'm thinking of one that just hands out certs like candy with big massive disclaimers. I can't think of many other sites in open source land better placed to hand out certs and encourage their adoption.
An interesting idea, but I don't see the Mozilla Foundation having the resources to do this now. Someone would need to appear who was willing to do all the work, develop all the policies, and then we'd have to find resources to support this effort. I just don't see this anywhere in the near future. mitchell
Someone produced http://www.cacert.org/ for this purpose. Perhaps that could be worked in somehow instead. Since raising the bug however, I've been converted to Enigmail (GPG). So I don't consider email certs to be as big a deal as they used to be. As a Netscape employee I just saw the email encryption to be a waste of time since no one except Netscape (+ a handful of other corps) and extremely determined users even bothered with them. With that said, I believe .XPI files *should* be signed. The current situation where untrusted XPI files are the norm isn't acceptable. I don't know how you could remedy this, but handing out certs upon payment of a $100 deposit (non-refundable if the XPI is malicious or the cert must be revoked for other reasons), might be an idea to consider.
CC'ing hecker to see what he thinks about this.
(In reply to comment #6)
> CC'ing hecker to see what he thinks about this.

The short answer is that I don't think having the Mozilla Foundation operate a CA would be a good idea. Operating a CA is a lot of work, and it would be a major distraction from the main work of the Foundation. (Remember, the Foundation has only one full-time person and two part-time people.) The Corporation has more people, but I think operating a CA would be a distraction for them as well. There are also organizations like CAcert.org; CAcert.org has as its mission issuing no-cost certificates, and has a fairly elaborate process for verifying the identity of certificate holders. If CAcert gets to the point where they can be accepted into the default Mozilla root list then I think they might be a good choice for people looking for free email certificates.
--> CA Certificates
Assignee: mitchell → hecker
Component: Miscellaneous → CA Certificates
QA Contact: mitchell
Back to Misc. :/ Frank: Close this if/when you think it won't ever happen.
Component: CA Certificates → Miscellaneous
QA Contact: mitchell
Resolving as WONTFIX. See my previous comment.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX