Closed Bug 193894 Opened 22 years ago Closed 18 years ago

mozilla.org should become a CA, issue personal email certs

Categories

(mozilla.org :: Miscellaneous, task)

x86
Windows XP
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: adamlock, Assigned: hecker)

Details

Mozilla has powerful email features including encryption, signing and
authentication capabilities. To promote that capability and drive new users to
Mozilla, there should be a service on mozilla.org that hands out certificates for
personal email use with the minimum of fuss. Mozilla could integrate with this
service such that the user is asked when they create a mail/news account if they
want a cert.

Existing CAs such as Verisign, Thawte etc. are not convenient, are extremely
hard to find, laden with confusing jargon, require personal details and even
money before they will issue a cert. And the cert expires in 6 months or 12
months requiring the whole process to be repeated. A glance at the small print
shows that the certs are worthless anyway, so this inconvenience and effort is
not really justified by the 'trust' they bestow and stops people using these
features at all.

1. I don't particularly like S/MIME for email, I think that PGP is more secure
(no central CA to mess with), so I don't agree with that "promoting".
2. A certificate which only works with Mozilla (try getting mozilla.org's cert
into MSIE / OE / Outlook) is not terribly useful, because receiving clients will
issue (overly) scary warnings.
3. Running a CA might have more gotchas than you are aware of, see various slashdot
discussions.

If anything, I think there should be an "open-source" CA (operating on volunteer
basis with open-source spirit), but I don't think that mozilla.org is the
suitable entity for that. Apart from the fact that mozilla.org is about client
software only, it is still legally a department of AOL.

Some thoughts:

One does usually want to encrypt when information is intended for a specific
person only.
Because your data is critical, you must make very sure that you are using a
correct certificate that really belongs to the intended recipient, and not to
any other person.

Same goes for signatures. To make sure the signature on a message really belongs
to the sender, the ownership relationship between certificate and sender must be
verifiable.

The behaviour of the organization issuing the CA defines how users will treat
the certificates.

The very first decision about a CA would have to be: What is the proposed
intention of a "Mozilla CA" with regards to the level of trust that end users
can assume?

If the certs are simply intended for being able to technically use the features,
you don't need a Mozilla CA. For example, there is currently a web service that
provides free certificates, but without any checking, without any guarantee. See
http://jis.mit.edu/bh/ - I think it's not necessary to have another CA issuing
this "low level trust" type of certificates.

If the intention is to provide certs with a higher quality level of trust, then
it should be clear that confirming user identities requires a lot of resources.

Adam, which level of verification do you suggest, to ensure the key owner is
really the person named in the certificate?

For example, Thawte by default only gives you free certs that list nothing but
your email address. If you do a "view cert", you'll see only an email address.
Even if you believe the address belongs to a certain person, you cannot be
sure. If you want a certificate that in addition includes your complete name,
Thawte only gives out such a certificate after a thorough identity check,
involving your passport. (See also the Thawte Web Of Trust). Other CAs require
that you visit them in person to obtain a cert with your name.

Using the services of a CA is a convenience when you have to deal with
crypto/signatures. Instead of having to confirm the identities in person, you
use the services of a trusted third party. You can use certificate manager to
control whether you trust a CA or not. And if trust is not important for you at
all, it is technically possible to import black helicopter's root CA.

Kai, I'm thinking something akin to what Thawte gives out now - essentially a no
guarantees cert to get people up and running but without the pain and suffering
that must put most people off even bothering even if they knew what Thawte was.
The cert would be tied to the email address and mozilla.org wouldn't make any
claims about the authenticity or otherwise. For most people this will be just
fine and if someone needs more, well there are always the commercial services
for that.

Ben,

1. I prefer PGP too, but Mozilla still doesn't support it and even if it did,
some people would still prefer S/MIME. I suppose if Mozilla ever gets built-in
PGP then the UI could ask the user if they want an S/MIME and/or a PGP key
during account creation.
2. There is nothing to say Outlook users can't also get certs, but they'd have
to go through a webform if necessary rather than let Mozilla submit the details
for them. Obviously IE might not recognize mozilla.org as a root CA but if the
idea caught on I don't see why mozilla.org couldn't be added.
3. I'm thinking of one that just hands out certs like candy with big massive
disclaimers. I can't think of many other sites in open source land better placed
to hand out certs and encourage their adoption.

An interesting idea, but I don't see the Mozilla Foundation having the resources
to do this now. Someone would need to appear who was willing to do all the
work, develop all the policies and then we'd have to find resources to support
this effort. I just don't see this anywhere in the near future.

mitchell

Someone produced http://www.cacert.org/ for this purpose. Perhaps that could be
worked in somehow instead.

Since raising the bug however, I've been converted to Enigmail (GPG). So I don't
consider email certs to be as big a deal as they used to be. As a Netscape
employee I just saw the email encryption to be a waste of time since no one
except Netscape (+ a handful of other corps) and extremely determined users even
bothered with them.

With that said, I believe .XPI files *should* be signed. The current situation
where untrusted XPI files are the norm isn't acceptable. I don't know how you
could remedy this, but handing out certs upon payment of a $100 deposit
(non-refundable if the XPI is malicious or the cert must be revoked for other
reasons), might be an idea to consider.

CC'ing hecker to see what he thinks about this.

(In reply to comment #6)
> CC'ing hecker to see what he thinks about this.

The short answer is that I don't think having the Mozilla Foundation operate a CA would be a good idea. Operating a CA is a lot of work, and it would be a major distraction from the main work of the Foundation. (Remember, the Foundation has only one full-time person and two part-time people.) The Corporation has more people, but I think operating a CA would be a distraction for them as well.

There are also organizations like CAcert.org; CAcert.org has as its mission issuing no-cost certificates, and has a fairly elaborate process for verifying the identity of certificate holders. If CAcert gets to the point where they can be accepted into the default Mozilla root list then I think they might be a good choice for people looking for free email certificates.

--> CA Certificates
Assignee: mitchell → hecker
Component: Miscellaneous → CA Certificates
QA Contact: mitchell

Back to Misc. :/

Frank: Close this if/when you think it won't ever happen.
Component: CA Certificates → Miscellaneous
QA Contact: mitchell

Resolving as WONTFIX. See my previous comment.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX