User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313

I'm not affiliated with the US Department of Defense but it seems that the DoD root CA should be trusted in the Mozilla database. I think that adding this would help mozilla browser acceptance in US government work.

The Cert. Hierarchy looks like this:

    DoD Class 3 Root CA
      DOD Class 3 Email CA-3
        LAST.FIRST.23452762

where the user's name is FIRST LAST.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
where does one find this root CA cert?
(In reply to comment #2)
> where does one find this root CA cert?

I think this is the one at http://dodpki.c3pki.chamb.disa.mil/rootca.html

But note that this is not a WebTrust-audited CA :-)

Nelson/Wan-Teh: If you'd like I can accept this bug.
Yes, Frank, please take this enhancement request and add it to the list of candidates for your consideration. Thanks.
Accepting this bug. My initial comments: The last time I dealt with the issue of the DoD PKI it was essentially a DoD-internal PKI for the use of U.S. military personnel (active or retired), DoD civilian employees, DoD contractors, and (maybe) allied forces (e.g., NATO). It was *not* intended for the use of the general public (whether U.S. citizens or not), and I'm not aware that members of the general public would ever be in a situation where they would encounter SSL-enabled web servers, S/MIME email, or signed code that used DoD-issued certificates. Based on that I would consider this an "intranet" CA (albeit for a very large intranet) and based on my previous "meta-policy" comments I would recommend *not* including this in Mozilla et al. I'll leave this bug open for a period of public comments, and then I'll close it with "WONTFIX" unless someone can provide compelling reasons why I should do otherwise.
Hi Frank, Thanks for taking this bug. I opened it after I received a signed email, certified by this CA, from someone in the DoD. Anyone ever receiving a signed email from any one of the groups you mentioned (whether they are in one of those groups or are, like me, a civilian) would have a use for this addition.
Right, but your argument would apply to any possible private PKI: e.g., if Acme Widgets sets up an internal PKI to issue email certs to their employees, and then those employees send email to people outside the company, the recipients will have an issue if they don't recognize and trust the Acme root CA cert. So does that mean that the Acme root CA cert should be added to Mozilla et al.? I don't think so. My position would be that if Acme employees want to use their certs for external correspondence then they need to work with potential recipients to ensure that their certs are recognized.
The last part of my argument could apply to any Root CA. I was merely arguing against your assertion that the "general public" would have no use for this. I think it is entirely reasonable to expect and require that the commercial sector use WebTrust-audited CAs. The same goes for the private and most of the public sector. I am not sure it is reasonable to require that some parts of national governments, or NATO, or the UN, have a dependency on these external resources. I think there is an implicit trust in these bodies. And then there is the market potential to consider. If Firefox/Thunderbird Just Work with DoD web sites and signed emails it makes it that much easier to promote adoption with anyone working in or with the DoD (a pretty huge market). Currently, these certs have to be configured on every client on every system they ever use. This means that someone has to write documentation for this. And perform testing. This is a lot more work than doing nothing. This means that by default new browsers won't be supported - as a policy.
William, the government organizations are in no way required to use the built-in roots of the Mozilla products. They can install their own roots in their cert database for internal computers if they like, through trusted means other than downloading the binaries from mozilla.org. The problem only exists for interoperability between the internal DoD PKI and the outside world, primarily for S/MIME e-mails. This case perhaps needs a different solution, involving cross-certification of the DoD root CA by one of the public CAs included in Mozilla. Cross-certification isn't supported currently by NSS/PSM/Mozilla, but is being worked on for NSS.
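The interoperability problem described in this thread (a signed S/MIME message from the hierarchy in comment #1 cannot be verified unless the recipient trusts the DoD root) and the cross-certification remedy proposed in the comment above can both be shown with a small chain-building exercise. The following is an added example, not code from this bug or from NSS/PSM: it generates throwaway ECDSA keys and certificates that reuse the names from the bug report, runs a simplified path builder over three trust-store configurations, and assumes only the `cryptography` package. Every key, serial number and the "Public Root CA" name are constructed for the example.

```python
"""Why a root outside the trust store breaks verification, and how a
cross-certificate repairs it.  Constructed example: all keys and certificates
are generated locally and merely reuse the names from the bug report
(DoD Class 3 Root CA -> DOD Class 3 Email CA-3 -> LAST.FIRST.23452762)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a minimal X.509 certificate.  A cross-certificate is exactly this
    call with another CA as issuer and an existing root's key as subject."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _der(cert):
    return cert.public_bytes(serialization.Encoding.DER)


def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature (ECDSA keys only here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _time_valid(cert, now):
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb <= now <= cert.not_valid_after_utc
    # cryptography < 42 only exposes naive UTC datetimes
    return cert.not_valid_before <= now.replace(tzinfo=None) <= cert.not_valid_after


def build_path(leaf, intermediates, trust_anchors, now=None):
    """Simplified RFC 5280 path building: follow issuer links from the leaf
    until a certificate signed by a trust anchor is reached.  Returns the
    subject CNs on the path (leaf first, anchor last) or None if none exists."""
    now = now or datetime.datetime.now(UTC)

    def walk(cert, path, visited):
        if not _time_valid(cert, now):
            return None
        for anchor in trust_anchors:
            if anchor.subject == cert.issuer and _signed_by(cert, anchor):
                return path + [_cn(anchor)]
        for cand in intermediates:
            if _der(cand) in visited or cand.subject != cert.issuer:
                continue
            if _is_ca(cand) and _signed_by(cert, cand):
                found = walk(cand, path + [_cn(cand)], visited | {_der(cand)})
                if found:
                    return found
        return None

    return walk(leaf, [_cn(leaf)], {_der(leaf)})


def demo():
    """Three recipient configurations for the hierarchy named in the bug report."""
    dod_root_key, email_ca_key, user_key, public_root_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    dod_root = make_cert("DoD Class 3 Root CA", dod_root_key, "DoD Class 3 Root CA", dod_root_key, True)
    email_ca = make_cert("DOD Class 3 Email CA-3", email_ca_key, "DoD Class 3 Root CA", dod_root_key, True)
    user = make_cert("LAST.FIRST.23452762", user_key, "DOD Class 3 Email CA-3", email_ca_key, False)
    public_root = make_cert("Public Root CA", public_root_key, "Public Root CA", public_root_key, True)
    # Cross-certificate: the public root vouches for the DoD root's key under the DoD root's name.
    cross = make_cert("DoD Class 3 Root CA", dod_root_key, "Public Root CA", public_root_key, True)
    return {
        # 1. Recipient only trusts the public root: the signer's chain dangles, even with the DoD root attached.
        "public_root_only": build_path(user, [email_ca, dod_root], [public_root]),
        # 2. Recipient imported the DoD root by hand (or it ships in the trust store).
        "dod_root_trusted": build_path(user, [email_ca], [dod_root]),
        # 3. Same recipient as 1, but the cross-certificate travels with the message.
        "cross_certified": build_path(user, [email_ca, cross], [public_root]),
    }


if __name__ == "__main__":
    for scenario, path in demo().items():
        print(f"{scenario}: {' -> '.join(path) if path else 'NO TRUSTED PATH'}")
```

Scenario 1 is the situation the reporter hit: shipping the DoD root alongside the message does not help, because a self-signed certificate that is not already a trust anchor proves nothing. Scenario 3 is the remedy sketched in the comment above: the DoD root's key reappears as a subject under a root the recipient already trusts, so the existing chain verifies without any change on the client.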
I'm resolving this bug as WONTFIX. For reasons stated in my previous comments, it's not clear that the DoD PKI meets our policy requirements as being a CA for use by the general public or otherwise "[providing] some service relevant to typical users of our software products" (as the draft certificate policy puts it). We can revisit this issue later if desired. Note that I'm not averse to including government CAs in the pre-loaded CA certificate list; it's just that IMO this is most justifiable in the case of PKI-enabled applications like secure government communications to/from ordinary citizens (e.g., using S/MIME email) or government web sites used by ordinary citizens. I don't see this as the case with the DoD PKI, which to my knowledge is oriented primarily toward DoD services and agencies, DoD contractors, and those doing business with the aforementioned groups.
I would like to see this bug reconsidered. With the addition of the annoying SSL error page in Firefox 3, it becomes a much greater issue. From my perspective, all US Army personnel use AKO (Army Knowledge Online). It is a portal site and includes things like web mail and more that all soldiers must use. This is a pretty large demographic, and as far as I know the other services have similar sites.
Making a root CA cert available for download ONLY from an https (SSL) server whose own cert depends on that same root CA cert is just silly.