233458 - Add my root CA cert to mozilla's trusted root CA cert list

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[Nelson Bolyard (seldom reads bugmail)]

I want the root CA cert for my forthcoming public FREE CA service to be 
added to mozilla's list of trusted root CAs.

Among the open sources of NSS, mozilla's crypto security services package, 
is the source to certcgi, a program that implements a root CA server.  
It runs as a CGI script in any ordinary http server that supports cgi.  

A user visits the web page, types in all the info about the names and 
extensions he wants in the certificate, and clicks a button.  His hrowser
generates a key pair, and the CGI program generates and signs the cert, 
signed by the root CA's private key, and downloads it to the browser
immediately.  A user can generate SSL server certs, SMIME email certs, 
and/or object signing certs (for signing code downloads) with this.

I have devised a prototype CA server, based on this software.  

I propose to operate that CA server publicly.  
It will be named free.freefreefreecerts.<something> (haven't decided the TLD).
It will be open to anyone with a browser.  
It will be free Free FREE to use.  (Did I mention that it's FREE?)
It will be not-for-profit.  (How could it make a profit?  It's FREE)
It will not generate or receive any email.
It will not keep any log files, or copies of the certs issued or cert
requests received.  
It will be based on mozilla's own open source software.
It will operate on an old 750 Mhz PC, in a spare bedroom somewhere, using a
cable modem for connectivity.  
It will be accessible as long as 
  - I pay the electric bill and the cable bill, 
  - the cable doesn't go out again, 
  - the dogs don't chew the cords, and 
  - my wife doesn't decide to turn the bedroom into a sewing room.
It will NOT feature any revocation, and will not offer CRLs or OCSP.
It will use a 1024-bit RSA key.  
It will store the private keys in an encrypted key3.db file, and the 
password for that file will be "test".
In the interest of full disclosure, the web server will also run a CGI 
that allows anyone to download ANY file on the local PC's hard drive.  

It's free Free FREE.  And low cost, too!  Did I mention not-for-profit?

Mozilla Foundations's stated criteria for including a root CA cert,
as given in http://bugzilla.mozilla.org/show_bug.cgi?id=215243#c14 are

> MF requires all CAs
>  (a) be root CAs;
>  (b) offer services to the general public;
>  (c) provide public info about CA and
>  (d) its policies and procedures.
> MF may in addition include root CAs that do not provide services to
> the general public (e.g., for an intranet customer).
> MF won't distribute non-CA-certs (e.g., self-signed web server certs). 

free.freefreefreecerts.<something> will meet all those criteria.  
I've stated the public info about the policies and procedures above.

It's FREE!  It uses mozilla source code?  How can mozilla say no?

If you think my CA doesn't qualify, please tell me which selection 
criteria it didn't meet.

Comment 1

[Duane]

I doubt anyone disagrees with the suggestions you pointed out in #233453...

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

This bug is obviously a test case (a "negative test case" in the jargon) 
for the policy of bug 233453.  

But it should not be easily dismissed.  I'm willing, as the CA principal,
to change any aspect of the freefreefreecerts CA, up to and including
relocating it to another country, to adjust to meet the evolving mozilla
requirements.  

certcgi is real.  You can see the common left frame of the page here:
http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/index.html

and most of the various alternativve right frames of the page here:
http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/main.html
http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/ca_form.html

and the source code here:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/cmd/certcgi/certcgi.c

Comment 3

[Duane]

Ok, since this is the "test" CA, lets start applying your own criteria, and at 
least one thing that immediately spring to mind...

On your death or incapacitation there would be no garentee your CA would 
continue to operate and your nephew could inherite the root certificate.

Comment 4

[David E. Ross]

I would not ask Mozilla users to trust this (or any other certificate authority)
without some assurance (beyond self assertions) that its practices do indeed
meet the standards generally advocated for CAs.    

In this case, the CA does not verify the identity of those obtaining
certificates signed by the CA's root certificate.  This opens the door for all
kinds of fraud.  The Mozilla Foundation, herein notified of this risk, would
thus assume liability for damages to any naive user who is victimized as a result.  

This illustrates the need for a clear policy as requested in bug #233453.  

Comment 5

[Gervase Markham [:gerv]]

Nelson: while this bug report makes me smile every time I read it, and perhaps it should remain open for that reason alone, do you feel that your concerns have been addressed by the CA Certificate Policy version 1.0?
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
After all, these criteria are more stringent than those you quote which Frank gave in his original email, and they do require an audit.

If so, perhaps we can resolve this bug as WONTFIX, and free.freefreefreecerts.<something> can go quietly to the grave, having served its purpose. :-)

Gerv

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

Yes, please do resolve this WONTFIX.  I'm pleased to see this day come.
Mozilla's new (?) cert policy is doing the job (and so are you!, thanks).

Comment 7

[Gervase Markham [:gerv]]

Resolving WONTFIX at request of reporter.

Gerv

Comment 8

[Ben Bucksch (:BenB)]

Nelson, I think you'll have better chance being a Comodo "RA" / "partner", see bug 470897, bug 642395 etc..