I want the root CA cert for my forthcoming public FREE CA service to be added to mozilla's list of trusted root CAs. Among the open sources of NSS, mozilla's crypto security services package, is the source to certcgi, a program that implements a root CA server. It runs as a CGI script in any ordinary http server that supports cgi. A user visits the web page, types in all the info about the names and extensions he wants in the certificate, and clicks a button. His hrowser generates a key pair, and the CGI program generates and signs the cert, signed by the root CA's private key, and downloads it to the browser immediately. A user can generate SSL server certs, SMIME email certs, and/or object signing certs (for signing code downloads) with this. I have devised a prototype CA server, based on this software. I propose to operate that CA server publicly. It will be named free.freefreefreecerts.<something> (haven't decided the TLD). It will be open to anyone with a browser. It will be free Free FREE to use. (Did I mention that it's FREE?) It will be not-for-profit. (How could it make a profit? It's FREE) It will not generate or receive any email. It will not keep any log files, or copies of the certs issued or cert requests received. It will be based on mozilla's own open source software. It will operate on an old 750 Mhz PC, in a spare bedroom somewhere, using a cable modem for connectivity. It will be accessible as long as - I pay the electric bill and the cable bill, - the cable doesn't go out again, - the dogs don't chew the cords, and - my wife doesn't decide to turn the bedroom into a sewing room. It will NOT feature any revocation, and will not offer CRLs or OCSP. It will use a 1024-bit RSA key. It will store the private keys in an encrypted key3.db file, and the password for that file will be "test". In the interest of full disclosure, the web server will also run a CGI that allows anyone to download ANY file on the local PC's hard drive. It's free Free FREE. And low cost, too! Did I mention not-for-profit? Mozilla Foundations's stated criteria for including a root CA cert, as given in http://bugzilla.mozilla.org/show_bug.cgi?id=215243#c14 are > MF requires all CAs > (a) be root CAs; > (b) offer services to the general public; > (c) provide public info about CA and > (d) its policies and procedures. > MF may in addition include root CAs that do not provide services to > the general public (e.g., for an intranet customer). > MF won't distribute non-CA-certs (e.g., self-signed web server certs). free.freefreefreecerts.<something> will meet all those criteria. I've stated the public info about the policies and procedures above. It's FREE! It uses mozilla source code? How can mozilla say no? If you think my CA doesn't qualify, please tell me which selection criteria it didn't meet.
I doubt anyone disagrees with the suggestions you pointed out in #233453...
This bug is obviously a test case (a "negative test case" in the jargon) for the policy of bug 233453. But it should not be easily dismissed. I'm willing, as the CA principal, to change any aspect of the freefreefreecerts CA, up to and including relocating it to another country, to adjust to meet the evolving mozilla requirements. certcgi is real. You can see the common left frame of the page here: http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/index.html and most of the various alternativve right frames of the page here: http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/main.html http://lxr.mozilla.org/mozilla/source/security/nss/cmd/certcgi/ca_form.html and the source code here: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/cmd/certcgi/certcgi.c
Ok, since this is the "test" CA, lets start applying your own criteria, and at least one thing that immediately spring to mind... On your death or incapacitation there would be no garentee your CA would continue to operate and your nephew could inherite the root certificate.
I would not ask Mozilla users to trust this (or any other certificate authority) without some assurance (beyond self assertions) that its practices do indeed meet the standards generally advocated for CAs. In this case, the CA does not verify the identity of those obtaining certificates signed by the CA's root certificate. This opens the door for all kinds of fraud. The Mozilla Foundation, herein notified of this risk, would thus assume liability for damages to any naive user who is victimized as a result. This illustrates the need for a clear policy as requested in bug #233453.
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: 3.9 → other
QA Contact: bishakhabanerjee → ca-certificates
Nelson: while this bug report makes me smile every time I read it, and perhaps it should remain open for that reason alone, do you feel that your concerns have been addressed by the CA Certificate Policy version 1.0? http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html After all, these criteria are more stringent than those you quote which Frank gave in his original email, and they do require an audit. If so, perhaps we can resolve this bug as WONTFIX, and free.freefreefreecerts.<something> can go quietly to the grave, having served its purpose. :-) Gerv
Yes, please do resolve this WONTFIX. I'm pleased to see this day come. Mozilla's new (?) cert policy is doing the job (and so are you!, thanks).
Resolving WONTFIX at request of reporter. Gerv
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WONTFIX
Nelson, I think you'll have better chance being a Comodo "RA" / "partner", see bug 470897, bug 642395 etc..
You need to log in before you can comment on or make changes to this bug.