User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 (ax) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 (ax) I'd like to suggest to you, the inclusion of the "Free SSL Certification Authority" offered and run by http://cert.startcom.org/ at your KDE browser. The project is hardly a month old and caused quite some interest and "noise" at some news web sites. The StartCom Free SSL Certificate Project aims to be a viable alternative to commercial 128/256 bit SSL certificates and grows currently by almost 80 issued certificates per day. Efforts are being made, for the natural support by major web browsers of the "Free SSL Certification Authority", but also continued development and improvement of the services and certificates, including verification processes etc. We try to get a market share of 1 % during the first 90 - 120 days, with reaching 3 - 5 % at the end of the year. Reproducible: Always Steps to Reproduce:
Summary: tartCom Free SSL Certicate Authority for Mozilla → StartCom Free SSL Certicate Authority for Mozilla
Assignee: dveditz → kaie
Component: Security → Security: PSM
QA Contact: toolkit
Kai, please feel free to re-assign this bug to me. It seems to be a pretty straightforward request to add a new CA certificate to Mozilla et.al.
Of course I meant Mozilla browser(s) and applications and not *KDE* which I obviously copied from the same request to KDE.org...really sorry for that glitch...
Moving to be with all the other CA requests.
Assignee: kaie → hecker
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
Version: Trunk → other
Accepting this bug. Note that our current policy requires that CAs have completed a WebTrust for CAs audit or equivalent third-party audit. We have a newer policy in draft form, but it's not yet in effect; see http://www.hecker.org/mozilla/ca-certificate-policy for more information.
Status: NEW → ASSIGNED
The CA Policy as available at http://cert.startcom.org/policy.pdf and will change its status from draft to final in the comming weeks. Currently the operation will be under voluntary self control together with a third-party (lawer) statement, confirming this. We make sure, that we confirm to our own policy regarding every aspect and work in accordance to this policy. In the future a qualified independent entity or person might conduct an audit which is adequate for the current nature of this non-profit project.
All policies and relevant papers are published at http://cert.startcom.org/index.php?app=111 Working papers are in preperation for an audit, which will be performed, starting during this summer (2005) and will be published at the same location as above. CA certificates are published at page http://cert.startcom.org/index.php?app=110#auth Details of OCSP service are at page http://cert.startcom.org/index.php?app=110#ocsp CRL's are at: http://cert.startcom.org/crt1-crl.crl http://cert.startcom.org/crt2-crl.crl http://cert.startcom.org/crt3-crl.crl http://cert.startcom.org/ca-crl.crl
Published an additional important document "Evaluation of Microsoft policy compliance - AICPA Audit" (includes also Mozilla). This evaluation is a base for discussion according to topic 12 of Mozilla CA Certificate Policy and a self-audit as outlined in the CA policy. http://cert.startcom.org/msie.htm Comparable ETSI Policy Requirements document is under progress and will be published as well.
Published and renamed "Evaluation of Microsoft and Mozilla policy compliance - AICPA Audit" at http://cert.startcom.org/audit.htm, which is the evaluation and self-audit performed by StartCom. An Independent Accountants Report is confirming the audit, signed by StartCom's laywer (http://cert.startcom.org/img/report.jpg). The published papers might be reason for Mozilla to include and accept the StartCom CA in its software. A third party audit will be performed starting September 2005. The outcome and all relevant papers will be published at the end of the process.
The StartCom Certification Authority underwent a third party audit as required by most software vendors, including Mozilla, based on the AICPA/CICA Webtrust for Certification Authorities Criteria. Information of the signed audit is available at http://cert.startcom.org/audit.pdf and as such we request to get approved for inclusion in all Mozilla software.
I've updated <URL:http://www.hecker.org/mozilla/ca-certificate-list> to reflect the updated StartCom information. I'm now going through the version 1.1 of the certificate policy/CPS.
This bug is still open! Could you please approve the StartCom CA and integrate the StartCom CA Root within the Mozilla Software?
My apologies for the delay in getting to this bug. I updated my list at <http://www.hecker.org/mozilla/ca-certificate-list> to note that the current versions of the root and CA policies are 1.2, dated February 22, 2006. At this point we have enough information to evaluate this CA for inclusion, per the official CA policy at http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html Here are my quick thoughts on StartCom vis-a-vis the policy's requirements: Section 4. I'm not aware of any technical issues with StartCom-issued certificates. If any sees any technical problems with the certs themselves please note it in this bug report. Section 6. StartCom appears to provide a service relevant to Mozilla users: It issues no-charge certificates for SSL server use as well an personal email certificates. Policies are documented in the overall policy document and intermediate CA document published on the StartCom site and listed in the ca-certificate-list page referenced above. Section 7. StartCom appears to meet the minimum requirements for subscriber verification: For class 1 personal certificates Startcom verifies that the entity submitting the request controls the email account associated with the email address referenced in the certificate. (See page 16 of the policy document.) For class 1 SSL server certificates StartCom verifies domain control by sending an email to one of the standard addresses (webmaster@domain, etc.) associated with the domain. (See page 15 of the policy document.) StartCom also issues class 2 personal and server certs, with additional verification required. StartCom does not currently issue code signing certs. Section 8-10. StartCom has successfully completed an independent audit using the WebTrust for CAs criteria. The auditors were We! Consulting. Section 13. StartCom has multiple intermediate CAs under a single root. Class 1 certificates are issued under different intermediates than class 2, etc. Other: StartCom issues CRLs (on a 12-hour schedule) and also has an OCSP responder. Some open questions: 1. Given the obvious possibility of StartCom's service being used to obtain free SSL certs for phishing sites, what is StartCom's strategy to deal with possible fraudulent use of the service? Is it limited to certificate revocation based on reports of possible fraud, or are other measures in place or planned? 2. StartCom doesn't appear to have an official WebTrust seal. why? 3. CRL publication is on a 12-hour schedule. Is the OCSP responder's data from the CRLs (and thus might be up to 12 hours old) or is it more up-to-date? I'm opening up a period of public discussion of this request. I'll post on the mozilla.dev.tech.crypto newsgroup to start the discussion.
I just wanted to say that I've used startcom's free ssl certs for over a year, and have found eddy and company to be extrememly helpful and patient. They have responded quickly to any question I've had. When I've needed a cert revoked, due to an updated distro (and poor backups on my part), they've taken care of this very quickly, too. They have a good forum for answers, respond quickly to emails, and you can even 'skype' them if the need is there. Thanks Eddy & startcom for a great product! John F. Godfrey, Pastor Valley Christian Center
(In reply to comment #12) > > Some open questions: > > 1. Given the obvious possibility of StartCom's service being used to obtain > free SSL certs for phishing sites, what is StartCom's strategy to deal with > possible fraudulent use of the service? Is it limited to certificate revocation > based on reports of possible fraud, or are other measures in place or planned? > The pricing policy of StartCom, and the fact that certain products and certificates are provided free of chare, is not relevant to the question above. The validation of certificates is a function of the controls, verification procedures and validation in place, not the cost of the certificate. Example: In the past we used to issue Class 2 certificates without charging any fees (and we might do so again in the future). Did this change the validity of the certificates issued? Or were the certificates issued according to a certain criteria and procedure, in this case according to our definition of Class 2? StartCom conforms or exceeds to the minimum requirements of the Mozilla CA Certificate Policy section 7, even in the free Class 1 settings. So the question about fraudulent use affects any Certification Authority which provides "so called" domain validated certification and is not unique to StartCom. With the exception of domain validation, StartCom has additional measures in place to minimize the risk of misuse and fraud: * The StartCom CA and the process of certificate issuance are constantly monitored. * The process of certificate issuance may, under certain circumstances, be stopped manually or automatically. At that point, the request requires manual intervention and review by StartCom personnel. Additional information might be requested and any verification procedure implemented (Similar to Class 2 verification). Any certificate request in the Class 1 settings can get "flagged" for such a human review. * All certificate details are reviewed by StartCom personnel and additional information may be requested from the certificate holder. If in doubt, the certificate could get revoked immediately. * Random visits of the web sites are performed by StartCom to detect fraudulent sites. * Fraudulent websites, as well as sites that damage the reputation of the CA may be reported to the proper authorities and prosecuted to the full-extent of the law. > 2. StartCom doesn't appear to have an official WebTrust seal. why? > A third party audit was performed by the "We! Consulting Group", which is a respected solution and consulting provider in Israel, with great expertise in Public Key Infrastructure solutions and renowned costumers. The audit performed was based on the AICPA/CICA Webtrust for Certification Authorities Criteria and confirmed as such. However the We! Consulting Group is not a licensed WebTrust provider. > 3. CRL publication is on a 12-hour schedule. Is the OCSP responder's data from > the CRLs (and thus might be up to 12 hours old) or is it more up-to-date? > In practice CRL's get updated every 12 hours or when a certificate is revoked, especially when the revoked certificate is suspected to fall under any of the following conditions. These include, but are not limited to (according to the StartCom CA policy): * The subscriber’s private key is lost or suspected to be compromised * The information in the subscriber’s certificate is suspected to be inaccurate * The information supplied may be misleading (ex. paypa1.com, micr0soft.com) * The subject has failed to comply with the rules in this policy * The system to which the certificate has been issued has been retired * The subscriber makes a request for revocation * The subscriber violated his/her obligations The OCSP responder checks for changes on the CRL's every ten minutes and reloads all CRL's ever hour. Therefore OCSP responce of a revoked certificate is within ten minutes the most. > I'm opening up a period of public discussion of this request. I'll post on the > mozilla.dev.tech.crypto newsgroup to start the discussion. Hope this helps!
I posted my somewhat lengthy analysis in the <news://news.mozilla.org:119/mozilla.dev.tech.crypto> newsgroup, in the "StartCom CA inclusion request" thread.
Eddy, thanks for your reply. I have at least one other question, as noted below. (In reply to comment #14) > A third party audit was performed by the "We! Consulting Group", which is a > respected solution and consulting provider in Israel, with great expertise > in Public Key Infrastructure solutions and renowned costumers. The audit > performed was based on the AICPA/CICA Webtrust for Certification Authorities > Criteria and confirmed as such. However the We! Consulting Group is not a > licensed WebTrust provider. Could you point us to relevant public documentation in English demonstrating We! Consulting's expertise in information security audits and evaluations and CA and PKI issues in particular? Their web site <http://www.we-can.co.il/> is in Hebrew, and I can't find an English version; also Google was not helpful in terms of turning up third-party references to We! Consulting (e.g., news stories, case studies, etc.). Given that We! Consulting is not an authorized WebTrust auditor we need something else to give us confidence that they're competent to perform an audit against the WebTrust criteria (or similar criteria, for that matter).
(In reply to comment #16) > > Could you point us to relevant public documentation in English demonstrating > We! Consulting's expertise in information security audits and evaluations and > CA and PKI issues in particular? This information is not publicly accessible by the Internet. I'll forward all relevant and available information to you.
Thanks to Tsahi Asher I have more info on We! Consulting. The page http://www.we-can.co.il//heb/pagesContent/content.aspx?pageID=3&Scroll=true (in Hebrew) mentions some of We!'s customers for which they've done security-related work; they include two banks, two cellphone companies (including Orange), a food company, an insurance company, an academic institute, and Tower Semiconductor. Apparently We! has done deployment of PKI implementations (including CA deployment), auditing of existing PKI deployments, and provided consulting support to assist enterprises operating CAs in operating according to relevant standards and guidelines. So I think that we can accept We! Consulting Group as being an independent and competent third party evaluator as required by the CA certificate policy.
Based on the information I have thus far, I'm approving inclusion of the StartCom CA root certificate in NSS/Mozilla. I'll now go off and file a bug against NSS for the actual work.
Frank filed bug Bug 338552 to fulfil this request, and it was completed in mid 2006. So I am marking this request resolved/fixed. Subsequent to this request, another request has been made to include an additional startcom CA cert. That is the subject of bug 362304.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.