Closed Bug 371958 Opened 17 years ago Closed 3 years ago

Support for MULTIPKI platforms

Categories

(Thunderbird :: General, enhancement)

x86
All
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: gpastor, Unassigned)

References

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Build Identifier: 1.5

We have developed an extension of Thunderbird to support the multiPKI validation of digital certificates. Our work is sponsored by the Ministerio de Administraciones Publicas (www.map.es) of Spain.
The intention of this bug is to promote the extension to an integrated component of the Thunderbird application, or at least to look into the possibility that the extension will be maintained by Mozilla.

We have made contact with Pascal Chevrel, who has recommended that we open this bug.
We have also notified Franck Hecker and Paul Kim of this topic.
Cc'ing a security expert for his input.

Can you give us a url for the extension, or attach it here, so we can see the source?
Status: UNCONFIRMED → NEW
Ever confirmed: true
No idea what MULTIPKI is, but IF it is (or contains) a separate implementation of the crypto libraries (ciphers, hashes, key establishment algorithms, etc.), then incorporating it would cost mozilla clients their FIPS 140 compliance validation. That would cause mozilla to be excluded from use in the governments of several countries. How many users will MULTIPKI bring to offset that?
Let us remark on some of the features again, and please consider adopting this extension as a supported functionality of Mozilla products.

First of all, the two main capabilities of the extensions are:

a) On-line validation of certificates (valid, revoked, out of date, etc) and email messages time-stamping against a TSA.
b) To enable the use of a) services with the Spanish Identity Card (http://www.dnielectronico.es) 


Our extensions don't make any modification of standards. We extend the current OCSP validation provided by Mozilla and we offer a new standard solution for validation via web services (WS). Let us explain it.

MULTIPKI is a middleware that validates digital certificates against several CAs. In Spain, as well as in other countries, there are several legal CAs. Any digital certificate generated by any of these CAs is valid and legal as the digital identity of any Spanish citizen or enterprise. The problem arises when some interaction with the government is required using such certificates, because there is no way to discriminate which CA must be used in turn.

The MultiPKI platform is a middleware that unifies the validation, sign, TSA, ... operations. Traditionally, if we want to validate a given certificate, we can only do it using an OCSP validation against a given CA. This implies that we must have configured an OCSP responder for each CA. This is the traditional "singlePKI" schema.

What "multiPKI" schema offers is two ways of certificates validation:

1) we can make an OCSP responder call against multiPKI and it routes the query to the appropriate CA (which is registered as a valid one in the multiPKI platform) (no user interaction nor configuration is required)

2) we can make a WS request against the multiPKI and it (again) routes the request to the adequate CA. (idem)

So with this schema we make it possible to validate a certificate without keeping in mind which source it has (validation is delegated to the platform and the platform is the only point of configuration). Besides this, we offer a standard WS calling method in order to access such validation, not only in the OCSP manner.

WS validation is a new but emerging initiative in Europe and there is no standard at all. We propose such a standard and we want Mozilla to bet on it.

On the other hand, in the short term what we want is for Mozilla to adopt this extension and promote it so that, in the near future, it would be included as a capability supported by Mozilla products.

We hope that this explanation could clarify the intentions of our projects.
Please, give us any clue about how to proceed in order to get the objective of your sponsorship.
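
The routing in option 1 of the comment above, as an added example that is not part of the original bug report or of the MultiPKI code: a single endpoint reads the CertID of an incoming OCSP request and forwards it only to the responder of a registered CA. It assumes the lookup is keyed on the SHA-1 issuerNameHash/issuerKeyHash pair of RFC 6960; the function names, issuer values and URLs are constructed for illustration.

```python
import hashlib

SHA1_OID = bytes.fromhex("06052b0e03021a")  # DER OID 1.3.14.3.2.26 (SHA-1)
def sha1(data):
    return hashlib.sha1(data).digest()

def read_tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def cert_id(ocsp_request):
    """Return (issuerNameHash, issuerKeyHash, serial) of the first Request."""
    _, tbs, _ = read_tlv(read_tlv(ocsp_request)[1])  # OCSPRequest -> tbsRequest
    pos, tag = 0, None
    while tag != 0x30:  # skip optional [0] version / [1] requestorName
        tag, req_list, pos = read_tlv(tbs, pos)
    _, cid, _ = read_tlv(read_tlv(req_list)[1])  # Request -> CertID
    _, alg, p = read_tlv(cid)
    if not alg.startswith(SHA1_OID):
        raise ValueError("only SHA-1 CertIDs are supported here")
    _, name_hash, p = read_tlv(cid, p)
    _, key_hash, p = read_tlv(cid, p)
    _, serial, _ = read_tlv(cid, p)
    return name_hash, key_hash, int.from_bytes(serial, "big")

def register(registry, issuer_name_der, issuer_key, url):
    registry[(sha1(issuer_name_der), sha1(issuer_key))] = url

def route(registry, ocsp_request):
    name_hash, key_hash, serial = cert_id(ocsp_request)
    url = registry.get((name_hash, key_hash))
    if url is None:  # fail closed: never forward queries for unregistered CAs
        raise LookupError("issuer is not a registered CA")
    return url, serial

def tlv(tag, body):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_request(issuer_name_der, issuer_key, serial):  # constructed test input
    cid = tlv(0x30, tlv(0x30, SHA1_OID + b"\x05\x00") + tlv(0x04, sha1(issuer_name_der))
              + tlv(0x04, sha1(issuer_key)) + tlv(0x02, bytes([serial])))
    return tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cid))))
```

In a real request the name hash covers the DER-encoded issuer Name and the key hash covers the issuer's public key bits; the placeholder byte strings stand in for both.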
Assignee: mscott → nobody

wontfix per chat.

if there's still interest please file a fresh bug.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX