Bug 481725 - Add validation requirement for wild card certificate to Mozilla CA Policy
Status: RESOLVED FIXED (Closed)
Opened 16 years ago; closed 8 years ago
Categories: CA Program :: CA Certificate Root Program, task
Tracking: (Not tracked)
People: Reporter: eddy_nigg, Assigned: hecker
Attachments (1 file): 1.24 KB, text/plain
Description
Recent discussions at m.d.t.c and some bug entries suggested that there is a higher risk for wild card certificates which could be misused by an attacker. Wild card certificates which are only domain validated are relatively easy to get from trusted CAs which perform domain control validations by automated means. A site with URL https://www.paypal.com.cgi-bin.webscr?cmd=_login-run.site.tld/?some=more&giberrish=to&confuse=the&user would raise no warning with such a certificate and a user can be easily fooled.
Issuance of domain validated wild card certificates has been on the Problematic Practices page at https://wiki.mozilla.org/CA:Problematic_Practices for a while. This bug is about a change to the Mozilla CA policy by making identity and/or organization validation a requirement for CAs which issue wild card certificates, similar to the requirements for code signing certificates mentioned at section 7 of the Mozilla CA Policy. This requirement does not apply for regular, non-wild card certificates.
Higher validation requirements about the identity and/or organization of the subscriber will mitigate the risk described above.
(Implementation: CAs should be given sufficient time to update on the policy change and introduce changes to their own policies, procedures and controls. A possible target could be 1st of January 2010.)
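Added example, not part of the bug report or of Mozilla's code: a Python re-implementation of the browser-side wildcard match (a single left-most label, per RFC 2818 / RFC 6125) run against a constructed domain-validated wildcard for an attacker-controlled domain, showing which host names such a certificate covers without any warning and what part of the name a user would actually have to read to notice. The SAN, the URL and the two-label registrable-name helper are assumptions made for the example.

```python
# Added example, not from the bug report: a browser-style wildcard match
# (single left-most label, RFC 2818 / RFC 6125 section 6.4.3) used to show
# what a domain-validated wildcard certificate does and does not cover.
from urllib.parse import urlsplit

def wildcard_matches(san_pattern: str, hostname: str) -> bool:
    """True if a dNSName pattern such as '*.site.tld' covers hostname.

    Rules: case-insensitive; '*' is allowed only as the whole left-most label;
    it matches exactly one non-empty label; at least two literal labels must
    follow it (so '*.tld' is never accepted).
    """
    pattern = san_pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-left-most wildcard: rejected
    if len(p_labels) < 3:
        return False  # '*.tld' or bare '*': rejected
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False  # the wildcard spans exactly one label, never several
    return h_labels[1:] == p_labels[1:]

def presented_host(url: str) -> str:
    """The host part a browser compares against the certificate."""
    return urlsplit(url).hostname or ""

def registrable_name(hostname: str) -> str:
    """Simplification assumed here: the last two labels. A real client
    would consult the Public Suffix List instead."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

# Constructed sample values: a DV wildcard for an attacker-controlled domain
# and a deceptive host name placed inside the single label the wildcard covers.
ATTACKER_SAN = "*.site.tld"
DECEPTIVE_URL = "https://www-paypal-com-cgi-bin-webscr-login.site.tld/?some=more"

if __name__ == "__main__":
    host = presented_host(DECEPTIVE_URL)
    print(host, "->", wildcard_matches(ATTACKER_SAN, host))  # True: no warning
    print("registrable name the user must read:", registrable_name(host))
    # Dots inside the deceptive part break the single-label rule:
    print(wildcard_matches(ATTACKER_SAN, "www.paypal.com.site.tld"))  # False
```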
Updated 15 years ago: Severity: normal → enhancement
Comment 1 • 15 years ago
Updated 15 years ago: Attachment #419635 - Attachment mime type: application/octet-stream → text/plain
Comment 2 • 15 years ago
(In reply to comment #1)
> Created an attachment (id=419635) [details]
> not trusted -.addons.mozilla.org.crt
What does this attachment have to do with this bug?
Comment 3 • 15 years ago
FYI, the attachment is a copy of the cert served by the server at the URL
https://www.add-ons.mozilla.com/
before it redirects your browser to another server.
(But I don't think that answers Reed's question. :)
Comment 4 • 14 years ago
Frank Hecker stated his position here:
https://groups.google.com/group/mozilla.dev.tech.crypto/msg/91819d07755b349f
Do let me know if anything has changed.
Note that the issue will be exacerbated if Mozilla adds support for DNSSEC-based SSL certification. Mozilla would have to ask the registries to require IV/OV before a registrant can submit DS records and enable DNSSEC-based certification only for a whitelist of TLDs that impose the requirement.
Comment 5 • 8 years ago
I believe this has been addressed by the CA/Browser Forum Baseline Requirements.
If further clarification is needed in Mozilla's policy, please file an issue here:
https://github.com/mozilla/pkipolicy/issues/
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated 8 years ago: Product: mozilla.org → NSS
Updated 2 years ago: Product: NSS → CA Program