Closed Bug 481725 Opened 16 years ago Closed 8 years ago

Add validation requirement for wild card certificate to Mozilla CA Policy

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: eddy_nigg, Assigned: hecker)

Details

Attachments

(1 file)

Recent discussions at m.d.t.c and some bug entries suggested that there is a higher risk for wild card certificates which could be misused by an attacker. Wild card certificates which are only domain validated are relatively easy to get from trusted CAs which perform domain control validations by automated means. A site with URL https://www.paypal.com.cgi-bin.webscr?cmd=_login-run.site.tld/?some=more&giberrish=to&confuse=the&user would raise no warning with such a certificate and a user can be easily fooled. Issuance of domain validated wild card certificates has been on the Problematic Practices page at https://wiki.mozilla.org/CA:Problematic_Practices for a while.

This bug is about a change to the Mozilla CA policy by making identity and/or organization validation a requirement for CAs which issue wild card certificates, similar to the requirements for code signing certificates mentioned at section 7 of the Mozilla CA Policy. This requirement does not apply to regular, non-wild card certificates. Higher validation requirements about the identity and/or organization of the subscriber will mitigate the risk described above.

(Implementation: CAs should be given sufficient time to update on the policy change and introduce changes to their own policies, procedures and controls. A possible target could be 1st of January 2010.)
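The risk described above depends on how a TLS client matches a wild card name in a certificate against the hostname it connected to. The following Python is an added illustration, not code from this bug or from Mozilla/NSS, and the certificate names and hostnames in it are constructed samples. It implements the RFC 6125 section 6.4.3 matching rules that mainstream clients apply: a `*.site.tld` certificate covers any single label the subscriber chooses (for example `paypal-login.site.tld`), which is the exposure a domain-validated wild card creates, while under the one-label rule a multi-label name such as `www.paypal.com.login.site.tld` is not covered, and over-broad names such as `*.tld` are rejected outright.

```python
"""Hostname matching for certificate dNSName entries, following the
RFC 6125 section 6.4.3 rules that mainstream TLS clients implement.
Added illustration only; the sample names below are constructed."""

from typing import Iterable, Optional


def _labels(name: str) -> list:
    # Case-insensitive comparison; a trailing dot (FQDN form) is ignored.
    return name.lower().rstrip(".").split(".")


def hostname_matches(presented: str, hostname: str) -> bool:
    """Return True if `presented` (a dNSName from the certificate, possibly a
    wild card) covers `hostname`.

    Rules applied (the conservative reading of RFC 6125 s6.4.3):
      * '*' is only honoured as the entire left-most label; partial-label
        wild cards such as 'w*.site.tld' are not accepted
      * the wild card matches exactly one label, never zero or several
      * at least two labels must remain to the right of the wild card,
        so '*.tld' and '*' cover nothing
    """
    p_labels = _labels(presented)
    h_labels = _labels(hostname)

    # Empty labels ('.site.tld', 'a..b') are never valid hostnames.
    if any(not label for label in h_labels):
        return False

    if "*" not in presented:
        return p_labels == h_labels

    # Wild card must be the whole left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Reject over-broad wild cards ('*', '*.tld').
    if len(p_labels) < 3:
        return False
    # Exactly one label is substituted for '*'.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_name(sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers `hostname`, or None."""
    for san in sans:
        if hostname_matches(san, hostname):
            return san
    return None


# Constructed sample: SAN list of a hypothetical domain-validated wild card
# certificate, and hostnames a relying party might be presented with.
SAMPLE_SANS = ["*.site.tld", "site.tld"]
SAMPLE_HOSTNAMES = [
    "login.site.tld",                      # covered
    "paypal-login.site.tld",               # covered: any single label
    "www.paypal.com.login.site.tld",       # not covered: several labels
    "site.tld",                            # covered by the bare name
    "other.tld",                           # not covered
]


def coverage_report(sans=SAMPLE_SANS, hostnames=SAMPLE_HOSTNAMES) -> dict:
    """Map each hostname to the SAN that covers it (or None)."""
    return {host: covering_name(sans, host) for host in hostnames}


if __name__ == "__main__":
    for host, san in coverage_report().items():
        print(f"{host:35s} -> {san}")
```

The report is the check a reviewer or CA auditor would run over a wild card certificate's SAN list to see exactly which names it covers; the `len(p_labels) < 3` test is the place to tighten further (for example against a public suffix list) if a deployment wants to refuse wild cards directly under a registry-controlled suffix.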
Severity: normal → enhancement
Attachment #419635 - Attachment mime type: application/octet-stream → text/plain
(In reply to comment #1)
> Created an attachment (id=419635)
> not trusted -.addons.mozilla.org.crt

What does this attachment have to do with this bug?
FYI, the attachment is a copy of the cert served by the server at the URL https://www.add-ons.mozilla.com/ before it redirects your browser to another server. (But I don't think that answers Reed's question. :)
Frank Hecker stated his position here: https://groups.google.com/group/mozilla.dev.tech.crypto/msg/91819d07755b349f Do let me know if anything has changed. Note that the issue will be exacerbated if Mozilla adds support for DNSSEC-based SSL certification. Mozilla would have to ask the registries to require IV/OV before a registrant can submit DS records and enable DNSSEC-based certification only for a whitelist of TLDs that impose the requirement.
I believe this has been addressed by the CA/Browser Forum Baseline Requirements. If further clarification is needed in Mozilla's policy, please file an issue here: https://github.com/mozilla/pkipolicy/issues/
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program