[ale] Firefox-3 and authorizing home-made certs
Scott Castaline
hscast at charter.net
Tue Jul 8 20:46:11 EDT 2008
Daniel Kahn Gillmor wrote:
> On Tue 2008-07-08 17:27:39 -0400, Chris Fowler wrote:
>
>
>> FF3's certificate warnings are scary compared to FF2. What we have done
>> is started the process of getting a valid certificate for a server.
>>
>
> Bah. All well-formed certificates are *valid*. What you've done is
> agreed to pay some money to a middleman certificate broker who has
> managed to get their Certificate Authority's credentials "trusted" by
> default in the major browsers. Many of these CAs can't even seem to
> publish a reasonable CRL (let alone use OCSP) to properly revoke
> certificates. Given the recent debian OpenSSL debacle, these
> middleman CAs should have *overflowing* CRLs, but most of them haven't
> seemed to have done anything of the kind.
>
> For most purposes (and especially for in-house purposes), these
> "official CAs" are actually *less* trustworthy than a CA run by your
> own group's administrators. Check out the TinyCA [0] packages to see
> how simple that can be. You can set it up on an old laptop, keep it
> off-net, and transfer data to and from it via USB if you want to keep
> the mechanism of the CA itself isolated.
>
> The whole X.509 architecture is at fault here really [1], but the
> recent FF3 changes have made it much worse.
>
> If you have an inhouse CA, and you control the user's browsers (e.g. a
> lab environment or mid-size corp), you use the NSS certificate
> database tools to automatically "trust" the in-house CA for most users
> with a simple command like:
>
> certutil -A -d ~/.mozilla/firefox/default.*/ -n 'in-house CA' -t C,, </path/to/inhouse-CA-certificate.pem
>
> Then future firefox sessions for that user (using the "default"
> profile) should have no problem accessing sites that use a certificate
> signed by the in-house CA.
>
> Unfortunately, this needs to be done for every user, and it needs to
> happen *after* their default profile is created. I haven't yet
> figured out how to make this a default upon profile creation either.
> If anyone else has pointers on how to do something like this at
> profile creation time, i'd love to hear about it.
>
> Your grumpy TLS troll,
>
> --dkg
>
> [0] http://packages.debian.org/tinyca
> [1] http://lair.fifthhorseman.net/~dkg/tls-centralization
> [2] http://packages.debian.org/libnss3-tools
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
I have the same problem with my HP printer and FF3. The printer has a
network interface with web access. Is it safe to set "Select one
automatically" under Preferences -> Advanced -> Encryption ->
Certificates? It seems that under the default of ask me everytime I have
to go into View Certificates -> Other and delete the one created for my
printer. Or should I go with allowing the creation of the cert., export
it and then import it into Servers category and leave the option set to
"Ask me every time."?
More information about the Ale
mailing list