[opensuse-factory] http://www.cacert.org root certificates?
I recently was given a URL that was signed by http://www.cacert.org; Firefox promptly displayed a warning about unknown issuer. Is the site known? May be it could be included in certs installed by default? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Aug 27, 2014 at 07:18:57PM +0400, Andrei Borzenkov wrote:
I recently was given a URL that was signed by http://www.cacert.org; Firefox promptly displayed a warning about unknown issuer.
Is the site known? May be it could be included in certs installed by default?
zypper in ca-certificates-cacert This will not be in Firefox as there we honor what Firefox ships to not void our distribution rights. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Andrei Borzenkov schrieb:
I recently was given a URL that was signed by http://www.cacert.org; Firefox promptly displayed a warning about unknown issuer.
Is the site known? May be it could be included in certs installed by default?
This story is very long and winding, but the reason that CACert cannot be included in the Firefox root cert database is because CACert did never conclude an independent audit of their infrastructure. And their inability to do that for years sheds some questionable light onto them in general, as much as we like them because of them being community-driven and decentralized and all. See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 and the thread listed in its whiteboard if you want to dig into the meant of this long-winded story. KaiRo -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-27 17:34, Robert Kaiser wrote:
Andrei Borzenkov schrieb:
I recently was given a URL that was signed by http://www.cacert.org;
...
See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 and the thread listed in its whiteboard if you want to dig into the meant of this long-winded story.
Wow. Long one. I got tired reading at about post 50 (year 2004), and there are 191 (year 2009). I guess the decision was on the end not to include the certificate. There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org. And I'm reminded by comments on the media about "secure e-commerce", on which they tell people that when they see the "lock" icon, a web page is secure, and their money is secure, when it is not. That "lock" icon doesn't really guarantee any of that. It simply means that a certificate authority thinks that they are who they say they are. We still need to personally verify that if we find a link for the bank of London, it really is the page of that bank, and that the bank is a real one. Once we verify that, on the next connections we do to the site the lock would say that the situation regarding the site has not changed... probably. Sigh... bewildering situation. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP+QiEACgkQtTMYHG2NR9UBYwCfRdJxN2aFwb3i7EYhySPYh+5F k/sAn09OxU4Hlp12asp9vANSUHdb/740 =vj7A -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
"Carlos E. R." <carlos.e.r@opensuse.org> writes:
There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org.
Is there a difference between "partial trust" and "no trust"? Andreas. -- Andreas Schwab, SUSE Labs, schwab@suse.de GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different." -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 09:04, Andreas Schwab wrote:
"Carlos E. R." <> writes:
There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org.
Is there a difference between "partial trust" and "no trust"?
Well, yes :-) I could use a lower trust certificate for an email site, or even for sites such as some of the opensuse.org sites, which often use self-certificates, which are no trust at all. Try https://www.opensuse.org/en/ ;-) The certificate triangle is light grey with an exclamation sign. Page info says "verified by: not specified". If I connect to my bank I see a grey padlock instead. With paypal, I see a green padlock. Some other sites where developing work for opensuse is made (and some opensource sites) use self signed certificates. Using a lower trust authority would be better than me having to verify somewhat that they are what they say they are and add exceptions manually. It would be acceptable to me to know when a connection certificate is verified by a "industry accepted organization", or one that doesn't pass all the tests. If, on the current system, I add cacert, I could open a financial page and not notice that the certificate comes from them, and that would be "/dangerous/". So yes, there are indeed grades of trust, but PKI doesn't have them. PGP does. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/F5sACgkQtTMYHG2NR9XkgQCgklzfEASACE7sTZuCheUW8fjn o5sAnisXujHiAi3Q7WA+BkxzZ8rDZ27/ =D2VV -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. wrote:
On 2014-08-28 09:04, Andreas Schwab wrote:
"Carlos E. R." <> writes:
There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org.
Is there a difference between "partial trust" and "no trust"?
Well, yes :-)
I could use a lower trust certificate for an email site, or even for sites such as some of the opensuse.org sites, which often use self-certificates, which are no trust at all.
Not quite - in those cases, it is up to the user to decided if he wants to trust the issuer. There is no chain of trust.
Some other sites where developing work for opensuse is made (and some opensource sites) use self signed certificates. Using a lower trust authority would be better than me having to verify somewhat that they are what they say they are and add exceptions manually.
We're going off topic, but I disagree. It's better to ask you to decide for yourself than suggest you use a "lower" chain of trust. Besides, self-signed certificates are more often about securing the communication than identifying the website owner. -- Per Jessen, Zürich (12.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 15:49, Per Jessen wrote:
Carlos E. R. wrote:
Not quite - in those cases, it is up to the user to decided if he wants to trust the issuer. There is no chain of trust.
You don't understand. The icon on the bar that indicates the security level of the page, or however it is called, does not indicate the issuer. There is no way to configure if I trust the issuer or not. Once I add an issuer, say cacert, for all purposes it is full-trust. It is not up to me, I just get the "lock" miniicon in there... - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/VEEACgkQtTMYHG2NR9VLoACfYqrFotfAadw+kYDqR5lQNIvO hN4AnAzMsGKG846k62ciKTqumKoC8pvU =/UF4 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. schrieb:
The icon on the bar that indicates the security level of the page, or however it is called, does not indicate the issuer. There is no way to configure if I trust the issuer or not.
The issuer is never indicated there, that's true. Also, on normal certs, which do not actually verify the identity of the cert owner, it's just the lock, whereas on EV certs, which actually do require verification of the identity of the cert owner, both a green lock and the name of the cert owner are displayed. That's both on the owner of the cert, though, and not the issuer, as ultimately, the issues is just a proxy - what it's about in the end is how secure (or "trusted" for some kind of trust) the website is. KaiRo -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 18:56, Robert Kaiser wrote:
Carlos E. R. schrieb:
The icon on the bar that indicates the security level of the page, or however it is called, does not indicate the issuer. There is no way to configure if I trust the issuer or not.
The issuer is never indicated there, that's true. Also, on normal certs, which do not actually verify the identity of the cert owner, it's just the lock, whereas on EV certs, which actually do require verification of the identity of the cert owner, both a green lock and the name of the cert owner are displayed. That's both on the owner of the cert, though, and not the issuer, as ultimately, the issues is just a proxy - what it's about in the end is how secure (or "trusted" for some kind of trust) the website is.
Yes, I have seen some sites that display like that, but as there is no help button when clicking on that security icon, I have not seen a list of all the possible status and their meanings. I just found it: https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secur... But there is no icon for custom added ca. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/qloACgkQtTMYHG2NR9XmGQCeKFMfD047wUug65CJB5upGEQE cdQAn2ENclkPgJgDOAvcQvyZ0T0fZhLC =xaas -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thursday, August 28, 2014 06:56:39 PM Robert Kaiser wrote:
Carlos E. R. schrieb:
The icon on the bar that indicates the security level of the page, or however it is called, does not indicate the issuer. There is no way to configure if I trust the issuer or not.
The issuer is never indicated there, that's true. Also, on normal certs, which do not actually verify the identity of the cert owner, it's just the lock, whereas on EV certs, which actually do require verification of the identity of the cert owner, both a green lock and the name of the cert owner are displayed. That's both on the owner of the cert, though, and not the issuer, as ultimately, the issues is just a proxy - what it's about in the end is how secure (or "trusted" for some kind of trust) the website is.
KaiRo I do not find the button you mentioned on Firefox 31.0. But under tools-->Page Information it appears to be there. -- openSUSE 13.1(Linux 3.11.10-21-desktop x86_64| Intel(R) Quad Core(TM) i5-4440 CPU @ 3.10GHz|8GB DDR3| GeForce 8400GS (NVIDIA-Linux-x86_64-340.32)|KDE 4.13.3
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-08-28 15:49, Per Jessen wrote:
Carlos E. R. wrote:
Not quite - in those cases, it is up to the user to decided if he wants to trust the issuer. There is no chain of trust.
You don't understand.
The icon on the bar that indicates the security level of the page, or however it is called, does not indicate the issuer. There is no way to configure if I trust the issuer or not.
Sure there is - you install their root certificate.
Once I add an issuer, say cacert, for all purposes it is full-trust.
Right. That's what I mean. -- Per Jessen, Zürich (12.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 22:08, Per Jessen wrote:
Carlos E. R. wrote:
Once I add an issuer, say cacert, for all purposes it is full-trust.
Right. That's what I mean.
And that's what I do not want... I want to be told, when going to a site certified by certain ca, that it is not full trust. PGP does it. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/qAIACgkQtTMYHG2NR9UrhACeIUfa7sDDS2oKYlgig0iWC6lS uIsAoIMHSlZdYqNQbIpQecV/4IyLSJHG =FaLF -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. wrote:
On 2014-08-27 17:34, Robert Kaiser wrote:
Andrei Borzenkov schrieb:
I recently was given a URL that was signed by http://www.cacert.org;
...
See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 and the thread listed in its whiteboard if you want to dig into the meant of this long-winded story.
Wow. Long one. I got tired reading at about post 50 (year 2004), and there are 191 (year 2009). I guess the decision was on the end not to include the certificate.
There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org.
There are different certificates out there - the EV certificates involve more checking/documentation/authentication - when FF sees an EV certificate, the bit to the left of the URL ("Verified by") goes green (e.g. https://www.joker.com), otherwise it's blue (e.g. https://www.linkedin.com/).
And I'm reminded by comments on the media about "secure e-commerce", on which they tell people that when they see the "lock" icon, a web page is secure, and their money is secure, when it is not. That "lock" icon doesn't really guarantee any of that. It simply means that a certificate authority thinks that they are who they say they are.
Plus that the connection is (mostly) secure. -- Per Jessen, Zürich (12.9°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 09:23, Per Jessen wrote:
Carlos E. R. wrote:
There are different certificates out there - the EV certificates involve more checking/documentation/authentication - when FF sees an EV certificate, the bit to the left of the URL ("Verified by") goes green (e.g. https://www.joker.com), otherwise it's blue (e.g. https://www.linkedin.com/).
I recogn I don't have a clear understanding of the meaning of those icons. But I think the colour does not depend on the certificate authority. Clicking on the icon misses a link to a page explaining it. But according to what the mozilla people say, there are no degrees of certification because PKI doesn't allow it.
And I'm reminded by comments on the media about "secure e-commerce", on which they tell people that when they see the "lock" icon, a web page is secure, and their money is secure, when it is not. That "lock" icon doesn't really guarantee any of that. It simply means that a certificate authority thinks that they are who they say they are.
Plus that the connection is (mostly) secure.
Ah, yes, of course. - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/GrUACgkQtTMYHG2NR9U++gCeOq5kA23mI8damjT1nnOLUmbz C9cAn0q8dCx2TyHJTdZ9sN241VXuBIfF =OPFO -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. schrieb:
But according to what the mozilla people say, there are no degrees of certification because PKI doesn't allow it.
Well, there is a difference between normal and extended verification (EV) certs. The latter need an even more thorough audit and a tighter certification process where the CA verifies the actual identity and not just domain ownership like they do for normal certs. Note that the criteria for CAs and their audits are all laid down in https://www.mozilla.org/en-US/about/governance/policies/security-group/certs... and CACert was to date not able to conclude an independent audit (they started it but never finished) as required by the policy, esp. it's "Applying for Inclusion..." part. KaiRo -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2014-08-28 15:23, Robert Kaiser wrote:
Carlos E. R. schrieb:
But according to what the mozilla people say, there are no degrees of certification because PKI doesn't allow it.
Well, there is a difference between normal and extended verification (EV) certs. The latter need an even more thorough audit and a tighter certification process where the CA verifies the actual identity and not just domain ownership like they do for normal certs.
That's good. But as far as I understand, FF doesn't say that by clicking on the security icon on the address bar.
Note that the criteria for CAs and their audits are all laid down in https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...
Yes,
on the bugzilla they were commenting that they were deciding on the policy. It was not yet decided about #50, by which I got tired of reading... Thanks for posting the link.
and CACert was to date not able to conclude an independent audit (they started it but never finished) as required by the policy, esp. it's "Applying for Inclusion..." part.
I understand. But the problem to me, as user, is that if I manually add the root certificate for cacert, I don't have a manner when going to a page certified by them to easily see that it is not a high grade certified page. All pages look the same... - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlP/MdAACgkQtTMYHG2NR9XcygCfSIuQTQRNoMDNetJ/Fnt/3avp e80AniC3wJWAvO2Il8wkAeanmAsxwHAQ =TgV/ -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Carlos E. R. wrote:
There are different certificates out there - the EV certificates involve more checking/documentation/authentication - when FF sees an EV certificate, the bit to the left of the URL ("Verified by") goes green (e.g. https://www.joker.com), otherwise it's blue (e.g. https://www.linkedin.com/).
I recogn I don't have a clear understanding of the meaning of those icons. But I think the colour does not depend on the certificate authority.
Correct - green = EV, blue = normal. There may be other colours, I don't know. -- Per Jessen, Zürich (12.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Aug 27, 2014 at 4:40 PM, Carlos E. R. <carlos.e.r@opensuse.org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2014-08-27 17:34, Robert Kaiser wrote:
Andrei Borzenkov schrieb:
I recently was given a URL that was signed by http://www.cacert.org;
...
See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 and the thread listed in its whiteboard if you want to dig into the meant of this long-winded story.
Wow. Long one. I got tired reading at about post 50 (year 2004), and there are 191 (year 2009). I guess the decision was on the end not to include the certificate.
There is an interesting point I noticed: that the PKI certificates do not have a scale to say how much we trust a certificate or a root certificate, it is either "fully trust" or "no trust at all". If that existed, perhaps they could have accepted cacert.org.
Covergence, http://convergence.io/, seeks to replace the existing CA structure with a distributed systems which places "trust" in your hands. More on the same topic: http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
And I'm reminded by comments on the media about "secure e-commerce", on which they tell people that when they see the "lock" icon, a web page is secure, and their money is secure, when it is not. That "lock" icon doesn't really guarantee any of that. It simply means that a certificate authority thinks that they are who they say they are. We still need to personally verify that if we find a link for the bank of London, it really is the page of that bank, and that the bank is a real one. Once we verify that, on the next connections we do to the site the lock would say that the situation regarding the site has not changed... probably.
Sigh... bewildering situation.
- -- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux)
iEYEARECAAYFAlP+QiEACgkQtTMYHG2NR9UBYwCfRdJxN2aFwb3i7EYhySPYh+5F k/sAn09OxU4Hlp12asp9vANSUHdb/740 =vj7A -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (9)
-
Andreas Schwab -
Andrei Borzenkov -
Carlos E. R. -
Carlos E. R. -
Darin Perusich -
Marcus Meissner -
Per Jessen -
Robert Kaiser -
upscope