Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en; rv:1.9a6pre) Gecko/20070617 Camino/2.0a1pre in bug 399019 comment 10, nelson asks if we want to replace the CA as the responsible party for support transactions when the CAs themselves have been paid to do it. I propose that we make the CAs pay. steps: 1. quit your browser (see bugs about cached chain elements) 2. run a recent gecko (I'm using 10.3.9, so I can't) which uses pretty error pages 3. load https://www.biglumber.com/x/web?mp=1 4. load https://www.godaddy.com/ 5. load https://www.biglumber.com/x/web?mp=1 actual results: 3' hard and brutal error page actual results with my older browser: 3' certificate claiming: A. to be for "biglumber.com" B. to be issued by "Go Daddy Secure Certification Authority" 5' page loads and you can get the following information from the chain: "Go Daddy Secure Certification Authority" Issued by: "" <?> -- Camino seems a bit confused here. Organization: GoDaddy.com, Inc. Organizational Unit: http://certificates.godaddy.com/repository Issued by: The Go Daddy Group, Inc. Organizational Unit: Go Daddy Class 2 Certification Authority That certificate shows: "Go Daddy Class 2 CA" Now, we have Go Daddy's CA in our CA, which means we should have some way to provide our users a link to customer feedback for go daddy. Expected results: when we get such a certificate (biglumber's) and can't find the issuer, do a fuzzy search through the trusted CA set for possible matches. In the error page, provide links to the support sites for the fuzzy matching CAs. As nelson says, we should make the CAs provide the service since they're being paid. I'd encourage the CAs who find their customers (e.g., biglumber) costing them too much money to either refuse to issue the next year's certificate or raise the fee. In this manner, we progressively improve the state of the web. Biglumber gets feedback from someone it cares about (CA), our (browser) users have a place to send feedback (CA) which is sponsored by the service they want to use (biglumber). And the CA can choose to charge an extra fee if necessary to its client (it shouldn't mind taking in a bit of money). Now, in theory forgers could choose to invent fake CAs that look like real CAs, however, I don't see this as a problem, they can do that today, and this way there's a path for users to find out that they're encountering sites with certificates from fraudulent CAs.

I think complaining to the owners of the broken web sites is more productive than complaining to CAs.

First of all, it's the responsibility of the owner of the web site. However neither CAs nor Mozilla are working for the education department of the WWW. Instead the fetching the missing intermediate CA certificate via the CA Issuers extension was suggested in order to provide a better experience when encountering sites with incomplete CA chains.

Complaining to the owners in the case of phishing/forgeries is a bad idea, and in many cases there's no way to find a contact, if there's a valid certificate, the issuer has the contact information and can provide it. It should be the job of web browsers and CAs to educate users and improve the web. The alternative is that we help the web create better idiots ["Make something idiot-proof, and they will build a better idiot"]. If a web site has a certificate issued from a CA that is very similar to a real CA, then, I'd think the real CA would want to know when someone is impersonating it. That said, if you can give me an algorithm for complaining to web masters directly that doesn't involve dealing with the CAs, I'll gladly work with it. (I have a tentative proposal that involves a system of tech evangelism / queries / (possibly) Bugzilla, but it's not finished and needs some resources whereas CAs already have contact people and are responsible for trust on the internet.

(In reply to comment #3) > It should be the job of web browsers and CAs to educate users and improve the > web. This can be done voluntary as some CAs actually do. > The alternative is that we help the web create better idiots ["Make something > idiot-proof, and they will build a better idiot"]. Technology is here to serve people, not people serving the technology. Certificates are usually enough complicated for many, my personal opinion is to make it easier for them to use. This includes many "so-called" system admins and hobbyists running a small server. We should promote the use of security tools such as PKI, not make it harder. Continued below... > If a web site has a certificate issued from a CA that is very similar to a real > CA A similar certificate is not the same certificate. That's why one receives a warning. That's why the certificate must be chained to the approved CA root. Mozilla should try to build this chain if the server doesn't supply the complete chain or issue the warning. There is no guessing in this. Either it matches the issuer root or not. > > That said, if you can give me an algorithm for complaining to web masters > directly that doesn't involve dealing with the CAs, I'll gladly work with it. Yes, there are several ways: 1.) Contact the site owner if there is something published on the web site. 2.) Lookup the email address published within the end-user certificate. 3.) Try administrative accounts such as postmaster@ or abuse@. (postmaster@ addresses are required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1, abuse@ is required according to RFC2142)

Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody