Allow users to untrust CA's provided by Firefox

Allow users to untrust CA's provided by Firefox

Mozilla - Cryptography mailing list
As discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1606802 and
https://phabricator.services.mozilla.com/D60382 Firefox currently does
not let users fully untrust a root CA provided by Mozilla. Even though
the Certificate Manager allows one to Edit Trust of a CA and then remove the
trust bits, this does not work for sites in the HTTP Strict Transport
Security (HSTS) preload list and sites that use HTTP Public Key Pinning
(HPKP). For those sites Firefox ignores security exceptions that have
been manually added to the Certificate Manager in the Servers tab.

Section "12.1. No User Recourse" of RFC 6797 states that the user should
not be presented with a UI to proceed or click through warning/error
dialogs. That makes sense to me and Firefox abides by this. However, RFC
6797 does not state or imply that exceptions manually added by the user
should be ignored and that the only way to visit an HSTS site should be
to fully trust the root CA at the top of the certificate chain.

I believe Firefox should allow the end user to ultimately control which
entities to trust. If a user decides to no longer trust a root CA the
user should be allowed to manually add certificates for servers she
wants to visit.

Please accept patch D60382 to make this possible again.

Kind regards,

Richard van den Berg


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
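The trust decision Richard describes, written out as an added model (this is not Firefox or NSS code): the trust-flag parser follows certutil's three-field "SSL,email,object signing" trust string, while the `Profile` layout, the `honor_exceptions_for_hsts` switch and the sample hosts and nicknames are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


def root_trusted_for_tls(trust_args: str) -> bool:
    """Parse an NSS certutil trust string ("SSL,email,object signing", e.g. "CT,C,C"
    or ",,") and report whether the root may issue TLS server certificates.
    'C' in the SSL field grants that; 'p' (prohibited) in the same field denies it."""
    fields = trust_args.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three comma-separated fields, got {trust_args!r}")
    ssl_flags = fields[0]
    return "p" not in ssl_flags and "C" in ssl_flags


@dataclass
class Profile:
    """Assumed, simplified view of the state the post refers to (not Firefox's layout)."""
    root_trust: dict[str, str]                # root CA nickname -> certutil trust args
    server_exceptions: set[tuple[str, str]]   # (host, leaf fingerprint) from the Servers tab
    hsts_hosts: set[str]                      # preload list plus hosts that sent STS headers


def connection_allowed(profile: Profile, host: str, root_nick: str, leaf_fp: str,
                       honor_exceptions_for_hsts: bool = False) -> tuple[bool, str]:
    """Decide whether a TLS connection proceeds and say why.
    honor_exceptions_for_hsts=False models the behaviour the post complains about:
    on an HSTS host a manually added server exception is ignored. True models the
    requested behaviour, where an explicit exception still counts once the root's
    trust bits have been removed."""
    # ",," is what certutil shows for a root whose trust bits were all removed.
    if root_trusted_for_tls(profile.root_trust.get(root_nick, ",,")):
        return True, "chain anchors to a root trusted for server auth"
    if host in profile.hsts_hosts and not honor_exceptions_for_hsts:
        return False, "HSTS host: no user recourse, server exceptions are not consulted"
    if (host, leaf_fp) in profile.server_exceptions:
        return True, "untrusted root, but an explicit exception exists for this leaf"
    return False, "untrusted root and no exception for this leaf"


# Constructed sample profile: one root with trust bits removed, one exception, one HSTS host.
SAMPLE = Profile(
    root_trust={"Example Root CA": ",,", "Other Root CA": "CT,C,C"},
    server_exceptions={("hsts.example", "AA:BB:CC")},
    hsts_hosts={"hsts.example"},
)

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, connection_allowed(SAMPLE, "hsts.example", "Example Root CA", "AA:BB:CC", flag))
```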
Re: Allow users to untrust CA's provided by Firefox

JC Jones
On Wednesday, January 22, 2020 at 8:29:23 AM UTC-7, Richard van den Berg wrote:

> As discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1606802 and
> https://phabricator.services.mozilla.com/D60382 Firefox currently does
> not let users fully untrust a root CA provided by Mozilla. Even though
> the Certificate Manager allows one to Edit Trust of a CA and then remove the
> trust bits, this does not work for sites in the HTTP Strict Transport
> Security (HSTS) preload list and sites that use HTTP Public Key Pinning
> (HPKP). For those sites Firefox ignores security exceptions that have
> been manually added to the Certificate Manager in the Servers tab.
>
> Section "12.1. No User Recourse" of RFC 6797 states that the user should
> not be presented with a UI to proceed or click through warning/error
> dialogs. That makes sense to me and Firefox abides by this. However, RFC
> 6797 does not state or imply that exceptions manually added by the user
> should be ignored and that the only way to visit an HSTS site should be
> to fully trust the root CA at the top of the certificate chain.
>
> I believe Firefox should allow the end user to ultimately control which
> entities to trust. If a user decides to no longer trust a root CA the
> user should be allowed to manually add certificates for servers she
> wants to visit.
>
> Please accept patch D60382 to make this possible again.
>
> Kind regards,
>
> Richard van den Berg

Hi Richard,

Just to acknowledge, we're talking this through (and my comments on the patch) internally, but since we're all packing up for our All Hands meeting in Berlin next week we haven't had enough time to reason through the threat-model here. We're going to talk this through though, and please feel free to ping if I don't seem to get back to it fast enough.

Thanks for being involved, and sorry for the delay!

J.C.

Re: Allow users to untrust CA's provided by Firefox

Mozilla - Cryptography mailing list
Hi J.C.,

On 24/01/2020 23:24, JC Jones wrote:
> We're going to talk this through though, and please feel free to ping if I don't seem to get back to it fast enough.

I don't know what timeline you had in mind, but it has been almost 3 weeks...

Cheers,

Richard
