[ale] Firefox-3 and authorizing home-made certs

Scott Castaline hscast at charter.net
Tue Jul 8 20:46:11 EDT 2008


Daniel Kahn Gillmor wrote:
> On Tue 2008-07-08 17:27:39 -0400, Chris Fowler wrote:
>
>   
>> FF3's certificate warnings are scary compared to FF2.  What we have done 
>> is started the process of getting a valid certificate for a server.  
>
> Bah.  All well-formed certificates are *valid*.  What you've done is
> agreed to pay some money to a middleman certificate broker who has
> managed to get their Certificate Authority's credentials "trusted" by
> default in the major browsers.  Many of these CAs can't even seem to
> publish a reasonable CRL (let alone use OCSP) to properly revoke
> certificates.  Given the recent Debian OpenSSL debacle, these
> middleman CAs should have *overflowing* CRLs, but most of them haven't
> seemed to have done anything of the kind.
>
> For most purposes (and especially for in-house purposes), these
> "official CAs" are actually *less* trustworthy than a CA run by your
> own group's administrators.  Check out the TinyCA [0] packages to see
> how simple that can be.  You can set it up on an old laptop, keep it
> off-net, and transfer data to and from it via USB if you want to keep
> the mechanism of the CA itself isolated.
>
> The whole X.509 architecture is at fault here really [1], but the
> recent FF3 changes have made it much worse.
>
> If you have an in-house CA, and you control the user's browsers (e.g. a
> lab environment or mid-size corp), you use the NSS certificate
> database tools to automatically "trust" the in-house CA for most users
> with a simple command like:
>
>  certutil -A -d ~/.mozilla/firefox/default.*/ -n 'in-house CA' -t C,, </path/to/inhouse-CA-certificate.pem
>
> Then future Firefox sessions for that user (using the "default"
> profile) should have no problem accessing sites that use a certificate
> signed by the in-house CA.
>
> Unfortunately, this needs to be done for every user, and it needs to
> happen *after* their default profile is created.  I haven't yet
> figured out how to make this a default upon profile creation either.
> If anyone else has pointers on how to do something like this at
> profile creation time, I'd love to hear about it.
>
> Your grumpy TLS troll,
>
>         --dkg
>
> [0] http://packages.debian.org/tinyca
> [1] http://lair.fifthhorseman.net/~dkg/tls-centralization
> [2] http://packages.debian.org/libnss3-tools
> ------------------------------------------------------------------------
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
I have the same problem with my HP printer and FF3. The printer has a 
network interface with web access. Is it safe to set "Select one 
automatically" under Preferences -> Advanced -> Encryption -> 
Certificates? It seems that under the default of ask me every time I have 
to go into View Certificates -> Other and delete the one created for my 
printer. Or should I go with allowing the creation of the cert., export 
it and then import it into Servers category and leave the option set to 
"Ask me every time."?
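
The per-user certutil step dkg describes above (adding the in-house CA with `-t C,,` to each profile's NSS database) is the kind of thing that ends up in a script, and the trust flags are the part worth checking afterwards. The following is an added example, not code from this thread or from the NSS project: it walks the profile directories under a base directory, parses `certutil -L` output, reports any CA trusted more broadly than server authentication, and adds the in-house CA only to profiles that do not already trust it. It assumes profiles live under `~/.mozilla/firefox/<name>/` and hold a `cert8.db` (Firefox 3 era) or `cert9.db` (current builds), and that `certutil -L` prints the two header lines shown in `SAMPLE_LISTING`, which is constructed sample output rather than a capture from a real profile.

```python
#!/usr/bin/env python3
"""Audit and prepare in-house CA trust across Firefox NSS profile databases.

Added example.  Assumptions: each profile directory under base_dir contains an
NSS database (cert8.db or cert9.db); `certutil -L -d <dir>` prints the two
header lines shown in SAMPLE_LISTING.  SAMPLE_LISTING is constructed sample
output, not captured from a real profile.
"""
import os
import subprocess
from typing import List, NamedTuple

SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

in-house CA                                                  C,,
Example Root CA                                              CT,C,C
lab printer                                                  P,,
"""

# Letters in a trust column that grant CA trust (C) or CA trust for client auth (T).
CA_TRUST_FLAGS = {"C", "T"}


class TrustEntry(NamedTuple):
    nickname: str
    ssl: str      # first column: TLS server/client authentication
    smime: str    # second column: S/MIME email
    signing: str  # third column: JAR/XPI object signing


def parse_certutil_listing(text: str) -> List[TrustEntry]:
    """Turn `certutil -L -d <dir>` output into one TrustEntry per certificate."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line.startswith("SSL,S/MIME"):
            continue
        nickname, trust = line.rsplit(None, 1)  # nickname may itself contain spaces
        cols = (trust.split(",") + ["", "", ""])[:3]
        entries.append(TrustEntry(nickname, *cols))
    return entries


def trust_findings(entry: TrustEntry) -> List[str]:
    """Report where a certificate is trusted more broadly than `-t C,,` grants.

    `-t C,,` trusts the CA only to sign TLS server certificates.  The T flag
    adds trust for issuing client certificates, and a CA flag in the S/MIME or
    JAR/XPI column lets the same key vouch for email or signed code as well.
    """
    findings = []
    if "T" in entry.ssl:
        findings.append("trusted to issue TLS client certificates (T)")
    if CA_TRUST_FLAGS & set(entry.smime):
        findings.append("trusted as an S/MIME CA")
    if CA_TRUST_FLAGS & set(entry.signing):
        findings.append("trusted as an object-signing CA")
    return findings


def is_ca_trusted_for_tls(entries: List[TrustEntry], nickname: str) -> bool:
    """True if `nickname` is present and carries CA trust for TLS server auth."""
    return any(e.nickname == nickname and "C" in e.ssl for e in entries)


def find_profiles(base_dir: str) -> List[str]:
    """Return every immediate subdirectory of base_dir that holds an NSS cert database."""
    profiles = []
    if not os.path.isdir(base_dir):
        return profiles
    for name in sorted(os.listdir(base_dir)):
        path = os.path.join(base_dir, name)
        if os.path.isdir(path) and any(os.path.exists(os.path.join(path, db))
                                       for db in ("cert8.db", "cert9.db")):
            profiles.append(path)
    return profiles


def build_import_argv(profile_dir: str, nickname: str, pem_path: str) -> List[str]:
    """argv for adding a CA with server-auth-only trust (the `-t C,,` from the thread)."""
    return ["certutil", "-A", "-d", profile_dir, "-n", nickname, "-t", "C,,", "-i", pem_path]


def run_certutil(argv: List[str]) -> str:
    """Run certutil and return its stdout; raises if the tool is missing or fails."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def ensure_ca_in_profiles(base_dir: str, nickname: str, pem_path: str, run=run_certutil) -> List[str]:
    """Add the CA to each profile that does not already trust it; return the profiles updated."""
    updated = []
    for profile in find_profiles(base_dir):
        listing = run(["certutil", "-L", "-d", profile])
        if not is_ca_trusted_for_tls(parse_certutil_listing(listing), nickname):
            run(build_import_argv(profile, nickname, pem_path))
            updated.append(profile)
    return updated


if __name__ == "__main__":
    # Audit the current user's profiles and print any over-broad CA trust.
    for profile in find_profiles(os.path.expanduser("~/.mozilla/firefox")):
        for entry in parse_certutil_listing(run_certutil(["certutil", "-L", "-d", profile])):
            for finding in trust_findings(entry):
                print(f"{profile}: {entry.nickname!r} is {finding}")
```

The `run` parameter exists so the profile walk can be exercised without a real certutil; in production the default runs `certutil` from libnss3-tools. Keeping the import at `-t C,,` rather than `CT,C,C` limits what a leaked in-house CA key could be used for to impersonating TLS servers, which is why the audit treats anything broader as a finding.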

