"Perfection is not attainable, but if we chase perfection we can catch excellence."-- Vince Lombardi (American football coach)
Friday, April 22, 2011
On Excellence
Thursday, April 21, 2011
Honest Achmed's Request
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.16)
Gecko/20110319 Firefox/3.6.16
Build Identifier:
This is a request to add the CA root certificate for Honest Achmed's Used Cars
and Certificates. The requested information as per the CA information
checklist is as follows:
1. Name
Honest Achmed's Used Cars and Certificates
2. Website URL
www.honestachmed.dyndns.org
3. Organizational type
Individual (Achmed, and possibly his cousin Mustafa, who knows a bit about
computers).
4. Primary market / customer base
Absolutely anyone who'll give us money.
5. Impact to Mozilla Users
Achmed's business plan is to sell a sufficiently large number of certificates
as quickly as possible in order to become too big to fail (see "regulatory
capture"), at which point most of the rest of this application will become
irrelevant.
6. CA Contact Information
achmed@honestachmed.dyndns.org
Technical information about each root certificate
1. Certificate Name
Honest Achmed's Used Cars and Certificates
2. Certificate Issuer Field
Honest Achmed's Used Cars and Certificates
3. Certificate Summary
The purpose of this certificate is to allow Honest Achmed to sell bucketloads
of other certificates and make a lot of money.
4. Root Certificate URL
www.honestachmed.dyndns.org/cert.der
5. SHA1 fingerprint to 10. Signing key parameters
See the certificates.
11. Test website URL - 14. OCSP (OCSP is required for EV enablement)
https://www.honestachmed.dyndns.org / www.honestachmed.dyndns.org/chain.p7s /
www.honestachmed.dyndns.org/crl.der / www.honestachmed.dyndns.org/ocsp.asp
15. Requested Trust Bits
All of them of course. The more trust bits we get, the more certificates we
can sell.
16. SSL Validation Type
All of them. The more types, the more certificates we can sell.
CA Hierarchy information for each root certificate
1. CA Hierarchy
Honest Achmed plans to authorise certificate issuance by at least, but not
limited to, his cousin Osman, his uncles Mehmet and Iskender, and possibly his
cousin's friend Emin.
2. Sub CAs Operated by 3rd Parties
Honest Achmed's uncles may invite some of their friends to issue certificates
as well, in particular their cousins Refik and Abdi or "RA" as they're known.
Honest Achmed's uncles assure us that their RA can be trusted, apart from that
one time when they lent them the keys to the car, but that was a one-off that
won't happen again.
Verification Policies and Practices
1. Documentation: CP, CPS, and Relying Party Agreements
Honest Achmed promises to studiously verify that payment from anyone requesting
a certificate clears before issuing it (except for his uncles, who are good for
credit). Achmed guarantees that no certificate will be issued without payment
having been received, as per the old latin proverb "nil certificati sine
lucre".
2. Audits
Achmed's uncles all vouch for the fact that he's honest. In any case by the
time he's issued enough certificates he'll be regarded as too big to fail by
the browser vendors, so an expensive audit doesn't really matter.
3. SSL Verification Procedures
4. Email Address Verification Procedures
5. Code Signing Subscriber Verification Procedures
See (1).
Response to Mozilla's CA Recommended Practices
Honest Achmed promises to abide by these practices. If he's found not to abide
by them, he'll claim it was a one-off slip-up in procedures and that policies
have been changed to ensure that it doesn't happen again. If it does happen
again, he'll blame it on one of his uncles or maybe his cousin, who still owes
him some money for getting the car fixed.
Reproducible: Always
Source: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Monday, April 4, 2011
Saturday, April 2, 2011
The Soup Nazi
Subscribe to:
Posts (Atom)
