[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal

Francisco Corella fcorella at pomcor.com
Tue Feb 14 04:46:13 UTC 2012


Eddy,

> On 02/13/2012 07:43 PM, From Francisco Corella:
> > OK, that says you use keygen to generate a key pair in Firefox (an
> > ActiveX control in IE).  But you still have to use JavaScript to
> > import the certificate into the browser.  AFAIK that's the only way
> > you can automatically import a certificate into the browser with
> > current technology.  In Firefox you must be using
> > crypto.importUserCertificates(), is that right?
> 
> No, that's wrong, we simply push the certificate to the browser in the
> correct format and headers. Browsers like Firefox know what to do with
> it in case it finds a valid key pair.

Thank you for pointing that out, it's interesting.

I guess you mean that if the relying party downloads a certificate in
the body of an HTTP response with a content-type header whose value is
a MIME type indicating that the body contains a certificate, and if
Firefox "finds a valid key pair" then Firefox will import the
certificate automatically.  Did I guess right?

Well, depending on the details, that could be a security hole.  If the
valid key pair that Firefox finds consists of the public key in an
existing certificate and the associated private key, Firefox could end
up replacing the existing certificate with one downloaded by an
attacker that binds the public key to the attacker's identity.  That
could cause the user to log into an account controlled by the
attacker, and to enter other sensitive data into the account, making
it available to the attacker.

Is this Firefox feature documented somewhere?  If so could you send a
link?

Thanks,

Francisco



>________________________________
> From: Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org>
>To: Francisco Corella <fcorella at pomcor.com> 
>Cc: "openid-general at lists.openid.net >> 'openid-general'" <openid-general at lists.openid.net>; Karen Lewison <kplewison at pomcor.com> 
>Sent: Monday, February 13, 2012 5:46 PM
>Subject: Re: [OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
> 
>
>
>On 02/13/2012 07:43 PM, From Francisco Corella:
>> OK, that says you use keygen to generate a key pair in Firefox (an
>> ActiveX control in IE).  But you still have to use JavaScript to
>> import the certificate into the browser.  AFAIK that's the only way
>> you can automatically import a certificate into the browser with
>> current technology.  In Firefox you must be using
>> crypto.importUserCertificates(), is that right?
>>
>No, that's wrong, we simply push the certificate to the browser in
>the correct format and headers. Browsers like Firefox know what to
>do with it in case it finds a valid key pair.
>
>
>
>Regards  
>  
>Signer:  Eddy Nigg, COO/CTO 
>  StartCom Ltd. 
>XMPP:  startcom at startcom.org 
>Blog:  Join the Revolution! 
>Twitter:  Follow Me 
>  
>
>
>
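The distinction Francisco draws above, between "the browser finds a private key for this certificate" and "this certificate binds that key to the identity the user enrolled", can be made concrete in code. The following Go program is an added illustration for this archive page, not code from the thread, from StartCom, or from Firefox, and it does not claim to model how any browser actually imports certificates. It assumes a hypothetical importer that records, at key-generation time, which subject name the user expects (the `Enrollment` type), and it stays at the import decision rather than modelling the HTTP response or its content type, which the thread does not name. `MatchesKeyPair` is the key-only test the thread describes; `ImportCheck` adds the subject comparison that refuses a certificate re-binding a known public key to a different name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Enrollment is what a cautious importer would persist when the key pair is
// generated: the key itself and the identity the user expects the returned
// certificate to carry. Hypothetical record; not how any browser stores keys.
type Enrollment struct {
	Key             *ecdsa.PrivateKey
	ExpectedSubject string
}

// GenerateKeyPair stands in for <keygen>: a fresh P-256 key pair held by the
// browser, tagged with the identity being enrolled.
func GenerateKeyPair(expectedSubject string) (*Enrollment, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Enrollment{Key: key, ExpectedSubject: expectedSubject}, nil
}

// IssueCert plays the server side: it binds pub to subjectCN in a certificate
// signed by issuerKey and returns the DER bytes the server would send back.
func IssueCert(pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey, subjectCN string) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Using the template as its own parent keeps the example short; the issuer
	// name then equals the subject name, which the checks below do not use.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, issuerKey)
}

// MatchesKeyPair is the "finds a valid key pair" test from the thread: does the
// certificate's public key correspond to a private key the browser holds?
func MatchesKeyPair(cert *x509.Certificate, enr *Enrollment) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&enr.Key.PublicKey)
}

// ImportCheck is the stricter rule: the key must match AND the subject must be
// the identity recorded at enrollment, so a certificate that re-binds the same
// public key to a different name is refused rather than silently installed.
func ImportCheck(der []byte, enr *Enrollment) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if !MatchesKeyPair(cert, enr) {
		return errors.New("no private key for this certificate; nothing to import")
	}
	if cert.Subject.CommonName != enr.ExpectedSubject {
		return fmt.Errorf("key matches but subject %q differs from enrolled %q",
			cert.Subject.CommonName, enr.ExpectedSubject)
	}
	return nil
}

func main() {
	// Constructed sample identities; the issuer is just a second key pair.
	user, _ := GenerateKeyPair("alice@example.com")
	issuer, _ := GenerateKeyPair("example-issuer")
	good, _ := IssueCert(&user.Key.PublicKey, issuer.Key, "alice@example.com")
	rebound, _ := IssueCert(&user.Key.PublicKey, issuer.Key, "other@example.com")
	fmt.Println("expected cert:", ImportCheck(good, user))
	fmt.Println("rebound cert :", ImportCheck(rebound, user))
}
```

Run as a program it prints `<nil>` for the certificate carrying the enrolled subject and an error for the one that carries the same public key under another name; the point is that both certificates pass `MatchesKeyPair`, so a key-only rule cannot tell them apart, and only the recorded expectation does.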