ipsCA and Mozilla fail 2010 January 5
Many educational institutions in the United States have relied on ipssCA for SSL certificates. The main reason for this is that ipsCA has offered them at no cost to these institutions. Certificates, especially Wildcard certificates that are required for services such as EZproxy, can run into the hundreds of dollars per year. For example. Digicert charges $495 for 1 year and Instant SSL charges $449.95 for 1 year. Thus, it is not a surprise that over 12,000 higher educational institutions would rely on ipsCA for certificates.
Each certificate issuer has to have CAs, and ipsCA recently received a new ones because there previous CAs expired. The new ipsCA CAs have been issued and they are providing customers with new certificates based on their new CAs free of charge. Once they receive the CA’s, issuers have to provide it to Web browser developers to be included with the browser. However, ipsCA did not do this until recently and while Microsoft has accepted the new root CA, Mozilla (creators of the Firefox browser) has not up until this point. In fact, Mozilla will not be adding the new CA anytime soon. According to Mozilla’s time line the process typically takes up to 14 months and because of issues with the initial request from ipsCA, their request is at the beginning of the process and it appears Mozilla is unwilling to speed up the process. According to David E. Ross:
[T]he problem lies in the hands of ipsCA and not Mozilla. [… T]he very late recognition by ipsCA that they had to replace a root certificate that was about to expire compounded the problem. Further expressions of the need for haste will not speed the process. Any shortcuts or other measures to hasten the process can only weaken the trust users have in the overall certificate database.
While I understand David’s (and apparently Mozilla’s) reluctance to speed up the process, I disagree with him that doing so will weaken the trust in the overall certificate database. In fact, I believe just the opposite will happen because of delays like this. Having a time line that takes 14 months when most of the time nothing is happening is just not acceptable in 2010 – especially when it involves technology and the Internet. However the process is moving at glacial speed. If CAs are not added in a timely process, people will become use to creating exceptions which, when done on any scale average Internet users, will undermine the whole idea of a certificate database. Apparently Microsoft was able to handle this in a timely manner, why can’t Mozilla? If their was some kind of constant review going on, that would be one thing, but things just sit in a queue for 9 out of the best case scenario of ~10 months. They need to figure out a way to increase their goal from only starting one public discussion per week. Yes, ipsCA messed up and the fact that they didn’t act sooner is the major cause of this particular problem. However, I do not think Mozillia should be let off the hook. They have failed over 12,000 institutions and millions of Internet users that use the Web sites they operate. A 14 month process with 90% of the time being spent in queues is just not acceptable. Mozilla #FAIL.
This is a real screw up on Mozilla’s part. When Verisign can renew certs with a pair of phone calls to a client there is NO REASON that a RENEWAL even at a ROOT level should be such an issue. This is really a simply replacement of a file from a source that you supposedly already trusted.
14 days would be too long.
At most this is a 24-48 hour process.
As I understand it, there are other reasons Mozilla has problems with ipsCA, such as issuing certs with embedded nulls, non-compliant OPCSA servers, and issuing certs that expire after the root etc.
This root expiry therefore compounded the issue.
I reminded ipsCA their root would expire last Jan in a support ticket (query about what would happen to my certs). They have known about the issue since the cert was generated 11 years ago. Why did they wait til the last minute to generate a new root (sep 09)????
It’s commercial suicide. I don’t expect to see them round much longer. Do a search, see how many customers are jumping ship.
AdC: I don’t think ipsCA isn’t at fault, but what reasonable explanation is there for a ~14 month long process? I don’t see absolutely any. Yes, people are jumping ship (as I have at my place of work), but they are jumping because of Mozilla’s unreasonable time-frame. As Mike Volk pointed out even a 14 day timeframe is not really reasonable (although I’m okay with some time to get into a security update).
It seems to me that Mozilla is saying it’s my ball and if you don’t like it I’m taking it with me and going home. This is the antithesis of what Open Source should be about in my opinion, and because of this attitude I am contemplating changing my default browser to Google Chrome. I’m not a really a huge fan of Google, but I am quickly becoming not a fan of Mozilla as well. Any allegiance I may have had is waining fast.
ecorrado…
even if Mozilla did get the cert immediately into the latest firefox, there are still major problems caused by ipsCA.
IE8 + latest mozilla only account for a small amount of users of these certs. Our web logs show 30% of IE users are still on IE6. How long would it take for someone to update their mozilla also?
Basically ipsCA acted as if it would be no problem to get a cert on every desktop on the planet in a couple months. Incredible.
They needed to start a couple years ago, get the cert into windows first (root cert updates, which btw aren’t deemed critical updates), or into a windows service pack (e.g. XP SP3 etc). they also needed to get it into every major piece of software that ships a bunch of root certs, such as mozilla, chrome, a bunch of java distrs etc etc etc.
So the fact they only generated that cert a couple months before d-day, just really shows what turkeys they are. I’m with Mozilla on this one, it doesn’t engender a sense of trust.