Domain: entrust.net
Stories and comments across the archive that link to entrust.net.
Comments · 8
-
Re:Asking the wrong question
They don't.
A Malaysian CA was issuing bad certificates from their intermediate CA that was chained to Entrust. They were allowing weak, 512-bit RSA keys to be signed, as well as not including any certificate extensions (and thus the certificates were treated as valid for all purposes by many OSs and browsers, as opposed to being limited to only what the extensions stated). Entrust revoked the intermediate CA. Evidently the Malaysia CA also had broken CRL locations burned into the certs (or didn't include any CRL information, I don't quite recall), and
Since the certificate had no extensions, it was usable as a code-signing certificate and used to sign malware. The same thing would could have happened if the bad guys managed to steal a regular code-signing cert and the revocation was broken.
-
Entrust's SSL certificate, and its problemsOK, here's Entrust's SSL certificate. Let's see what we've got.
Domain: www.entrust.com
Server identity:
CN = www.entrust.com
serialNumber = DOC:19961216
OU = it
O = Entrust Inc
jurisdictionOfIncorporationStateOrProvinceName = MD
jurisdictionOfIncorporationCountryName = US
L = Ottawa
ST = Ontario
C = CA
Issuer identity:
CN = Entrust Certification Authority - L1A
OU = (c) 2006 Entrust, Inc.
OU = www.entrust.net/CPS is incorporated by reference
OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY
OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE
O = Entrust, Inc.
C = US Certificate has 10 extensions.- Extension #0: keyUsage = Digital Signature, Key Encipherment
- Extension #1: privateKeyUsagePeriod = Not Before: Jan 12 13:57:28 2007 GMT, Not After: Jan 12 14:17:41 2009 GMT
- Extension #2: extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
- Extension #3: authorityInfoAccess = OCSP - URI:http://ocsp.entrust.net
- Extension #4: crlDistributionPoints = URI:http://crl.entrust.net/level1a.crl
- Extension #5: certificatePolicies = Policy: 2.16.840.1.114028.10.1.2 CPS: http://www.entrust.net/cps User Notice: Explicit Text: The Entrust SSL Web Server Certification Practice Statement (CPS) available at www.entrust.net/cps is hereby inc orporated into your use or reliance on this Certificate. This CPS contains limitations on warranties and liabilities. Copyright (c) 2002 Entrust Limited
- Extension #6: authorityKeyIdentifier = keyid:7E:B7:FC:4C:26:E6:B0:7A:FB:54:E2:3C:45:73:C6
:43:90:5E:28:04 - Extension #7: subjectKeyIdentifier = 10:E0:70:1B:D7:78:17:32:B4:BA:EB:00:6A:E2:25:C3:67
:FC:77:1D - Extension #8: basicConstraints = CA:FALSE
- Extension #9: UNDEF = None (this is a bug in the cert. viewer)
The CA Browser Forum has published a standard for these certificate. So that's what we go by.
How do you tell this is an Extended Validation certificate? That's not in the CA Browser Forum's standard. It's dependent on the certificate issuer.
It's documented, on Entrust's web site "Each EV SSL Certificate issued by the Entrust EV SSL CA to a Subscriber contains an Object Identifier (OID) defined by the Entrust EV SSL CA in the certificate's certificatePolicies extension
... which by pre-agreement with Application Software Vendors, marks the certificate as being an EV SSL Certificate.The following OID has been registered by the Entrust EV SSL CA for inclusion in EV SSL Certificates: 2.16.840.1.114028.10.1.2"
That OID number appears in the middle of a comment in the certificatePolicies extension. So, for each issuer, you have to look for something different.
The certificate checker has to be really careful. To verify that a certificate is an Extended Validation certificate, it's not enough to find that OID. You have to make sure that the certificate was issued by the issuer entitled to use that OID. Otherwise, it's easy to forge these certificates.
But if you're too thorough in the checking, the certificate bounces. The whole point of an Extended Validation certificate is to validate the company's identity. So we have the new fields "serialNumber", "jurisdictionOfIncorporationStateOrProvinceName", and "jurisdictionOfIncorporationCo
-
Entrust's SSL certificate, and its problemsOK, here's Entrust's SSL certificate. Let's see what we've got.
Domain: www.entrust.com
Server identity:
CN = www.entrust.com
serialNumber = DOC:19961216
OU = it
O = Entrust Inc
jurisdictionOfIncorporationStateOrProvinceName = MD
jurisdictionOfIncorporationCountryName = US
L = Ottawa
ST = Ontario
C = CA
Issuer identity:
CN = Entrust Certification Authority - L1A
OU = (c) 2006 Entrust, Inc.
OU = www.entrust.net/CPS is incorporated by reference
OU = CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY
OU = AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE
O = Entrust, Inc.
C = US Certificate has 10 extensions.- Extension #0: keyUsage = Digital Signature, Key Encipherment
- Extension #1: privateKeyUsagePeriod = Not Before: Jan 12 13:57:28 2007 GMT, Not After: Jan 12 14:17:41 2009 GMT
- Extension #2: extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
- Extension #3: authorityInfoAccess = OCSP - URI:http://ocsp.entrust.net
- Extension #4: crlDistributionPoints = URI:http://crl.entrust.net/level1a.crl
- Extension #5: certificatePolicies = Policy: 2.16.840.1.114028.10.1.2 CPS: http://www.entrust.net/cps User Notice: Explicit Text: The Entrust SSL Web Server Certification Practice Statement (CPS) available at www.entrust.net/cps is hereby inc orporated into your use or reliance on this Certificate. This CPS contains limitations on warranties and liabilities. Copyright (c) 2002 Entrust Limited
- Extension #6: authorityKeyIdentifier = keyid:7E:B7:FC:4C:26:E6:B0:7A:FB:54:E2:3C:45:73:C6
:43:90:5E:28:04 - Extension #7: subjectKeyIdentifier = 10:E0:70:1B:D7:78:17:32:B4:BA:EB:00:6A:E2:25:C3:67
:FC:77:1D - Extension #8: basicConstraints = CA:FALSE
- Extension #9: UNDEF = None (this is a bug in the cert. viewer)
The CA Browser Forum has published a standard for these certificate. So that's what we go by.
How do you tell this is an Extended Validation certificate? That's not in the CA Browser Forum's standard. It's dependent on the certificate issuer.
It's documented, on Entrust's web site "Each EV SSL Certificate issued by the Entrust EV SSL CA to a Subscriber contains an Object Identifier (OID) defined by the Entrust EV SSL CA in the certificate's certificatePolicies extension
... which by pre-agreement with Application Software Vendors, marks the certificate as being an EV SSL Certificate.The following OID has been registered by the Entrust EV SSL CA for inclusion in EV SSL Certificates: 2.16.840.1.114028.10.1.2"
That OID number appears in the middle of a comment in the certificatePolicies extension. So, for each issuer, you have to look for something different.
The certificate checker has to be really careful. To verify that a certificate is an Extended Validation certificate, it's not enough to find that OID. You have to make sure that the certificate was issued by the issuer entitled to use that OID. Otherwise, it's easy to forge these certificates.
But if you're too thorough in the checking, the certificate bounces. The whole point of an Extended Validation certificate is to validate the company's identity. So we have the new fields "serialNumber", "jurisdictionOfIncorporationStateOrProvinceName", and "jurisdictionOfIncorporationCo
-
Re:We need certificates with teethSome relying party agreements, with notes:
- GeoTrust. No warranty. Certificate worthless. Reject.
- Entrust Disclaims all warranties. Certificate worthless. Reject.
- Pttrust This one is very funny. There are some notes at the bottom about links that need to be fixed up. But generally follows Verisign's approach, with warranties. Probably OK.
- DigiSign. Certificate quality varies. Some are validated, some aren't. Probably best to reject.
- Thawte Certificate quality varies. Only High Assurance certificates should be accepted.
-
BitPass trust and legal problemsBitPass has a prominent "Certified by Entrust" logo on their web site. It means very little. Read their certification practices statement, which guarantees almost nothing, disclaims liability for almost all cases, limits liability to $1000 per certificate (i.e. everybody scammed by one site), and even calls for the "relying party" (the customer) to indemnify Entrust.
This is even weaker than Verisign's lower class of SSL certificate. Verisign at least requires a Dun and Bradstreet number.
There are far better seal programs, such as the classic Good Housekeeping Seal of Approval. That's an actual warranty. "If a product bearing the Seal proves to be defective within two years of purchase, Good Housekeeping will replace the product or refund the purchase price." "Entrust" doesn't come anywhere near that.
Then there's the question of whether BitPass is a payment service or a reseller. iBill, for example, is a reseller. When you buy something through iBill, the actual "merchant" is iBill, and if you want a refund, you can get it through iBill's customer service operation. Getting it back from the site operator is iBill's problem, which is why they take a big cut and hold back payments for weeks.
BitPass doesn't seem to be set up that way. BitPass is, in a sense, "selling money" That may create problems. Credit card issuers don't allow merchants to "sell money"; that's a loan, which comes under banking laws. Also, the U.S. Government has a monopoly on money. Casinos in Las Vegas used to take each other's chips, but that was ruled to be a "currency" years ago, and they had to stop.
Worse, the BitPass site does not disclose the name and address of the business before asking for a credit card number. They've set things up so it's hard to get a refund. They don't disclose their refund policy. That's a criminal offense in California (B&P code 17538), where BitPass apparently is located. That's good for six months in jail. Here's the law, which is very specific, so sleazy operators can't hide the required info and claim they comply.
-
(d) A vendor conducting business through the Internet or any other
electronic means of communication shall do all of the following when
the transaction involves a buyer located in this state:
(1) Before accepting any payment or processing any debit or credit charge or funds transfer, the vendor shall disclose to the buyer in writing or by electronic means of communication, such as e-mail or an on-screen notice, the vendor's return and refund policy, the legal name under which the business is conducted and, except as provided in paragraph (3), the complete street address from which the business is actually conducted.
(2) If the disclosure of the vendor's legal name and address information required by this subdivision is made by on-screen notice, all of the following shall apply:
(A) The disclosure of the legal name and address information shall appear on any of the following: (i) the first screen displayed when the vendor's electronic site is accessed, (ii) on the screen on which goods or services are first offered, (iii) on the screen on which a buyer may place the order for goods or services, (iv) on the screen on which the buyer may enter payment information, such as a credit card account number, or (v) for nonbrowser-based technologies, in a manner that gives the user a reasonable opportunity to review that information. The communication of that disclosure shall not be structured to be smaller or less legible than the text of the offer of the goods or services.
(3) The complete street address need not be disclosed as required by paragraph (1) if the vendor utilizes
-
(d) A vendor conducting business through the Internet or any other
electronic means of communication shall do all of the following when
the transaction involves a buyer located in this state:
-
Entrust is a certificate vendor
Quick clarification: Entrust is now the #2 certificate vendor (behind the combined VeriSign/Thawte). You can buy certificates at Entrust.net.
Entrust doesn't resell Thawte certificates; it issues certificates that are chained to the Thawte root, but signed by the Entrust.net CA. In newer browsers (e.g. IE5) the Entrust.net root certificate is present so the Thawte root is not used. (Disclosure: I am an Entrust employee...)
-
Verisign bad, Entrust good
I use Netscape 3.04 instead of Netscape 4.X for technical reasons (unbearable bugs in Netscape 4.X). The Verisign CA in Netscape 3.04 (and earliest 4.X) expired Dec 31, 1999. I went to download a new CA certificate and found that none was available. An exchange of e-mail with tech support, after a couple rounds of trying to explain to them what I even wanted, their only excuse was "We only support Netscape 4, you should upgrade". AFAIC, if they "support" it, they should fix it (but they declined).
I went to the Entrust site to see if they might have a root CA certificate I could download. Bingo! They do!
Now tell me why a big resourceful company like Verisign is totally unable to build a root CA certificate for Netscape 3.04 while a little puny company like Entrust has the resources to pull it off (and even earlier versions).
And Verisign can't even get their web site to work without having to type in the "www." while most places, including Entrust and Slashdot can. -
Verisign bad, Entrust good
I use Netscape 3.04 instead of Netscape 4.X for technical reasons (unbearable bugs in Netscape 4.X). The Verisign CA in Netscape 3.04 (and earliest 4.X) expired Dec 31, 1999. I went to download a new CA certificate and found that none was available. An exchange of e-mail with tech support, after a couple rounds of trying to explain to them what I even wanted, their only excuse was "We only support Netscape 4, you should upgrade". AFAIC, if they "support" it, they should fix it (but they declined).
I went to the Entrust site to see if they might have a root CA certificate I could download. Bingo! They do!
Now tell me why a big resourceful company like Verisign is totally unable to build a root CA certificate for Netscape 3.04 while a little puny company like Entrust has the resources to pull it off (and even earlier versions).
And Verisign can't even get their web site to work without having to type in the "www." while most places, including Entrust and Slashdot can.