The Opera Rootstore

The Roots of Internet trust

New Roots, new EV, and a new Public Suffix file


The Opera Rootstore has been updated with several new Roots, a new CA has been EV-enabled, and a new file has been added to the Public Suffix repository.


Extended Validation:



New Roots:

  • AffirmTrust: This is a new US-based CA, headed by people who worked at GeoTrust before it was acquired by VeriSign. Test sites: 1, 2, 3
  • GoDaddy: This popular US ISP and CA has added 3 new EV-enabled Roots signed using SHA-256, a more secure signature method. Test sites: 1, 2, 3
  • Taiwan CA (TWCA): This CA is based in Taiwan. Test site
  • TrustCenter: This is a German CA that has been in Opera for a while. They have created two new Roots to take over when some of their older certificates expire in January 2011. Test sites are not yet available (this article will be updated when they are). Test sites: CA-1 and CA-3.
  • StartCom/StartSSL: This is a CA based in Israel which has gathered a following. We received quite a few requests to include it, and the wait is now over. Test site


AffirmTrust, GoDaddy and Taiwan CA were all added at the end of April, but due to problems with some of the test cases this announcement was delayed.


Public Suffix

  • To improve performance for the Public Suffix handling in upcoming versions, we have created a new file that collects all the specifications into a single file. This does not affect the existing files. The updated distribution (Mozilla Tri-License) version 1.2 is also available from our repository.


The new file is "all.tlds.xml", and it contains a "<tlds>..</tlds>" element containing multiple "<tld>..</tld>" elements. The draft describing the format has not yet been updated with this addition.


Comments

huxr Thursday, July 29, 2010 7:10:49 AM

Still sorely waiting year after year for the first and second most used CAs in Hungary.

Most secure websites use Netlock here, while e.g. the official e-government site recently switched to the other local CA, Microsec e-Szigno. (Which is, in itself, good, because they don't seem to be as negligent as Netlock.)

Talk about low Opera market share here! Most people are annoyed and intimidated by the security warnings on most secure sites, including most banks too. Most are unable to install the needed certificates manually. They may conclude that Opera is less secure than other browsers.

I'm a power user, but this issue annoys me even! (Having to manually get all the several types of certs and install them one by one on all new Opera installations. I was even too lazy to install Netlock on my Symbian S60 for use with Opera Mobile, because Netlock's downloadable certs are in a format that is not supported by S60!)

I have given up hope though. After all, David Storey reported more than a year ago that he is in talks with Netlock. And still no progress...

Yngve Nysæter Pettersen (yngve) Thursday, July 29, 2010 8:25:23 AM

Huxr: To be able to include a CA we need to receive and verify specific documents from and about the CA, see http://www.opera.com/docs/ca/ . At the moment we don't have those documents for Netlock, though we may have received electronic copies recently.

For reference, users can install a Root manually for CAs that they personally trust (remember to set the permission flags correctly).

Roman Kyrylych (rkyrylych) Thursday, July 29, 2010 8:49:40 AM

Please include support for CAcert (http://www.cacert.org/)
and support locally installed certificates on Linux (i.e. /etc/ssl/certs/)

z@h3k (ZAHEK) Thursday, July 29, 2010 9:18:43 AM

Good news. Thanks.

Yngve Nysæter Pettersen (yngve) Thursday, July 29, 2010 11:00:52 AM

Roman Kyrylych: To the best of my knowledge CAcert does not qualify, since they do not have a WebTrust or ETSI CA audit, or something that is equivalent. I am also not aware that any other browser vendor has embedded this CA, though it may be that some smaller distributions have.

If you choose to trust them, that is your choice.

huxr Thursday, July 29, 2010 1:22:03 PM

Yngve: Thanks for checking. I know the guidelines, but can a mere user (like me) do anything about this issue with little time and effort? I certainly cannot and would not want to do major volunteer evangelization and coordination for Opera, because I have more than enough tasks for myself nowadays.

At least it would be good if Opera Link could act as a "personal rootstore", saving the manually added certificates on the server, and pushing them to the other instances of Opera Desktop and Mobile (btw, does it use the Rootstore too?) of the same user. Opera Link is done through a secure channel, if I'm not mistaken.

huxr Thursday, July 29, 2010 1:29:51 PM

Btw, yes, of course, in an ideal world, users would be able to install the certs on their own. But reality is very different.

Anyway, I personally do not trust the certs that can be downloaded from the two Hungarian CAs' website *through plain HTTP*. Am I right on this stance?

So I exported the Netlock root certs from Firefox, and the Microsec ones from IE, because when I last checked, afaik, Firefox didn't have the latter ones.

But I expect that Joe next door will only go as far as dismissing Opera's security warnings, or setting it to remember the dismissal. Or switching to another browser if they know how.

Charles Schloss (Chas4) Thursday, July 29, 2010 7:06:56 PM

up
