Path: mv.asterisco.pt!mvalente
From: mvale…@ruido-visual.pt (Mario Valente)
Newsgroups: mv
Subject: 1000 Euro Firefox Bounty
Date: Sun, 01 Jul 07 22:16:21 GMT
Here’s a challenge for all you hackers out there,
with a 1000 Euro reward that the Portuguese Ministry
of Justice will pay for. You will be helping not only
Firefox, but also the new Portuguese ID card as well
as the national PKI and the Portuguese EU presidency.
How’s that for a CV entry?…
Here’s the problem.
Go to https://private.eu2007.pt/ using Internet Explorer,
Safari, Opera or any other browser. It should work in all
of them. The certificate is recognized and you get to the
login page.
Now go there with Firefox. You’ll get an error saying
that the certificate is not recognized, supposedly for
not being signed by a known authority. Which is false:
it works in other browsers and in those you can check
the certificate chain and verify that it is signed by
known CAs.
The problem would be admittedly related to Firefox not
implementing a subjective part of the standard, as you
can read in the following links:
http://blogs.msdn.com/larryosterman/archive/2004/06/04/148612.aspx
https://bugzilla.mozilla.org/show_bug.cgi?id=245609
But somehow that doesn’t seem enough to justify the problem.
First because it seems really stupid for Firefox not to
implement something that all other browsers implement and just
saying “let’s wait till the standard is clear”.
Second because it’s not a solution if you just say “reconfigure
the server and make sure that the intermediate certificate is
served”. The other browsers don’t need that.
Third because even if you install the certificates locally
in your browser, the problem continues. It seems to be
related to a possible problem with comparisons of fields
encoded in UTF-8 in one certificate and encoded in quoted
printable in others.
So, here’s the deal. If:
– you correctly identify what the actual problem is
– you provide a solution, whether in code or configuration,
that involves only Firefox
– you can provide a receipt for 1000 Euro
– you email me at mvalente@itij.mj.pt and I validate
your solution
… you get 1000 Euro in cash and singlehandedly prove
to Portuguese government and bureaucrats that the open
source community kicks ass. Gentlemen, start your engines…
— MV
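
The third point in the post suspects a comparison between name fields that are encoded differently in different certificates. As an added illustration (not part of the original post, and not Firefox code), this Python sketch shows how a byte-for-byte comparison of an issuer name fails to find the issuing CA when one certificate uses UTF8String and the other PrintableString, while a comparison of the decoded text succeeds. It assumes "quoted printable" refers to the ASN.1 PrintableString type; all names and values are constructed.

```python
import unicodedata
# Added illustration; all names and values below are constructed samples.
UTF8_STRING, PRINTABLE_STRING = 0x0C, 0x13      # ASN.1 universal string tags
OID_CN = bytes.fromhex("0603550403")            # DER of OID 2.5.4.3 (commonName)

def tlv(tag, body):
    """DER tag-length-value, short-form length only (body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form lengths are not handled in this sketch")
    return bytes([tag, len(body)]) + body

def encode_cn(text, string_tag):
    """DER Name holding one commonName attribute of the given string type."""
    codec = "utf-8" if string_tag == UTF8_STRING else "ascii"
    atv = tlv(0x30, OID_CN + tlv(string_tag, text.encode(codec)))
    return tlv(0x30, tlv(0x31, atv))            # SEQUENCE { SET { SEQUENCE } }

def decode_cn(name_der):
    """Return (string_tag, text) for a Name built by encode_cn."""
    pos = 6 + len(OID_CN)                       # skip three 2-byte headers + OID
    tag, length = name_der[pos], name_der[pos + 1]
    # ASCII is a subset of UTF-8, so one codec decodes both string types here.
    return tag, name_der[pos + 2:pos + 2 + length].decode("utf-8")

def match_bytewise(a, b):
    """Strict matcher: the two DER encodings must be identical."""
    return a == b

def match_decoded(a, b):
    """Lenient matcher: compare decoded text, case-folded, whitespace collapsed."""
    def norm(der):
        text = unicodedata.normalize("NFKC", decode_cn(der)[1])
        return " ".join(text.casefold().split())
    return norm(a) == norm(b)

def find_issuer(issuer_name, ca_subjects, matcher):
    """Index of the first CA subject matching the leaf's issuer, else None."""
    for i, subject in enumerate(ca_subjects):
        if matcher(issuer_name, subject):
            return i
    return None

# Leaf names its issuer as UTF8String; the CA's own subject is PrintableString.
LEAF_ISSUER = encode_cn("Example Issuing CA", UTF8_STRING)
CA_SUBJECTS = [encode_cn("Example Other CA", PRINTABLE_STRING),
               encode_cn("Example Issuing CA", PRINTABLE_STRING)]

if __name__ == "__main__":
    for m in (match_bytewise, match_decoded):
        print(m.__name__, find_issuer(LEAF_ISSUER, CA_SUBJECTS, m))
```

With the strict matcher the issuer lookup comes back empty even though the CA certificate is present, which a user would see as an "unknown authority" error.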