Fossa Team has updated Fossa Guard to V0.2.2 following reports from our users that the extension hangs while working with certificates issued by cacert.org.
A short investigation of the Certificate Revocation Lists (CRLs) listed at https://isc.sans.edu/crls.html showed that CAcert's CRL is the biggest one, around 8 MB.
It contains certificates revoked since 2002, which only makes sense if certificates have been issued with 14+ year lifetimes and a high probability of being revoked.
Unfortunately it is not practical to handle such big CRLs in the browser, so we limited the size of supported CRLs to 512 KB to avoid time-consuming download and decoding.
So there is clearly a strong case for implementing Online Certificate Status Protocol (OCSP) support in future versions of Fossa Guard, making it possible to check a single certificate for revocation instead of downloading a whole list.
In V0.2.1 Fossa Guard changed its certificate validation procedure by integrating a new crypto library.
The new certificate validation mechanism checks the full certificate chain up to the Root certificate (which must be in the list of trusted certificates) against the corresponding Certificate Revocation Lists (CRLs).
A CRL management mechanism was therefore introduced so that the new certificate validation can perform a full validity check.
On each certificate validation, Fossa Guard checks the freshness of all CRLs referenced by the CRL distribution points in the certificate and in the trusted certificates.
CRLs whose validity period has expired are downloaded using the Fetch API and stored in local storage.
The stored CRLs are then passed to the certificate validation routine inside the crypto library.
Please note that from V0.2.1, because of CRL support, Fossa Guard requires permission to download files from all sites.
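As an added example (not Fossa Guard's own code), the following shows the two pieces of the CRL handling described in the two posts above: a freshness check against the CRL's nextUpdate, and a download that stops as soon as the 512 KB cap is exceeded so an 8 MB list never reaches the DER decoder. The fetchImpl parameter and the URLs in the comments are assumptions so the logic can run offline against a constructed Response.

```javascript
// Added example, not Fossa Guard's own code. fetchImpl is a hypothetical
// injected parameter so the logic can be exercised offline.
const MAX_CRL_BYTES = 512 * 1024; // the cap from the V0.2.2 post

// A stored CRL is kept with its RFC 5280 nextUpdate; it is stale once that
// time has passed, or when nothing has been stored yet.
function crlNeedsRefresh(stored, now = new Date()) {
  if (!stored || !stored.nextUpdate) return true;
  return new Date(stored.nextUpdate).getTime() <= now.getTime();
}

// Download a CRL but give up as soon as it exceeds maxBytes, both when the
// server announces the size up front and when it streams an unannounced body.
async function fetchCrlBounded(url, fetchImpl = fetch, maxBytes = MAX_CRL_BYTES) {
  const controller = new AbortController();
  const res = await fetchImpl(url, { signal: controller.signal });
  if (!res.ok) return { ok: false, reason: `http-${res.status}` };
  if (!res.body) return { ok: false, reason: 'empty' };
  // Fast path: reject an oversized body before reading a single byte.
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    controller.abort();
    return { ok: false, reason: 'too-large', bytes: declared };
  }
  // Slow path: stream and stop the moment the cap is crossed.
  const reader = res.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel();
      controller.abort();
      return { ok: false, reason: 'too-large', bytes: received };
    }
    chunks.push(value);
  }
  // Reassemble the accepted chunks into one DER buffer for the decoder.
  const der = new Uint8Array(received);
  let offset = 0;
  for (const chunk of chunks) { der.set(chunk, offset); offset += chunk.byteLength; }
  return { ok: true, der };
}
```

In the extension the returned DER would be handed to the crypto library and stored in local storage together with its nextUpdate, which is what crlNeedsRefresh compares on the next validation.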
Fossa Guard V0.2.1 is now available and brings users new certificate management capabilities:
Certificate re-enrollment made as simple as possible, reusing the existing key pair and passphrase: once your current free certificate (limited to 3 months) expires, you can easily renew it and continue S/MIME mailing while keeping the ability to read your old emails.
Certificate Revocation List (CRL) support, allowing you to explicitly revoke any of your certificates issued by the Fossa.me server. A revoked certificate will no longer pass certificate validation. The CRL is updated every hour on the Fossa.me server, so your recipients can become aware of the revocation within 1 hour of you revoking your certificate on the server.
Note that the certificate validation mechanism has also been changed to fully support CRLs, including downloading and refreshing the lists of revoked certificates for all certificates in the extension.
There are also several improvements and bug fixes:
Signed messages now include the Fossa Root F1 and Fossa Authority F2 certificates as well, helping third-party clients easily build the full Fossa certificate chain.
The certificate import mechanism has been improved so that the extension detects CA certificates and proposes the corresponding storage, providing a certificate preview with SHA-1 / SHA-256 fingerprints.
Fossa.me has received an update that introduces CRL support for the Fossa.Me Authority F2 Certification Authority. A CRL (Certificate Revocation List) is a list of revoked certificates (more precisely, their serial numbers); users presenting those previously revoked certificates are no longer trusted. Fossa.Me Authority F2 implements CRLs in accordance with RFC 5280. The CRL is issued every hour. Fossa.me also provides a way for an authorized and authenticated user to revoke one of his/her own certificates on the web page. In addition, new users will now receive an e-mail containing details about the issued certificate and its validity dates.
With this terms update Fossa Team would like to explicitly state that the Fossa Guard extension keeps the private key within the User's Google account space and does not transfer or copy it anywhere else in any form.
The User's private key is packaged into a PKCS#12 archive secured by a passphrase. Each use of the private key is preceded by a popup asking the User for the passphrase.
The Fossa.me server keeps a registry of all issued certificates associated with the User's public information from their Google account. This helps to identify and validate recipients with Fossa certificates during mailing.
Fossa Team reserves the right to revoke an issued Fossa certificate in the case of law enforcement appeals or judicial decisions.
Do not hesitate to share your opinion, questions or advice on the terms update below.
Fossa Team has released a beta version of Fossa Guard, an extension for Chrome which enables S/MIME mailing on top of Gmail. Fossa Guard has an autonomous Compose / View dialog to avoid auto-saving of plaintext content, and provides mail signing and encryption based on X.509 certificates issued by the Fossa.Me service. Attachments are supported as well, though limited to 100KB each. Certificates are associated with Google Chrome accounts and are free for public use for 3 months (beta limitation). Fossa Guard is supplied with a certificate enrollment wizard (via CSR / PKCS#10) and import / export of third-party trusted / endpoint certificates in DER/PEM formats. The private key resides in a passphrase-protected PKCS#12 archive in Chrome sync storage alongside the other certificates, which guarantees synchronization between a user's multiple computers. Check out the YouTube how-to videos