Bug 1011182: Add "S-TRUST Universal Root CA" root certificate
Status: RESOLVED FIXED (Opened 10 years ago, Closed 9 years ago)
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
People: Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson
Details: Whiteboard: In NSS 3.18, Firefox 38
Attachments: 4 files
From S-Trust (DSV Gruppe): We created a new S-TRUST root certificate and want to include it in the NSS root certificate store.
Certificate name: S-TRUST Universal Root CA
Certificate location: https://www.s-trust.de/service_support/signaturkarten/download_wurzelzertifikate/qual_angezeigt_akkreditiert/index.htm
Fingerprint: 1b 3d 11 14 ea 7a 0f 95 58 54 41 95 bf 6b 25 82 ab 40 ce 9a
Pointer to Certificate Practice Statement: www.s-trust.de/stn-cps
Third party audits: ETSI TS 102 042
Can you please create a bug for the inclusion of the S-TRUST root certificate in the NSS program.
Assignee
Updated•10 years ago
Status: NEW → ASSIGNED
Assignee
Comment 1•10 years ago
Alexandru, Please provide the information listed here: https://wiki.mozilla.org/CA:Information_checklist
Whiteboard: Information incomplete
Comment 2•10 years ago
Dear Kathleen, please find attached the information checklist.
Comment 3•10 years ago
Assignee
Comment 4•10 years ago
Thanks for the information. Can you attach a sample/test certificate to this bug?
Comment 5•10 years ago
Hi Kathleen, this is an active end-user certificate. Best regards, Alexandru
Assignee
Comment 6•10 years ago
Assignee
Comment 7•10 years ago
This request has been added to the queue for public discussion. https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: Information incomplete → Information confirmed complete
Assignee
Comment 8•10 years ago
I am now opening the first public discussion period for this request from DSV Gruppe to include the SHA-256 “S-TRUST Universal Root CA” root certificate and enable the Email trust bit.

DSV Gruppe’s SHA-1 “S-TRUST Authentication and Encryption Root CA 2005:PN” root certificate was included in NSS via Bugzilla Bug #370627.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum. https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “DSV Gruppe Root Renewal Request”.

Please actively review, respond, and contribute to the discussion. A representative of DSV Gruppe must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In Public Discussion
Assignee
Comment 9•10 years ago
Assignee
Comment 10•10 years ago
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]. I am not aware of instances where Deutscher Sparkassen Verlag GmbH (DSV-Gruppe, S-TRUST) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy]. S-TRUST appears to provide a service relevant to Mozilla users. It provides all customers of the German Savings Bank Financial Group with client-certificates for his/her signature enabled debit card (smartcard). The German Financial Group consists of 463 Savings banks with about 17000 branches.

Below is a summary of the root certificate that was evaluated for this request. Based on this assessment I intend to approve this request as stated below.

=== Root Certificate 1 of 1 ===
Subject: Include S-TRUST Universal Root CA
Root Certificate Name: S-TRUST Universal Root CA
O From Issuer Field: Deutscher Sparkassen Verlag GmbH
Trust Bits: Email
EV Policy OID(s): Not applicable
Root Certificate Download URL: https://www.s-trust.de/ablage_download_dokumente/ablage_zertifikate/S-TRUST_Universal_Root_CA1.cer
Certificate Summary: This SHA-256 root will eventually replace DSV Gruppe’s SHA-1 "S-TRUST Authentication and Encryption Root CA 2005:PN" root certificate, which was included in NSS via Bugzilla Bug #370627.
CPS: https://www.s-trust.de/stn-cps
Certificate Revocation
CRL URL(s): http://crl.s-trust.de/public/offlineCA/DeutscherSparkassenVerlagGmbHS-TRUSTUniveralRootCA/LatestCRL.crl
OCSP URL(s): None

Inclusion Policy Section 7 [Validation]. S-TRUST appears to meet the minimum requirements for subscriber verification, as follows.
* SSL Verification Procedures: Not requesting Websites trust bit.
* Email Verification Procedures: According to section 2.4.2.2 of the CPS the proof of email ownership occurs by means of a personal code, which is sent to the applicant via the email address specified in the certificate. The download process can only be completed using this emailed verification code.
* Code Signing Subscriber Verification Procedure: Not requesting Code Signing trust bit.

Inclusion Policy Sections 11-14 [Audit]. Annual audits are performed by TUVIT, according to the ETSI TS 102 042 criteria.
Audit Statement: https://www.tuvit.de/data/content_data/tuevit_en/6744UE_s.pdf

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: 1 subCA is internally operated -- S-TRUST Authentication and Encryption Class 3 CA
Externally Operated SubCAs: No externally operated CAs.
Cross Signing: No issuance of Cross-Signing certificates

CA’s Response to Mozilla’s list of Potentially Problematic Practices: No issuance of SSL certificates. No Domain Delegation / no E-Mail Validation delegated to third parties.
Whiteboard: In Public Discussion → Pending Approval
Assignee
Comment 11•9 years ago
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from DSV-Gruppe (S-TRUST) to include the following root certificate:
** “S-TRUST Universal Root CA” (email)
I will file the NSS bug for the approved changes.
Whiteboard: Pending Approval → Approved - awaiting NSS changes
Assignee
Comment 12•9 years ago
I have filed bug #1118079 for the actual changes.
Assignee
Updated•9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS changes → In NSS 3.18, Firefox 38
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program