Closed Bug 1011182 Opened 10 years ago Closed 9 years ago

Add "S-TRUST Universal Root CA" root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

Details

(Whiteboard: In NSS 3.18, Firefox 38)

From S-Trust (DSV Gruppe):

We created a new S-TRUST root certificate and want to include it in the NSS root certificate store.

Certificate name: S-TRUST Universal Root CA

Certificate location:  https://www.s-trust.de/service_support/signaturkarten/download_wurzelzertifikate/qual_angezeigt_akkreditiert/index.htm

Fingerprint: 1b 3d 11 14 ea 7a 0f 95 58 54 41 95 bf 6b 25 82 ab 40 ce 9a

Pointer to Certificate Practice Statement: www.s-trust.de/stn-cps

Third party audits: ETSI TS 102 042        

Can you please create a bug for the inclusion of the S-TRUST root certificate in the NSS program?
Status: NEW → ASSIGNED
Alexandru, please provide the information listed here:
https://wiki.mozilla.org/CA:Information_checklist
Whiteboard: Information incomplete
Dear Kathleen,

Please find attached the information checklist.
Thanks for the information. Can you attach a sample/test certificate to this bug?
Hi Kathleen, this is an active end-user certificate. Best regards, Alexandru
This request has been added to the queue for public discussion. 
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: Information incomplete → Information confirmed complete
I am now opening the first public discussion period for this request from DSV Gruppe to include the SHA-256 “S-TRUST Universal Root CA” root certificate and enable the Email trust bit. DSV Gruppe’s SHA-1 “S-TRUST Authentication and Encryption Root CA 2005:PN” root certificate was included in NSS via Bugzilla Bug #370627.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “DSV Gruppe Root Renewal Request”.

Please actively review, respond, and contribute to the discussion.

A representative of DSV Gruppe must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In Public Discussion
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]. I am not aware of instances where Deutscher Sparkassen Verlag GmbH (DSV-Gruppe, S-TRUST) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy]. S-TRUST appears to provide a service relevant to Mozilla users. It provides all customers of the German Savings Bank Financial Group with client certificates for their signature-enabled debit cards (smartcards). The German Financial Group consists of 463 Savings banks with about 17000 branches.

Below is a summary of the root certificate that was evaluated for this request.

Based on this assessment I intend to approve this request as stated below.

=== Root Certificate 1 of 1 ===
	 
Subject: Include S-TRUST Universal Root CA

Root Certificate Name: S-TRUST Universal Root CA
O From Issuer Field: Deutscher Sparkassen Verlag GmbH
Trust Bits: Email
EV Policy OID(s): Not applicable

Root Certificate Download URL: https://www.s-trust.de/ablage_download_dokumente/ablage_zertifikate/S-TRUST_Universal_Root_CA1.cer

Certificate Summary: This SHA-256 root will eventually replace DSV Gruppe’s SHA-1 "S-TRUST Authentication and Encryption Root CA 2005:PN" root certificate, which was included in NSS via Bugzilla Bug #370627.

CPS: https://www.s-trust.de/stn-cps

Certificate Revocation
CRL URL(s): http://crl.s-trust.de/public/offlineCA/DeutscherSparkassenVerlagGmbHS-TRUSTUniveralRootCA/LatestCRL.crl
OCSP URL(s): None

Inclusion Policy Section 7 [Validation]. S-TRUST appears to meet the minimum requirements for subscriber verification, as follows.

* SSL Verification Procedures: Not requesting Websites trust bit.

* Email Verification Procedures: According to section 2.4.2.2 of the CPS the proof of email ownership occurs by means of a personal code, which is sent to the applicant via the email address specified in the certificate. The download process can only be completed using this emailed verification code.

* Code Signing Subscriber Verification Procedure: Not requesting Code Signing trust bit.

Inclusion Policy Sections 11-14 [Audit]. Annual audits are performed by TUVIT, according to the ETSI TS 102 042 criteria.
Audit Statement: https://www.tuvit.de/data/content_data/tuevit_en/6744UE_s.pdf

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: 1 subCA is internally operated -- S-TRUST Authentication and Encryption Class 3 CA
Externally Operated SubCAs: No externally operated CAs.
Cross Signing: No issuance of Cross-Signing certificates

CA’s Response to Mozilla’s list of Potentially Problematic Practices: 
No issuance of SSL certificates. No Domain Delegation / no E-Mail Validation delegated to third parties.
Whiteboard: In Public Discussion → Pending Approval
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from DSV-Gruppe (S-TRUST) to include the following root certificate:

** “S-TRUST Universal Root CA” (email)

I will file the NSS bug for the approved changes.
Whiteboard: Pending Approval → Approved - awaiting NSS changes
Depends on: 1118079
I have filed bug #1118079 for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS changes → In NSS 3.18, Firefox 38
Product: mozilla.org → NSS
Product: NSS → CA Program