Closed Bug 204839 Opened 21 years ago Closed 19 years ago

Add TDC OCES CA certificate to builtin certificates

Categories

(CA Program :: CA Certificate Root Program, task, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bugzilla, Assigned: hecker)

References

()

Details

Attachments

(2 files)

TDC is the largest danish ISP. They are also providing free Certificates to all danish citizens. it would be sooo cool if their root CA certificat was installed in Mozilla as default.
AFAIK, all requests to add CA certs to mozilla/Netscape are decided by 
ssaux@netscape.com.  Stephane, if you decide we should do this, please
assign a target NSS release and raise the priority.  THanks.
Assignee: wtc → ssaux
Priority: -- → P3
Hardware: PC → All
Representatives of this CA should contact me directly.
Stephane: Does root cert inclusion in Mozilla also have the $150.000 Engineering Fee or is that for Netscape only?
I would not ask Mozilla users to trust this (or any other certificate authority)
without some assurance (beyond self assertions) that its practices do indeed
meet the standards generally advocated for CAs.  Not speaking Danish, I cannot
find any indication on TDC's Web site of a third-party accreditation of TDC's
practices.  While two other CAs operating in Denmark have WebTrust seals, TDC
does not.  

This illustrates the need for a clear policy as requested in bug #233453.  
Assignee: ssaux → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
Assignee: hecker → hecker
First, I need a clarification: TDC apparently operates at least four separate
CAs: TDC OCES CA, Certificate Hotel II CA, TDC Internet Class II CA, and TDC
Internet Kvalificeret ["qualified"?] CA. Is the request to include a root
certificate only for the TDC OCES CA, not for the other CAs?

Second, I did find some information in English describing certificate policies,
certification practices; see my draft CA list at
<http://www.hecker.org/mozilla/ca-certificate-list/> for references. (The
English versions are available only in Microsoft Word format, unfortunately.)
However the Certification Practice Statement in English is version 1.2, and the
current 2.0 version of the CPS is apparently available only in Danish. Also the
Certificate Policies in English are not complete; there are additional CPs in
Danish that are not available in English translation.

Finally, as David Ross notes TDC doesn't appear to have been audited by WebTrust
(or by any other independent auditor, for that matter).

I am not going to do anything further with this request until I have more
information.



And as David Ross noted they do 
Status: NEW → ASSIGNED
TDC is in the process of getting a WebTrust accreditation on various TDC CA's 
and the published CP's and CPS will be updated.


The three CA's of current interest are

TDC OCES CA
A PKI with 150.000+ users and approx. 1000 new user each day. This CA 
accreditated and issues certificates according CP's published by the National 
Danish IT and Telecom Agency. In short the certificates are issued based on PIN-
letters send to users postal address registered by public authorities. The CA 
is audited by an independent auditor.

TDC Internet Kvalificeret CA
Yes, this is a qualified CA according to the danish law on electronic 
signatures (an implementation of the EU directive). This PKI isn't very large 
yet due the difficult registration process (physical presence). The CA is 
audited by an independent auditor.

TDC Internet Root CA
This CA is a PCA only isssuing certs to TDC SubCA's. This CA is the process of 
being audited by an independent auditor.

As you might sense the most important CA for the time being is TDC OCES CA. I 
suggest that the Danish IT and Telecom Agency is contacted in order to verify 
that TDC is in fact compliant with the official CP's. Contact in the agency 
will probably be Charlotte Jacoby, cj(a)itst.dk.

Peter Lind Damkjaer
TDC
Frank: We're very keen on getting the TDC OCES certs into Mozilla. What is
needed by us and is there anything that you're missing that we can provide.
Getting the TDC OCES root cert into Mozilla could help us making the Mozilla
markedshare bigger in Denmark.
I think gemal changed the URL by mistake. Please fix.

Here are a few additional showstoppers concerning Mozilla's marketshare in
Denmark in relation to the push for the national TDC-certificates:
http://bugzilla.mozilla.org/show_bug.cgi?id=243738
http://bugzilla.mozilla.org/show_bug.cgi?id=217305
Frank or Nelson:
What's missing before we can add TDC OCES to the NSS? I really like to get on
with this bug. I'm working for TDC and can there help if you need more info
about the TDC OCES root cert.
(In reply to comment #9)
> Frank or Nelson:
> What's missing before we can add TDC OCES to the NSS? I really like to get on
> with this bug. I'm working for TDC and can there help if you need more info
> about the TDC OCES root cert.

My apologies for the delay in responding. I think the most important task is to
get more information about independent audits of TDC CAs. (For example, Peter
Lind Damkjaer mentioned that the Danish IT and Telecom Agency had done an
audit.) In particular, are any documents related to these audits publicly
available on the web? If not, could they be made publicly available?

Note that under our interim policy I am approving only WebTrust-audited CAs, and
as I understand it TDC has not yet completed a WebTrust audit. However I am
willing to consider other approving CA based on the results of other independent
audits, along the lines of Microsoft's policy of accepting "WebTrust-equivalent"
audits; this is something I will bring up in the n.p.m.crypto newsgroup in the
next couple of days.
(In reply to comment #10)
> My apologies for the delay in responding. I think the most important task is 
to
> get more information about independent audits of TDC CAs. (For example, Peter
> Lind Damkjaer mentioned that the Danish IT and Telecom Agency had done an
> audit.) In particular, are any documents related to these audits publicly
> available on the web? If not, could they be made publicly available?
> Note that under our interim policy I am approving only WebTrust-audited CAs, 
and
> as I understand it TDC has not yet completed a WebTrust audit. However I am
> willing to consider other approving CA based on the results of other 
independent
> audits, along the lines of Microsoft's policy of accepting "WebTrust-
equivalent"
> audits; this is something I will bring up in the n.p.m.crypto newsgroup in 
the
> next couple of days.

We are very close of getting the WebTrust accreditation (hopefully we speaking 
days), so let us take it from there.

We also gets the WebTrust accreditation on a Primary CA (TDC Internet Root CA) 
so we would very much like this to be included as well.

I'll return when the WebTrust formalities are in place.

Best regards
Peter Lind Damkjaer
TDC Solutions
(In reply to comment #11)
The CA's now have received the WebTrust seal:
https://cert.webtrust.org/ViewSeal?id=374

The root certificates mentioned in Comment #11 are attached!

What are the procedures for checking the validity of the root certificates ? I
can be reached in danish daytime from TDC's official number +45 8080 8080 if
sha-1 validation should be done.

Is it possible to include the root certificates in the upcoming final version?

Best regards
Peter Lind Damkjaer
TDC Solutions

(In reply to comment #14)
> (In reply to comment #11)
> The CA's now have received the WebTrust seal:
> https://cert.webtrust.org/ViewSeal?id=374

Congratulations on completing the WebTrust audit process!

> The root certificates mentioned in Comment #11 are attached!
> 
> What are the procedures for checking the validity of the root certificates ? I
> can be reached in danish daytime from TDC's official number +45 8080 8080 if
> sha-1 validation should be done.

Usually I do a quick validation of the certificates by trying to load them into
Mozilla. The NSS developers also do some checks when I file a bug to have the
certificates actually added to the NSS library. If I have a problem loading the
certificates I'll put a note in this bug report.

Note that I maintain a CA list at

  http://www.hecker.org/mozilla/ca-certificate-list

and reference URLs for the various CA certificates. I have one TDC certificate
there, but am missing the other. Could you provide me with a URL for the other
certificate? Also, could you confirm that the certificates referenced at the
URLs are the same certificates you're attaching to this bug report? (I can check
this too, of course.)

> Is it possible to include the root certificates in the upcoming final version?

I presume that by "upcoming final version" you mean Firefox 1.0. Unfortunately
it is now too late to add any more CA certificates to Firefox 1.0. Adding a CA
certificate currently requires adding the certificate to NSS, producing a new
NSS release, and then incorporating that NSS release into the Mozilla, Firefox,
and Thunderbird code. The NSS developers have already done this, and there is
not time to do it again prior to release of Firefox 1.0.
>>What are the procedures for checking the validity of the root certificates ? I
>>can be reached in danish daytime from TDC's official number +45 8080 8080 if
>>sha-1 validation should be done.
> 
> Usually I do a quick validation of the certificates by trying to load them 
> into Mozilla. 

Frank, I think Peter was asking "what procedures check that these are the real
certs for the right CA, and not certs from some impostor?"  He was proposing
that we could check cert fingerprints with him by phone, and he gave a phone
number.  Of course, if he was an impostor (not the proper spokesperson for 
that CA), calling the number he gave us would not detect that.  So, if we 
want to be duely dilligent, we would find some way to contact the CA based 
on info from an independent source and channel.  

Frank, perhaps we need to put into place some well-defined procedure that 
we will follow to perform such verification in the future.

For now, I will leave this burden on Frank.  If Frank tells me, in a signed
email, that the cert with fingerprint XXXXX is the right one, I will use it.

Also, separately, there is a suggestion/RFE to make the root CA list a 
separately releasable component, so that a new release of it can be made 
without a full new release of NSS (which involves MUCH QA).  I don't know
if there's a bugzilla bug for that idea, but I support it.
Sorry, Nelson, I was being a bit stupid. I'll think about this issue some more
when I have time, but here are my thoughts right now: Traditionally I have used
the CA certificates directly from the CA's web site, as opposed to checking
certificates attached to Bugzilla reports. In effect I've been relying on the
security of DNS (such as it is) and the fact that a CA would presumably notice
if its site had been hacked and its root certificates replaced.

Regarding doing certificate fingerprint checks by phone, as you note this would
require some additional measures, for example looking up the needed phone number
on the CA's web site (subject to the same security concerns noted in the
previous paragraph) or finding the number through the phone company's directory
assistance service.

Relying on signed email might be doable, but obviously the CA personnel would
have to use email certs issued by some other already-approved CA, otherwise the
scheme falls apart a bit.
(In reply to comment #16)
> Frank, I think Peter was asking "what procedures check that these are the real
> certs for the right CA, and not certs from some impostor?"  He was proposing
> that we could check cert fingerprints with him by phone, and he gave a phone
> number.  Of course, if he was an impostor (not the proper spokesperson for 
> that CA), calling the number he gave us would not detect that.  So, if we 
> want to be duely dilligent, we would find some way to contact the CA based 
> on info from an independent source and channel.  

That's exactly what was on my mind. Actually the number (+45 8080 8080) can be 
verified to be the main phone number of TDC. It can be check in several 
international yellowpages (e.g. http://www.wayp.com/).

Note that this links to two different danish service providers (one of them is 
in fact TDC). "Phone number" in danish is "Telefonnummer" or apprev. "Tlf.nr.".

As an alternative I suggest that you can get a snail-mail from the Danish 
National IT- and Telecom Agency with information on the SHA-1 fingerprints. If 
this is an acceptable way to do it, please let me know the name and snail-mail 
address of the recipient.

Best regards
Peter Lind Damkjaer
TDC
(In reply to comment #16)
> >>What are the procedures for checking the validity of the root 
certificates ? I
> >>can be reached in danish daytime from TDC's official number +45 8080 8080 if
> >>sha-1 validation should be done.
> > 
> > Usually I do a quick validation of the certificates by trying to load them 
> > into Mozilla. 
> Frank, I think Peter was asking "what procedures check that these are the real
> certs for the right CA, and not certs from some impostor?"  He was proposing
> that we could check cert fingerprints with him by phone, and he gave a phone
> number.  Of course, if he was an impostor (not the proper spokesperson for 
> that CA), calling the number he gave us would not detect that.  So, if we 
> want to be duely dilligent, we would find some way to contact the CA based 
> on info from an independent source and channel.  
> Frank, perhaps we need to put into place some well-defined procedure that 
> we will follow to perform such verification in the future.
> For now, I will leave this burden on Frank.  If Frank tells me, in a signed
> email, that the cert with fingerprint XXXXX is the right one, I will use it.
> Also, separately, there is a suggestion/RFE to make the root CA list a 
> separately releasable component, so that a new release of it can be made 
> without a full new release of NSS (which involves MUCH QA).  I don't know
> if there's a bugzilla bug for that idea, but I support it.

Frank: what's the status here? We missed Firefox 1.0 but we relly dont want to
miss Thunderbird 1.0.

Is there anything you need from our side?
My apologies for the delay; I've been on vacation the past few days. Here's what
I will do: 1. Call Peter Lind Damkjaer to verify fingerprints on the certs. 2.
Formally approve TDC in this bug. 3. File a new bug against Nelson to add the
certs. I will try to get all three things done today.

I've also separately sent an email to TB and MF folks to ask about getting new
certs into Thunderbird 1.0. I'm guessing that this may be difficult given the
timeframe for 1.0 release, but others know more than I about this.
I had a phone conversation with Peter Lind Damkjaer of TDC and verified the
following SHA-1 fingerprints for their root CA certs as attached to bug 204839:

TDC ODES:
  87 81 C2 5A 96 BD C2 FB 4C 65 06 4F F9 39 0B 26 04 8A 0E 01

TDC Internet:
  21 FC BD 8E 7F 6C AF 05 1B D1 B3 43 EC A8 E7 61 47 F2 0F 8A

Based on the WebTrust audit of TDC (noted above) I'm formally approving these
certificates for inclusion in Mozilla, etc., and will file a bug to have them
added to NSS.

[I sent the above in a signed email to Nelson Bolyard per his request in a
previous comment.]
Depends on: 271551
Filed bug 271551 to get the certificates added to NSS, and marked that bug as
blocking this one. Any further technical questions and comments should be added
to bug 271551. And to repeat: I don't know exactly when these certificates will
be including in a shipping release of Mozilla, Firefox, or Thunderbird; in
particular, I don't know if it will be possible to include these certificates in
Thunderbird 1.0.
Frank,

Nelson has added these root CA certs to NSS.  So
you can mark this bug fixed now.

You might want to remove bug 233453 as a dependency
of this bug.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed.
Also removing bugs 233453 and 271551 as dependencies.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
No longer depends on: 233453, 271551
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.