Closed Bug 204839 Opened 22 years ago Closed 20 years ago

Add TDC OCES CA certificate to builtin certificates

Categories

(CA Program :: CA Certificate Root Program, task, P3)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: bugzilla, Assigned: hecker)

References

(
URL
)

Details

Attachments

(2 files)

TDC OCES Root Certificate (base64 encoded)
1.82 KB, text/plain
Details
TDC Internet Root CA (base64 encoded)
1.49 KB, text/plain
Details
TDC is the largest danish ISP. They are also providing free Certificates to all danish citizens. it would be sooo cool if their root CA certificat was installed in Mozilla as default.
AFAIK, all requests to add CA certs to mozilla/Netscape are decided by ssaux@netscape.com. Stephane, if you decide we should do this, please assign a target NSS release and raise the priority. THanks.
Assignee: wtc → ssaux
Priority: -- → P3
Hardware: PC → All
Representatives of this CA should contact me directly.
Stephane: Does root cert inclusion in Mozilla also have the $150.000 Engineering Fee or is that for Netscape only?
I would not ask Mozilla users to trust this (or any other certificate authority) without some assurance (beyond self assertions) that its practices do indeed meet the standards generally advocated for CAs. Not speaking Danish, I cannot find any indication on TDC's Web site of a third-party accreditation of TDC's practices. While two other CAs operating in Denmark have WebTrust seals, TDC does not. This illustrates the need for a clear policy as requested in bug #233453.
Assignee: ssaux → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
Assignee: hecker → hecker
First, I need a clarification: TDC apparently operates at least four separate CAs: TDC OCES CA, Certificate Hotel II CA, TDC Internet Class II CA, and TDC Internet Kvalificeret ["qualified"?] CA. Is the request to include a root certificate only for the TDC OCES CA, not for the other CAs? Second, I did find some information in English describing certificate policies, certification practices; see my draft CA list at <http://www.hecker.org/mozilla/ca-certificate-list/> for references. (The English versions are available only in Microsoft Word format, unfortunately.) However the Certification Practice Statement in English is version 1.2, and the current 2.0 version of the CPS is apparently available only in Danish. Also the Certificate Policies in English are not complete; there are additional CPs in Danish that are not available in English translation. Finally, as David Ross notes TDC doesn't appear to have been audited by WebTrust (or by any other independent auditor, for that matter). I am not going to do anything further with this request until I have more information. And as David Ross noted they do
Status: NEW → ASSIGNED
TDC is in the process of getting a WebTrust accreditation on various TDC CA's and the published CP's and CPS will be updated. The three CA's of current interest are TDC OCES CA A PKI with 150.000+ users and approx. 1000 new user each day. This CA accreditated and issues certificates according CP's published by the National Danish IT and Telecom Agency. In short the certificates are issued based on PIN- letters send to users postal address registered by public authorities. The CA is audited by an independent auditor. TDC Internet Kvalificeret CA Yes, this is a qualified CA according to the danish law on electronic signatures (an implementation of the EU directive). This PKI isn't very large yet due the difficult registration process (physical presence). The CA is audited by an independent auditor. TDC Internet Root CA This CA is a PCA only isssuing certs to TDC SubCA's. This CA is the process of being audited by an independent auditor. As you might sense the most important CA for the time being is TDC OCES CA. I suggest that the Danish IT and Telecom Agency is contacted in order to verify that TDC is in fact compliant with the official CP's. Contact in the agency will probably be Charlotte Jacoby, cj(a)itst.dk. Peter Lind Damkjaer TDC
Frank: We're very keen on getting the TDC OCES certs into Mozilla. What is needed by us and is there anything that you're missing that we can provide. Getting the TDC OCES root cert into Mozilla could help us making the Mozilla markedshare bigger in Denmark.
URL: http://www1.certifikat.dk/repository/...http://www1.ccertifikat.dk/repository...
I think gemal changed the URL by mistake. Please fix. Here are a few additional showstoppers concerning Mozilla's marketshare in Denmark in relation to the push for the national TDC-certificates: http://bugzilla.mozilla.org/show_bug.cgi?id=243738 http://bugzilla.mozilla.org/show_bug.cgi?id=217305
Frank or Nelson: What's missing before we can add TDC OCES to the NSS? I really like to get on with this bug. I'm working for TDC and can there help if you need more info about the TDC OCES root cert.
(In reply to comment #9) > Frank or Nelson: > What's missing before we can add TDC OCES to the NSS? I really like to get on > with this bug. I'm working for TDC and can there help if you need more info > about the TDC OCES root cert. My apologies for the delay in responding. I think the most important task is to get more information about independent audits of TDC CAs. (For example, Peter Lind Damkjaer mentioned that the Danish IT and Telecom Agency had done an audit.) In particular, are any documents related to these audits publicly available on the web? If not, could they be made publicly available? Note that under our interim policy I am approving only WebTrust-audited CAs, and as I understand it TDC has not yet completed a WebTrust audit. However I am willing to consider other approving CA based on the results of other independent audits, along the lines of Microsoft's policy of accepting "WebTrust-equivalent" audits; this is something I will bring up in the n.p.m.crypto newsgroup in the next couple of days.
(In reply to comment #10) > My apologies for the delay in responding. I think the most important task is to > get more information about independent audits of TDC CAs. (For example, Peter > Lind Damkjaer mentioned that the Danish IT and Telecom Agency had done an > audit.) In particular, are any documents related to these audits publicly > available on the web? If not, could they be made publicly available? > Note that under our interim policy I am approving only WebTrust-audited CAs, and > as I understand it TDC has not yet completed a WebTrust audit. However I am > willing to consider other approving CA based on the results of other independent > audits, along the lines of Microsoft's policy of accepting "WebTrust- equivalent" > audits; this is something I will bring up in the n.p.m.crypto newsgroup in the > next couple of days. We are very close of getting the WebTrust accreditation (hopefully we speaking days), so let us take it from there. We also gets the WebTrust accreditation on a Primary CA (TDC Internet Root CA) so we would very much like this to be included as well. I'll return when the WebTrust formalities are in place. Best regards Peter Lind Damkjaer TDC Solutions
(In reply to comment #11) The CA's now have received the WebTrust seal: https://cert.webtrust.org/ViewSeal?id=374 The root certificates mentioned in Comment #11 are attached! What are the procedures for checking the validity of the root certificates ? I can be reached in danish daytime from TDC's official number +45 8080 8080 if sha-1 validation should be done. Is it possible to include the root certificates in the upcoming final version? Best regards Peter Lind Damkjaer TDC Solutions
(In reply to comment #14) > (In reply to comment #11) > The CA's now have received the WebTrust seal: > https://cert.webtrust.org/ViewSeal?id=374 Congratulations on completing the WebTrust audit process! > The root certificates mentioned in Comment #11 are attached! > > What are the procedures for checking the validity of the root certificates ? I > can be reached in danish daytime from TDC's official number +45 8080 8080 if > sha-1 validation should be done. Usually I do a quick validation of the certificates by trying to load them into Mozilla. The NSS developers also do some checks when I file a bug to have the certificates actually added to the NSS library. If I have a problem loading the certificates I'll put a note in this bug report. Note that I maintain a CA list at http://www.hecker.org/mozilla/ca-certificate-list and reference URLs for the various CA certificates. I have one TDC certificate there, but am missing the other. Could you provide me with a URL for the other certificate? Also, could you confirm that the certificates referenced at the URLs are the same certificates you're attaching to this bug report? (I can check this too, of course.) > Is it possible to include the root certificates in the upcoming final version? I presume that by "upcoming final version" you mean Firefox 1.0. Unfortunately it is now too late to add any more CA certificates to Firefox 1.0. Adding a CA certificate currently requires adding the certificate to NSS, producing a new NSS release, and then incorporating that NSS release into the Mozilla, Firefox, and Thunderbird code. The NSS developers have already done this, and there is not time to do it again prior to release of Firefox 1.0.
>>What are the procedures for checking the validity of the root certificates ? I >>can be reached in danish daytime from TDC's official number +45 8080 8080 if >>sha-1 validation should be done. > > Usually I do a quick validation of the certificates by trying to load them > into Mozilla. Frank, I think Peter was asking "what procedures check that these are the real certs for the right CA, and not certs from some impostor?" He was proposing that we could check cert fingerprints with him by phone, and he gave a phone number. Of course, if he was an impostor (not the proper spokesperson for that CA), calling the number he gave us would not detect that. So, if we want to be duely dilligent, we would find some way to contact the CA based on info from an independent source and channel. Frank, perhaps we need to put into place some well-defined procedure that we will follow to perform such verification in the future. For now, I will leave this burden on Frank. If Frank tells me, in a signed email, that the cert with fingerprint XXXXX is the right one, I will use it. Also, separately, there is a suggestion/RFE to make the root CA list a separately releasable component, so that a new release of it can be made without a full new release of NSS (which involves MUCH QA). I don't know if there's a bugzilla bug for that idea, but I support it.
Sorry, Nelson, I was being a bit stupid. I'll think about this issue some more when I have time, but here are my thoughts right now: Traditionally I have used the CA certificates directly from the CA's web site, as opposed to checking certificates attached to Bugzilla reports. In effect I've been relying on the security of DNS (such as it is) and the fact that a CA would presumably notice if its site had been hacked and its root certificates replaced. Regarding doing certificate fingerprint checks by phone, as you note this would require some additional measures, for example looking up the needed phone number on the CA's web site (subject to the same security concerns noted in the previous paragraph) or finding the number through the phone company's directory assistance service. Relying on signed email might be doable, but obviously the CA personnel would have to use email certs issued by some other already-approved CA, otherwise the scheme falls apart a bit.
(In reply to comment #16) > Frank, I think Peter was asking "what procedures check that these are the real > certs for the right CA, and not certs from some impostor?" He was proposing > that we could check cert fingerprints with him by phone, and he gave a phone > number. Of course, if he was an impostor (not the proper spokesperson for > that CA), calling the number he gave us would not detect that. So, if we > want to be duely dilligent, we would find some way to contact the CA based > on info from an independent source and channel. That's exactly what was on my mind. Actually the number (+45 8080 8080) can be verified to be the main phone number of TDC. It can be check in several international yellowpages (e.g. http://www.wayp.com/). Note that this links to two different danish service providers (one of them is in fact TDC). "Phone number" in danish is "Telefonnummer" or apprev. "Tlf.nr.". As an alternative I suggest that you can get a snail-mail from the Danish National IT- and Telecom Agency with information on the SHA-1 fingerprints. If this is an acceptable way to do it, please let me know the name and snail-mail address of the recipient. Best regards Peter Lind Damkjaer TDC (In reply to comment #16) > >>What are the procedures for checking the validity of the root certificates ? I > >>can be reached in danish daytime from TDC's official number +45 8080 8080 if > >>sha-1 validation should be done. > > > > Usually I do a quick validation of the certificates by trying to load them > > into Mozilla. > Frank, I think Peter was asking "what procedures check that these are the real > certs for the right CA, and not certs from some impostor?" He was proposing > that we could check cert fingerprints with him by phone, and he gave a phone > number. Of course, if he was an impostor (not the proper spokesperson for > that CA), calling the number he gave us would not detect that. So, if we > want to be duely dilligent, we would find some way to contact the CA based > on info from an independent source and channel. > Frank, perhaps we need to put into place some well-defined procedure that > we will follow to perform such verification in the future. > For now, I will leave this burden on Frank. If Frank tells me, in a signed > email, that the cert with fingerprint XXXXX is the right one, I will use it. > Also, separately, there is a suggestion/RFE to make the root CA list a > separately releasable component, so that a new release of it can be made > without a full new release of NSS (which involves MUCH QA). I don't know > if there's a bugzilla bug for that idea, but I support it.
Frank: what's the status here? We missed Firefox 1.0 but we relly dont want to miss Thunderbird 1.0. Is there anything you need from our side?
My apologies for the delay; I've been on vacation the past few days. Here's what I will do: 1. Call Peter Lind Damkjaer to verify fingerprints on the certs. 2. Formally approve TDC in this bug. 3. File a new bug against Nelson to add the certs. I will try to get all three things done today. I've also separately sent an email to TB and MF folks to ask about getting new certs into Thunderbird 1.0. I'm guessing that this may be difficult given the timeframe for 1.0 release, but others know more than I about this.
I had a phone conversation with Peter Lind Damkjaer of TDC and verified the following SHA-1 fingerprints for their root CA certs as attached to bug 204839: TDC ODES: 87 81 C2 5A 96 BD C2 FB 4C 65 06 4F F9 39 0B 26 04 8A 0E 01 TDC Internet: 21 FC BD 8E 7F 6C AF 05 1B D1 B3 43 EC A8 E7 61 47 F2 0F 8A Based on the WebTrust audit of TDC (noted above) I'm formally approving these certificates for inclusion in Mozilla, etc., and will file a bug to have them added to NSS. [I sent the above in a signed email to Nelson Bolyard per his request in a previous comment.]
Depends on: 271551
Filed bug 271551 to get the certificates added to NSS, and marked that bug as blocking this one. Any further technical questions and comments should be added to bug 271551. And to repeat: I don't know exactly when these certificates will be including in a shipping release of Mozilla, Firefox, or Thunderbird; in particular, I don't know if it will be possible to include these certificates in Thunderbird 1.0.
Frank, Nelson has added these root CA certs to NSS. So you can mark this bug fixed now. You might want to remove bug 233453 as a dependency of this bug.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed. Also removing bugs 233453 and 271551 as dependencies.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
No longer depends on: 233453, 271551
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: