Closed
Bug 238381
Opened 21 years ago
Closed 20 years ago
Add QuoVadis commercial CA cert to builtin trusted CA list
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sdavidson, Assigned: hecker)
Attachments
(2 files)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Build Identifier:
QuoVadis is a commercial certificate authority located in Bermuda and serving
customers worldwide. We have particular expertise in the insurance and
financial services sectors, and also serve the Bermuda Government. Corporate
customers acting as registration authorities may use our web-based Trust/Link
administration pages to issue and manage their certificate populations.
QuoVadis is an Authorised Certification Services Provider (CSP) under
Bermuda's Electronic Transactions Act. The CSP standard synthesizes major
requirements from BS 7799, WebTrust for Certification Authorities, and the
European Electronic Signature Standards Initiative (EESSI). More information
may be found at: http://www.quovadis.bm/bdacsp.asp.
The QuoVadis CA cert is already in Apple OSX, is expected to be added to the
RIM BlackBerry OS in version 4, and has completed the WebTrust for CAs
procedures for Microsoft.
QuoVadis provides device/SSL certificates, as well as end user certificates in
multiple classes ranging from low authentication to due diligence meeting
international "know your client" standards. A summary of our certificate
classes may be found at: http://www.quovadis.bm/policies/pki.asp
We provide CRL at (root) www.quovadisoffshore.com/crl/qvrca.crl and (primary
issuing) www.quovadisoffshore.com/crl/qvica2.crl. We do not currently provide
OCSP.
In addition to our CA services, QuoVadis provides professional services to
assist organizations in deploying PKI for tasks such as secure e-mail, desktop
login, VPN, digital signatures, smartcards and tokens, etc.
QuoVadis currently provides a "root injector" that senses the user's computer
config and inserts the root appropriately. This may be found at:
http://www.quovadis.bm/root/
Following is the QV root CA cert in base 64 format. This must be verified at
the URL above before it is deployed:
Depends on 233453
Comment 1•21 years ago (Reporter)
May also be found at www.quovadis.bm/root
Comment 2•21 years ago
I would not ask Mozilla users to trust this (or any other certificate authority)
without some assurance (beyond self assertions) that its practices do indeed
meet the standards claimed in the second paragraph of the Description. The
QuoVadis Web site does not indicate any third-party verification of its
practices. While WebTrust for Certification Authorities is cited, QuoVadis does
not have the WebTrust seal; other offshore CAs do have the seal.
This illustrates the need for a clear policy as requested in bug #233453.
Comment 3•21 years ago (Reporter)
I agree that a clearly stated policy for CA cert acceptance is advisable.
For example, the Microsoft policy may be found at:
http://www.microsoft.com/technet/security/news/rootcert.mspx
Clearly, QuoVadis can provide supporting documentation for our CSP status and
WebTrust procedures, conducted by the information security team of a Big Four
accounting firm.
Comment 4•21 years ago
I confirm that this is a genuine request for enhancement. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•21 years ago
mass reassign enhancement requests for root CA certs to mozilla.org product
and to Frank Hecker. This will take several steps, as component must be
changed separately :(
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
Updated•21 years ago
Assignee: hecker → hecker
Comment 6•21 years ago (Reporter)
As of April 9, the QuoVadis Root was added to the Microsoft Root Store for
Windows XP and Windows 2003. It will be released shortly (4/27/04) in Windows
Update for all lower-level Windows users.
On that date, QuoVadis should appear on the list of Windows roots at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp
As noted earlier, to achieve this QuoVadis completed the WebTrust for
Certification Authorities procedures.
Please contact me for copies of the documentation you require.
Regards, Stephen
www.quovadis.bm
Comment 7•21 years ago (Reporter)
Attached provides links to key QuoVadis policy documents per Frank Hecker's
evaluation matrix.
Comment 8•21 years ago (Assignee)
I'm accepting this bug per my prior decision to consider approving CAs with
WebTrust audits. I've updated my CA list at
<http://www.hecker.org/mozilla/ca-certificate-list/> to reflect the QuoVadis
info provided by Stephen Davidson, with a few minor changes from what he
included in his attachment.
A few comments and questions:
* First, let me commend QuoVadis on the completeness of their documentation and
its accessibility on the QV web site. I especially like the fact that QV has a
PKI disclosure statement which is actually concise enough that a real user might
actually read it :-)
* The QuoVadis site links to CA certs at URLs
<http://www.quovadis.bm/public/rca.crt> and
<http://www.quovadis.bm/public/ica2.crt> respectively, while the attachment
provided by Stephen Davidson lists them at
<http://www.quovadis.bm/public/rca_base64.crt> and
<http://www.quovadis.bm/public/ica2_base64.crt> respectively. Both appear to
load into Mozilla the same way, and I presume the difference is simply a matter
of convenience for people who want the base-64 encoded versions.
* Of the two CA certs, the Root CA cert is a true root cert, while the ICA2 cert
is for an intermediate CA under that root. (Just thought I'd note that for
Nelson's benefit.)
* QuoVadis doesn't appear to have an actual WebTrust seal. From reading the
press release about QV being added to the Windows cert list
<http://www.quovadis.bm/corporate/article.asp?newsid=72> I presume the claim is
that by QV fulfilling requirements for the Bermuda Authorised CSP designation it
has met "WebTrust equivalent" requirements. Is my interpretation correct? If so,
is there actually a publicly-available audit report, similar to the WebTrust for
CA reports I've linked to for other CAs, or is the only public document the
certificate from the Ministry of Telecommunications and E-Commerce?
Status: NEW → ASSIGNED
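The description asks that the root cert be verified before deployment, and comment 8 observes that the same CA certs are published in both binary and base-64 form. The following is an added example, not code from this bug, QuoVadis or Mozilla: it normalises either encoding to DER and compares a fingerprint against a value obtained out of band. The choice of SHA-256, the function names and the sample bytes are assumptions; the sample is constructed and is not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the input is PEM (base-64) or already DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour found: treat the input as raw DER
    body = b"".join(m.group(1).split())  # drop line breaks and spaces
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(body, validate=True)


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as lower-case hex."""
    return hashlib.sha256(to_der(data)).hexdigest()


def matches_published(data: bytes, published: str) -> bool:
    """Compare against a fingerprint received through a separate channel.

    Accepts the common 'AA:BB:...' presentation as well as plain hex.
    """
    want = published.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(data), want)


# Constructed stand-in bytes, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Both encodings of the same certificate give the same fingerprint.
    print(fingerprint(SAMPLE_DER) == fingerprint(SAMPLE_PEM))
```

The comparison is only meaningful when the published fingerprint comes from a channel independent of the one that delivered the certificate file.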
Comment 9•20 years ago (Assignee)
Per my comments in the n.p.m.crypto newsgroup and mozilla-crypto mailing list
(on "WebTrust-equivalent" CA audits), I'm approving the QuoVadis root CA
certificate for inclusion in Mozilla, etc., based on their having completed a
"WebTrust-equivalent" independent audit, and have filed bug 261375 to get the
actual cert added to NSS.
Per discussions in n.p.m.crypto, I'm presuming that we should add only the
QuoVadis Root CA cert to NSS, not the QuoVadis Issuing CA2 cert under that root,
and have so indicated in bug 261375.
Please direct technical comments about the addition of this cert to bug 261375;
all other comments should be made in this bug or the newsgroup/mailing list.
Comment 10•20 years ago
Frank,
Nelson has added this root CA cert to NSS. So
you can mark the bug fixed now.
You might want to remove bug 233453 as a dependency
of this bug.
Comment 11•20 years ago (Assignee)
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and
removing bug 233543 and bug 261375 as dependencies.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program