Closed Bug 239485 Opened 21 years ago Closed 19 years ago

Request to include CA cert for DFN-PCA

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: hecker, Assigned: hecker)

Details

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6) Gecko/20040113

From the original email:

Dear Frank Hecker,

referring to http://bugzilla.mozilla.org/show_bug.cgi?id=215243#c14 I would apply for the addition of the DFN-PCA SSL certificate into the next release of Mozilla. The cert is attached (http://www.dfn-pca.de/certification/x509/g1/data/html/cacert.html).

As far as I know, the requirements are fulfilled:

(a) The DFN-PCA is root CA in the DFN association
(b) certification is offered to the public, for non-commercial organizations without fee
(c) info about DFN-PCA authority http://www.dfn-cert.de/eng/dfncert/
(d) policy http://www.dfn-pca.de/certification/policies/ssl-tls/cp-1.4/wwwpolicy.html

--- http://www.dfn.de/content/welcometodfn/aboutdfn/ ---
"The DFN-Verein is a non-profit association of the research, development and education sector in Germany to promote computer-based communication and information services."

The DFN-PCA is reachable via e-mail at dfnpca@dfn-pca.de.

Regards,
Daniel Vollbrecht

--
scram! e.V. media community
Ludwigstraße 4
D-67346 Speyer
d.vollbrecht@scram.de
http://scram.de

Reproducible: Always
Depends on: 233453
Assignee: hecker → hecker
Hi Guys, nice that there is some movement in this. Good things take a while :)

I am staff of the DFN-PCA and if I can do anything that might help to get this bug closed, just ask and I'll see what I can do for you. A thing that I can't offer (at the moment) is a WebTrust AICPA/CICA audit of our CA. If more English documentation is needed, we need to get precise information about what kind of documents will be needed in what format, and again I can try to convince my boss to throw in more resources.

Cheers,
Reimer
I'm formally accepting this bug. (My apologies, because the bug was marked as unconfirmed it didn't show up in my standard list of my bugs, and so I forgot to mention this request in my recent messages to the netscape.public.mozilla.crypto newsgroup.) Note that right now I am considering only requests from CAs that have been WebTrust audited; that's because we haven't completed a formal policy on how to evaluate CAs, and the WebTrust for CA audit is the only criterion we have right now. In the future policy (when it's finished) I plan to also allow consideration of CAs that do not have a WebTrust audit, but then we will have some other evaluation criteria; those other criteria have not yet been agreed upon. Concerning documentation: You can look at my draft CA certificate list at <http://www.hecker.org/mozilla/ca-certificate-list/> to see what types of documents I have been referencing for CAs.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
*** Bug 146999 has been marked as a duplicate of this bug. ***
Since the DFN Verein is revamping its PKI service, we have three new CPs/CPSs and three new associated root certificates. These were generated in Q1 and Q2 of 2005. More information (in German) is available on http://www.pca.dfn.de and http://www.dfn.de/pki

DFN-PKI Classic: is replacing the old WWW-Policy which this bug was originally opened against. The old root certificate and its PKI are being phased out. No more certificates, just updated CRLs. Identity vetting in DFN-PKI Classic is done via personal contact and presenting a photo ID.

DFN-PKI Grid: is for the German Grid World. This CA and policy are accredited at http://www.eugridpma.org. Identity vetting in DFN-PKI Grid is done via personal contact and presenting a photo ID.

DFN-PKI Basic: a new security level which is lower than the security level of DFN-PKI Classic. Identity vetting can be done by sending snailmail letters with certificate access codes to the subscriber (verification of the address of the subscriber). No personal contact and photo ID is needed.

Root CA certs and CRLs can be found at http://www.pca.dfn.de/dfn-pki/certification/cacert.html

If Mozilla is going to include any of our root certificates, the three new root certificates have a higher priority. DFN-PKI Classic has the highest priority.

Thanks,
Reimer
This is an enhancement request.
Severity: normal → enhancement
QA Contact: ca-certificates
If this inclusion is still being requested, please could a representative of "DFN-PCA" file a new inclusion request, including all the information specified in section 14 of the Mozilla CA Certificate Policy: http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html

Specifically, as noted in comment #1, we require a WebTrust audit or equivalent under sections 6 and 8-11. If a WebTrust audit is not planned, please feel free to get in touch with us about what "or equivalent" might mean (section 12).

Gerv
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
> what "or equivalent" might mean (section 12).

Actually, it's specified in section 8.
Right, those are some of the options; but we've accepted other criteria in the past (e.g. for Startcom). Gerv
Unlike the other certificate bugs that were closed in the past week as WONTFIX, this one contains no comment as to how that decision was reached. Please add such a comment.
David, Gerv gave comment 7 when he resolved this bug. I think the reason is clear from that comment. If there's new information to be shared about any policy audit of this CA, then (per Gerv's request) a new RFE should be filed for this CA, with all the info specified in the policy.
Product: mozilla.org → NSS
Product: NSS → CA Program