Closed Bug 250351 Opened 21 years ago Closed 18 years ago

ESnet CA request for cert inclusion

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Platform:
All
macOS
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: hecker, Assigned: hecker)

References

(
URL
)

Details

Excerpting from the original message received: "We would like the Mozilla Foundation to add the ESnet root CA [certificate] to upcoming Mozilla distributions. ESnet (http://www.es.net) supports networking for US DOE national laboratories and science. ESnet also provices PKI services. One of our subordinate CA's is the DOEGrids CA -- see http://www.doegrids.org This CA supports both DOE and related NSF science, world-wide, and is the largest known Grid CA (see http://www.globus.org/about/faq/general.html#grid for more information on the Grid). This PKI and the Grid PKI's with which we interoperate are one of the largest and most diverse PKI's ever attempted. The ESnet root CA signs subordinate CA certificates, which in turn provide End Entity certificates. More information on the ESnet root CA can be found here http://www.es.net/CA/ESnet%20Root%20CA%201/ including policy documents." Note that the ESnet CA does not appear to have undergone a WebTrust audit or any other external audit. Thus I'll consider this request after I finish processing the initial set of WebTrust-audited CAs and turn to the other CAs that have not been WebTrust audited.
Accepting bug. Added ESnet to <http://www.hecker.org/mozilla/ca-certificate-list/>
Status: NEW → ASSIGNED
Some additional questions and comments: 1. There seem to be a lot of URLs referencing policy documents and other data, all of which point to the same documents. For example, compare the links in <http://www.es.net/CA/> with the links at <http://www.es.net/CA/ESnet%20Root%20CA%201/>. It would be nice to know which are the "official" stable URLs for such things as the CPS, CA certs, etc. 2. There are two links for the root CA certificate, one for the cert in PEM format and the other for DER format. However in neither case can one simply click on the link and have the cert be loaded into Mozilla (missing the proper MIME type). It would be nice to have such a link available as a convenience for Mozilla users who'd want to add the ESnet CA prior to it's being included in Mozilla by default. 3. Same comment as 2, except with reference to the CRL. 4. The CPS makes mention of an experimental OCSP service, but none appears to be currently active. Is this correct?
QA Contact: ca-certificates
Frank: do you have the email address for a contact at es.net? Gerv
Mike Helm <helm@fionn.es.net>
I have sent the following email to helm@fionn.es.net: Dear Mr Helm, Two and a half years ago, you requested inclusion of the root certificate of your Certificate Authority in Mozilla products. https://bugzilla.mozilla.org/show_bug.cgi?id=250351 Since that time, we have formalised a CA Certificate policy, detailing how we process such requests: http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html We hope that this will bring clarity to the process. Due to the age of the request, the above mentioned bug report has been closed. If inclusion of your certificate(s) is still desired, please could you file a new bug report as specified in section 14 of the policy, including all the information requested by that clause. Many thanks, Gerv
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.