Closed Bug 261375 (QuoVadis) Opened 20 years ago Closed 20 years ago

Please add QuoVadis root CA certificate

Categories

(NSS :: Libraries, enhancement, P2)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: hecker, Assigned: nelson)

Details

Per my comments in bug 238381 and n.p.m.crypto, I'm approving the QuoVadis root
CA certificate for inclusion in Mozilla, etc., based on their having completed a
"WebTrust-equivalent" independent audit. Please add the QuoVadis root CA
certificate as attached to bug 238381 or available at
<http://www.hecker.org/mozilla/ca-certificate-list> and mark it as trusted for
all purposes.

Note that QuoVadis also has an intermediate CA (QuoVadis Issuing CA2) whose
certificate is issued by the QuoVadis root CA. Per discussions in n.p.m.crypto,
I'm presuming that we should *not* add this cert to NSS.

(Marking this bug as blocking bug 238381.)
Oops, forgot to set the "blocks" field.
Blocks: 238381
Mass reassign to myself of enhancement requests for new root certs.
Targeting them all for NSS 3.10
Assignee: wchang0222 → nelson
Priority: -- → P2
Target Milestone: --- → 3.10
Version: unspecified → 3.9
The patches that add these requested ROOT CA certs to the NSS 3.9 branch
and to the NSS trunk have been attached to bug 271585.  Please see 
bug 271585 for those attachments.  When those attachments have been 
reviewed and checked in, this bug will be marked resolved/fixed.
Status: NEW → ASSIGNED
The above root cert has been added to the trunk and the NSS 3.9 branch.
See bug 271585 for more details and the patches.

For testing purposes, for a short time (weeks), a copy of a debug build
of nssckbi.dll with these certs added, built from the NSS 3.9 branch,
may be obtained for testing at http://nelson.bolyard.com/mozilla/nssckbi.dll

I invite the representatives of the various CAs to download it and test it.
Please add any comments (reflecting success or failure) to this bug.
It passes my tests.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: 3.10 → 3.9.5
Re:  QuoVadis root certificate in NSS.  Works in our tests as well.  Many 
thanks to all concerned!
Mass re-assign of 3.9.5 fixed bugs to 3.9.6, since we built 3.9.5 with the same
source tree as 3.9.4.
Target Milestone: 3.9.5 → 3.9.6
Verified with Firefox 1.0.2 that QuoVadis root CA is
in the "Builtin Object Token" with the following trust
settings:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.
Status: RESOLVED → VERIFIED
No longer blocks: 238381
Alias: QuoVadis
For reference, this cert caused us to get strange press, so expect random comments about this URL: http://www.privsoft.com/archive/nws-who.html
Note that I posted a message to the mozilla.dev.security group about this:

http://groups.google.com/group/mozilla.dev.security/msg/0040e1d23f638661

The underlying problem appears to be that the PSC folks are confusing the Windows pre-loaded CA cert list (which is in the Windows registry) with the Mozilla pre-loaded CA cert list (which is in NSSCKBI.DLL). Mozilla-based products (which use NSS as their underlying crypto library) don't use or modify the Windows cert list in the registry.
For point of clarity, Privsoft erroneously identified the Mozilla NSSCKBI.DLL as malware.  They appear to have randomly plucked the name QUOVADIS from the dozens of root certificates in the bundle and misinterpreted it as the name of a trojan coder. 

To the contrary, QuoVadis is a legitimate and reputable certification authority whose root is widely distributed.  QuoVadis complies with Mozilla's requirements, holding an AICPA/CICA WebTrust for Certification Authorities seal (conducted by Ernst & Young) as well as an ETSI TS 101.456 certification (conducted by KPMG as part of its licensing as a Qualified Certification Service Provider in Switzerland).  You can find information on these, and other accreditations, linked from the QuoVadis website at www.quovadis.bm.