Closed Bug 261778 Opened 20 years ago Closed 16 years ago

Add Camerfirma CA certificate (Spain)

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: ramirom, Assigned: hecker)

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a1) Gecko/20040520

AC Camerfirma is a Spanish certification authority which is trusted in IE, but not in Mozilla.

Reproducible: Always

Steps to Reproduce:
1. Go to https://www.camerfirma.com

Actual Results:
A message saying my server's cert is not trusted appeared.

Expected Results:
Just go ahead

This bug is already reported by a number of CAs.

I'm accepting this bug. I'm changing the summary line to "Add Camerfirma CA certificate" to better reflect the nature of the request.
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: A message saying my server's cert is not trusted appeared → Add Camerfirma CA certificate
Camerfirma has passed a WebTrust for CAs audit, so I expect that I will approve Camerfirma's root CA certificates for inclusion in Mozilla and other products. However, first I need to have answers to the following questions:

1. What are the actual Certificate Authorities whose certificates should be included in Mozilla?

The page <http://www.camerfirma.com/mod_web/repositorio/otrascas.html> shows several Camerfirma CA hierarchies. After reading some other material on the Camerfirma web site, I'm guessing that the root CA certificates that should be included are for the Chambers of Commerce root CA and the Global Chambersign root CA. Is this correct?

(Incidentally, the CA hierarchy graph on the otrascas.html page is very nice, especially with the links to the certificates, hashes, CRLs, etc. I wish more CAs did the same thing.)

2. What are the actual root CA certificates that should be included, and where can they be obtained? From the otrascas.html page I'm guessing that the root CA certificates are the ones at the following URLs:

http://www.camerfirma.com/mod_web/consultas/certi/Chambers.cer
http://www.camerfirma.com/certs/ROOT-CHAMBERSIGN.crt

for the "Chambers of Commerce" and "Global Chambersign" CAs. Is this correct?

3. What are the intended uses of the end-entity certificates issued by the CAs? Both of the certificates referenced above have a netscape cert type extension referencing all three of SSL, S/MIME, and object signing, so I presume that the certificates should be trusted for all purposes relevant to Mozilla. Is this correct?

4. Where is the Certification Practices Statement (CPS) for Camerfirma? I'm guessing that the most recent CPS is the document at the following URL:

http://docs.camerfirma.com/mod_web/usuarios/pdf/CPS_1.4.pdf

Is this correct? Does this CPS apply to both of the CAs ("Chambers of Commerce" and "Global Chambersign")? Is the CPS available in an English translation?

5. Where are the CRLs for the Camerfirma root CAs? According to the otrascas.html page, the CRLs are at the following URLs:

http://crl.chambersign.org/chambersroot.crl
http://crl.chambersign.org/chambersignroot.crl

for the "Chambers of Commerce" and "Global Chambersign" CAs? Is this correct?

6. Does Camerfirma support OCSP validation of certificates, in addition to the CRLs?

I've edited my CA certificates information page: http://www.hecker.org/mozilla/ca-certificate-list to include information concerning Camerfirma. Please review the information and provide corrections where needed.
I am willing to approve this request, but I need answers to the questions I asked in my previous comment (#2); in particular I need answers to questions 1, 2, and 3. I will not do anything further with this request until I receive those answers.
(In reply to comment #2)
> 1. What are the actual Certificate Authorities whose certificates should be
> included in Mozilla?
> The page <http://www.camerfirma.com/mod_web/repositorio/otrascas.html> shows
> several Camerfirma CA hierarchies. After reading some other material on the
> Camerfirma web site, I'm guessing that the root CA certificates that should be
> included are for the Chambers of Commerce root CA and the Global Chambersign
> root CA. Is this correct?

Yes it is.

> (Incidentally, the CA hierarchy graph on the otrascas.html page is very nice,
> especially with the links to the certificates, hashes, CRLs, etc. I wish more CA
> did the same thing.)

Thank you a lot, I am pleased to hear that.

> 2. What are the actual root CA certificates that should be included, and where
> can they be obtained? From the otrascas.html page I'm guessing that the root CA
> certificates are the ones at the following URLs:
> http://www.camerfirma.com/mod_web/consultas/certi/Chambers.cer
> http://www.camerfirma.com/certs/ROOT-CHAMBERSIGN.crt
> for the "Chambers of Commerce" and "Global Chambersign" CAs. Is this correct?

Yes.

> 3. What are the intended uses of the end-entity certificates issued by the CAs?
> Both of the certificates referenced above have a netscape cert type extension
> referencing all three of SSL, S/MIME, and object signing, so I presume that the
> certificates should be trusted for all purposes relevant to Mozilla. Is this
> correct?

Yes, mainly for digital signature and web authentication.

> 4. Where is the Certification Practices Statement (CPS) for Camerfirma? I'm
> guessing that the most recent CPS is the document at the following URL:
> http://docs.camerfirma.com/mod_web/usuarios/pdf/CPS_1.4.pdf
> Is this correct? Does this CPS apply to both of the CAs ("Chambers of Commerce"
> and "Global Chambersign")? Is the CPS available in an English translation?

Yes, this CPS involves all certificates issued by Camerfirma, and I am afraid it is not translated to English yet.

> 5. Where are the CRLs for the Camerfirma root CAs? According to the
> otrascas.html page, the CRLs are at the following URLs:
> http://crl.chambersign.org/chambersroot.crl
> http://crl.chambersign.org/chambersignroot.crl
> for the "Chambers of Commerce" and "Global Chambersign" CAs? Is this correct?

Yes, but you will need all CRLs from all CAs delegated in the hierarchy, will you? It is important for us that all CAs be recognized by Mozilla.

> 6. Does Camerfirma support OCSP validation of certificates, in addition to the CRLs?

Yes, you can get information about "Chambers of Commerce Root" and "Chambersign Global Root" from http://ocsp.certiver.com:7070

Thank you for the answers to my questions. I just have two more comments:

* Regarding question 3, about uses of the certificates: I asked this question in order to determine how we should set the "trust bits" on the root CA certificate. Your answer was somewhat ambiguous. Based on your answer we will certainly mark the root CAs (or potentially their subordinate CAs) as trusted for certifying SSL-enabled web sites and S/MIME email users. However we will *not* mark the root CA (or subordinates) as being trusted for certifying developers of digitally-signed executable code objects, since you didn't explicitly say that your CAs issue such certificates.

If this is incorrect (in other words, if the Camerfirma root CAs and/or their subordinate CAs *do* issue certificates for signing executable code objects), then please correct me, and we will mark the root CA as trusted for all three purposes.

* Regarding question 5, about CRLs: We do *not* preload CRLs into Mozilla or related products. If Mozilla users want to use CRLs then they have to explicitly download the CRLs and install them. However I wanted the information about CRLs in order to publish the information on my CA web page at <http://www.hecker.org/mozilla/ca-certificate-list> for use by anyone who's interested.

Since you have subordinate CAs under the two root CAs, I'll modify my web page to include links to the CRLs for those other CAs.

If you can answer my first question above (to clarify how we should set the "trust bits") then I will go ahead and officially approve including the Camerfirma root CA certificate.

(In reply to comment #6)
> Thank you for the answers to my questions. I just have two more comments:
> * Regarding question 3, about uses of the certificates: I asked this question in
> order to determine how we should set the "trust bits" on the root CA
> certificate. Your answer was somewhat ambiguous. Based on your answer we will
> certainly mark the root CAs (or potentially their subordinate CAs) as trusted
> for certifying SSL-enabled web sites and S/MIME email users. However we will
> *not* mark the root CA (or subordinates) as being trusted for certifying
> developers of digitally-signed executable code objects, since you didn't
> explicitly say that your CAs issue such certificates.
> If this is incorrect (in other words, if the Camerfirma root CAs and/or their
> subordinate CAs *do* issue certificates for signing executable code objects),
> then please correct me, and we will mark the root CA as trusted for all three
> purposes.

Dear Frank, you have a point there. We would like there to be no limit at all in the use of our certificates, so code signing, TSA, OCSP use would be included. We will restrict the use in end-user certificates.

> * Regarding question 5, about CRLs: We do *not* preload CRLs into Mozilla or
> related products. If Mozilla users want to use CRLs then they have to explicitly
> download the CRLs and install them. However I wanted the information about CRLs
> in order to publish the information on my CA web page at
> <http://www.hecker.org/mozilla/ca-certificate-list> for use by anyone who's
> interested.
> Since you have subordinate CAs under the two root CAs, I'll modify my web page
> to include links to the CRLs for those other CAs.
> If you can answer my first question above (to clarify how we should set the
> "trust bits") then I will go ahead and officially approve including the
> Camerfirma root CA certificate.

OK, thank you a lot, Frank.

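
The trust-bit exchange above, modelled as an added example (not part of the bug thread and not Mozilla or NSS code): it decodes a Netscape cert type extension value and sets a trust bit only when the extension carries the matching CA flag and the CA has confirmed that purpose. The sample bytes are constructed, not taken from the Camerfirma certificates, and the function names and trust-bit labels are assumptions.

```python
# Added example: decode a Netscape cert type extension and model the thread's
# trust-bit decision. Names and labels here are assumptions, not NSS code.

# Flag byte of the BIT STRING; bit 0 is the most significant bit.
NS_CERT_TYPE = {
    0x80: "SSL client", 0x40: "SSL server", 0x20: "S/MIME",
    0x10: "object signing", 0x04: "SSL CA", 0x02: "S/MIME CA",
    0x01: "object signing CA",
}
# CA flag -> root-program trust bit (labels are hypothetical).
CA_FLAG_TO_TRUST_BIT = {0x04: "websites", 0x02: "email", 0x01: "code signing"}


def parse_ns_cert_type(ext_value: bytes) -> int:
    """Return the flag byte from the DER BIT STRING in the extension value."""
    if len(ext_value) < 3 or ext_value[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused = ext_value[1], ext_value[2]
    if length != len(ext_value) - 2 or length > 2 or unused > 7:
        raise ValueError("malformed BIT STRING")
    if length == 1:  # only the unused-bits octet: no flags asserted
        return 0
    flags = ext_value[3]
    if flags & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    return flags


def describe(flags: int) -> list:
    """Human-readable names of the asserted cert type flags."""
    return [name for bit, name in NS_CERT_TYPE.items() if flags & bit]


def trust_bits(flags: int, confirmed_by_ca: set) -> list:
    """Set a trust bit only if the CA flag is present AND the CA confirmed it."""
    asserted = {tb for bit, tb in CA_FLAG_TO_TRUST_BIT.items() if flags & bit}
    return sorted(asserted & set(confirmed_by_ca))


if __name__ == "__main__":
    sample = bytes.fromhex("03020007")  # constructed: all three CA flags set
    flags = parse_ns_cert_type(sample)
    print(describe(flags))
    # After the first answer only web and email use were explicit.
    print(trust_bits(flags, {"websites", "email"}))
    # After the follow-up the CA also confirmed code signing.
    print(trust_bits(flags, {"websites", "email", "code signing"}))
```
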
In accordance with current policy, I am approving Camerfirma's root CA certificates for inclusion in Mozilla, and will file a bug against NSS to have the actual certificates added.
Depends on: 275576
Filed bug 275576 against NSS for the actual addition of the certificates, and marked it as blocking this bug. Any further *technical* comments re this should be directed to bug 275576.
The Camerfirma Chamber of Commerce Root CA and Global Chambersign Root CA have been added to NSS. They will be in Mozilla 1.8 Beta 2 and Firefox/Thunderbird 1.1 Alpha. I don't know if this is enough to mark the bug fixed or you want to wait until Mozilla 1.8 final and Firefox/Thunderbird 1.1 final.
I found a discrepancy in the SHA-1 fingerprint of the Chambers of Commerce Root. So please don't mark this bug fixed yet.
OK, the SHA-1 fingerprint issue has been resolved.
Resolving this bug as FIXED, given that the necessary changes have been made to NSS and will show up in future versions of Firefox, Thunderbird, etc.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: Add Camerfirma CA certificate → Add Camerfirma CA certificate (Spain)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We would like to include new CA root certificates. We are planning a new key pair generation in a few weeks and obviously new certificates that we want to be included in a future version of the Mozilla suite.
Ramiro, You need to file a new bug to request the addition of MORE certs. The original requests in this old bug have been satisfied in full. Please start with this page: http://wiki.mozilla.org/CA:Root_Certificate_Requests
Status: REOPENED → RESOLVED
Closed: 19 years ago → 16 years ago
Resolution: --- → FIXED
Ramiro, I see that you have opened another bug for the new certificate requests. That bug is bug 406968. The information in that request is incomplete. Please put all further information about that request in that bug.
OK, Nelson, I will use this bug for my request, sorry for any trouble. Then could I use this bug to include new roots, or should I use the new bug I opened, 406968?
current audit info
Product: mozilla.org → NSS
Product: NSS → CA Program