Closed
Bug 539257
Opened 15 years ago
Closed 12 years ago
EV enable thawte SHA256 root certificate
Categories: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kathleen.a.wilson; Assigned: kathleen.a.wilson
Whiteboard: EV - Approved - in Firefox 26
Attachments: 5 files, 3 obsolete files
This request is to EV enable the following thawte ECC and SHA256 root
certificates that are currently included in NSS.
- thawte Primary Root CA – G3 (SHA256 root)
Inclusion Bug #484903
- thawte Primary Root - G2 (ECC root)
Inclusion Bug #409237
Updated•15 years ago
Status: NEW → ASSIGNED
Whiteboard: Information incomplete
Comment 1•15 years ago
The attached document summarizes the information that has been gathered and
verified.
The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Comment 2•15 years ago
Comment 3•15 years ago
Thank you for the information.
I have a question about “thawte Primary Root CA - G2”… My notes indicate that all of the subCAs under this root will be of Class 3. However, my notes also indicate that the SSL verification type is DV, OV, and EV. Should it just be OV and EV since Class 3 verification means High Assurance?
(by DV, I mean DV only with no organizational verification).
Comment 4•14 years ago
Hi Kathleen,
There is a possibility that, if Thawte moves all products to this root, DV may be included under a DV intermediate CA.
Comment 5•14 years ago
A test site for this root has been created: https://ecc-test-valid.thawte.com
Comment 6•14 years ago
Comment 7•14 years ago
This request has been combined with the other Thawte request in the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: Information incomplete → EV - Information Confirmed Complete
Comment 8•14 years ago
Hi
The thawte Primary Root CA - G3 was included in Thawte's latest EV audit. Please can you proceed with EV enabling this root.
https://cert.webtrust.org/SealFile?seal=527&file=pdf
Thanks
Tony
Updated•14 years ago
Summary: EV enable thawte ECC and SHA256 root certificates → EV enable thawte SHA256 root certificate
Comment 9•14 years ago
Attachment #507203 - Attachment is obsolete: true
Comment 10•14 years ago
Attachment #537684 - Attachment is obsolete: true
Comment 11•14 years ago
Attachment #537697 - Attachment is obsolete: true
Comment 12•14 years ago
I am now opening the first public discussion period for two requests from Thawte:
Bug #539257: Enable EV for the “thawte Primary Root CA - G3” root certificate.
Bug #601950: Turn on the code signing trust bit for the “thawte Primary Root CA” root certificate.
For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy
The discussion thread is called “Symantec/Thawte EV and Trust Bit Change Request”
Please actively review, respond, and contribute to the discussion.
Whiteboard: EV - Information Confirmed Complete → EV - In public discussion
Comment 13•13 years ago
The public comment period for this request is now over.
Symantec has the following action items:
1) Create the EV issuing intermediate CA, and OCSP service.
2) Perform the EV testing described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
3) Update this bug to provide the URL to a test website whose EV SSL cert chains up to this root.
After this bug has been updated to indicate completion of these action items, I will check the provided test website and then recommend approval in this bug to enable EV for the “thawte Primary Root CA - G3” root certificate.
Whiteboard: EV - In public discussion → EV - CA Action Items -- EV testing
Comment 14•13 years ago
Kathleen, I presume you intend those action items to apply to both roots:
- thawte Primary Root CA – G3 (SHA256 root)
- thawte Primary Root - G2 (ECC root)
Right?
Comment 15•13 years ago
(In reply to Rick Andrews from comment #14)
> Kathleen, I presume you intend those action items to apply to both roots:
> - thawte Primary Root CA – G3 (SHA256 root)
> - thawte Primary Root - G2 (ECC root)
> Right?
Please note comment #8. Tony requested that we proceed with EV-enablement for only the SHA256 root in this particular request.
Comment 16•12 years ago
Reminder, this request is to enable EV for the "thawte Primary Root CA - G3" root certificate.
As per Comment #13, the discussion of this request was completed, and this request is only waiting on successful completion of EV Testing.
Comment 17•12 years ago
Here are the test results using Minefield to visit https://ssltest8.bbtest.net:
There is no warning when loading the page (expected)
End Entity chains up to given root cert (expected)
Green bar is not present (not expected)
Comment 18•12 years ago
BTW, here's the contents of the test_ev_roots file we used:
1_fingerprint F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
2_readable_oid 2.16.840.1.113733.1.7.48.1
3_issuer MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
4_serial
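The test_ev_roots.txt entry quoted above is hand-edited, so it helps to be able to decode what it actually says before running an EV test. The following Python is an added example, not code from this bug, from NSS or from PSM: it parses the four-line entry from comment 18 (a constructed copy is embedded), DER-decodes the base64 issuer into its attribute pairs, and round-trips the EV policy OID through DER encoding. check_entry() reports only structural problems (it flags the empty 4_serial line as incomplete); the page does not say why the first test run showed no green bar, and this example does not claim to.

```python
import base64
import re

# Constructed copy of the four-line test_ev_roots.txt entry quoted in comment 18
# (the 4_serial line is empty there, and that is preserved here).
SAMPLE_ENTRY = """\
1_fingerprint F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
2_readable_oid 2.16.840.1.113733.1.7.48.1
3_issuer MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
4_serial
"""

# X.500 attribute types that commonly appear in a CA's issuer name.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length, e.g. 0x81 0xAE
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID (e.g. the EV policy OID) as a complete DER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes([0x06, len(out)]) + bytes(out)


def parse_der_name(b64):
    """Decode a base64 DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    tag, body, end = der_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("issuer is not a single DER SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = der_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("expected SET for RelativeDistinguishedName")
        p = 0
        while p < len(rdn):
            _, atv, p = der_tlv(rdn, p)
            t, oid_body, q = der_tlv(atv, 0)
            if t != 0x06:
                raise ValueError("expected OID as attribute type")
            t, val, _ = der_tlv(atv, q)
            # 0x1E is BMPString (UTF-16BE); Printable/UTF8/IA5 strings decode as UTF-8
            text = val.decode("utf-16-be") if t == 0x1E else val.decode("utf-8")
            oid = decode_oid(oid_body)
            attrs.append((ATTR_NAMES.get(oid, oid), text))
    return attrs


def parse_entry(text):
    """Parse one 'N_key value' entry; the issuer is decoded to attribute pairs."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        entry[key.split("_", 1)[1]] = value.strip()
    entry["issuer"] = parse_der_name(entry["issuer"])
    return entry


def check_entry(entry):
    """Return a list of structural problems; an empty list means well-formed."""
    problems = []
    if not re.fullmatch(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}", entry.get("fingerprint", "")):
        problems.append("fingerprint is not 20 colon-separated hex bytes (SHA-1)")
    if not re.fullmatch(r"[0-2](?:\.\d+)+", entry.get("readable_oid", "")):
        problems.append("readable_oid is not a dotted OID")
    if not any(name == "CN" for name, _ in entry.get("issuer", [])):
        problems.append("issuer has no CN")
    if not entry.get("serial"):
        problems.append("serial is empty")
    return problems
```

parse_entry(SAMPLE_ENTRY)["issuer"] resolves to C=US, O=thawte, Inc., two OU values and CN=thawte Primary Root CA - G3, which is the root named in the request; encode_oid() gives the bytes that have to appear in the certificatePolicies extension of an end-entity certificate for EV treatment under that OID.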
Comment 19•12 years ago
Try using the attached test_ev_roots.txt file and also using an appropriate CA hierarchy (with an intermediate certificate). EV treatment will only be given if the requirements in the EV Guidelines are met.
Comment 20•12 years ago
OK, we've added the intermediate and enabled OCSP, and tested with firefox-4.0b8pre.en-US.win32 (Minefield) and the new test_ev_roots.txt file that you provided. Testing was successful. We can hit the site without warnings or errors, and we see the green toolbar.
Comment 21•12 years ago
Comment 22•12 years ago
As per Comment #13, the public discussion for this request resulted in approval being on hold until the CA completed EV testing.
As per Comment #20, the CA has successfully completed EV testing, and I confirmed this in Comment #21.
This request has been evaluated as per Mozilla’s CA Certificate Policy at
http://www.mozilla.org/projects/security/certs/policy/
Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.
To summarize, this assessment is for the request to enable EV treatment for the “thawte Primary Root CA - G3” root certificate.
Section 4 [Technical]. I am not aware of instances where Symantec has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.
Section 6 [Relevance and Policy]. Symantec appears to provide a service relevant to Mozilla users. Thawte is a subsidiary of Symantec. Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base.
Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main document of interest is the CPS, which is provided in English.
http://www.thawte.com/cps
Section 7 [Validation]. Symantec appears to meet the minimum requirements for subscriber verification, as follows:
* Email: Not applicable -- not requesting the email trust bit.
* SSL: According to section 3.2.2 of the CPS: Where a domain name or e-mail address is included in the certificate thawte authenticates the Organization’s right to use that domain name. Confirmation of an organization’s right to use a domain name is not performed for SSL123 Certificates. For these certificates, validation of domain control only is performed … thawte validates the Certificate Applicant’s control of a domain by requiring the person to answer an e-mail sent to the e-mail address listed or predetermined for that domain.
** Supplemental validation procedures for EV SSL Certificates are provided in Appendix B1 of the CPS. Section 11.6 describes the procedures for verifying the applicant’s domain name, which includes: thawte performs a WHOIS inquiry on the Internet for the domain name supplied by the Applicant, to verify that the Applicant is the entity to whom the domain name is registered.
* Code: According to section 3.2.2.1 of the CPS: thawte confirms the identity of a Certificate Applicant for a High Assurance Server or Code Signing Certificate by: 1) Verifying that the organization exists through the use of at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government that confirms the existence of the organization and 2) Confirming with an appropriate Organizational contact by telephone, postal mail, or a comparable procedure certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Organization is authorized to do so.
Section 18 [Certificate Hierarchy]
This root has internally-operated intermediate certificates.
* EV Policy OID: 2.16.840.1.113733.1.7.48.1
* CRL:
http://crl.thawte.com/ThawtePCA-G3.crl
http://ev-sha256-crl.thawte.com/ThawteEVSHA256.crl
CPS Appendix D: For Subscriber Certificates CRLs are updated and reissued at least every seven (7) days, and the nextUpdate field value SHALL NOT be more than ten (10) days beyond the value of the thisUpdate field
* OCSP
http://ocsp.thawte.com
http://ev-sha256-ocsp.thawte.com
CPS Appendix D: For Subscriber Certificates … (OCSP) is updated at least every four (4) days, and with a maximum expiration time of ten (10) days.
Sections 11-14 [Audit].
Symantec is audited according to the WebTrust CA and WebTrust EV criteria, and audit statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=527
Based on this assessment I intend to approve this request to enable EV treatment for the “thawte Primary Root CA - G3” root certificate.
Whiteboard: EV - CA Action Items -- EV testing → EV - Pending Approval
Comment 23•12 years ago
As per the summary in Comment #22, and on behalf of Mozilla I approve this request from Symantec to enable EV treatment for the following root certificate:
** “thawte Primary Root CA - G3”, enable EV.
I will file the PSM bug for the actual changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting PSM
Comment 24•12 years ago
I have filed bug #872304 against PSM for the actual changes.
Updated•12 years ago
Whiteboard: EV - Approved - awaiting PSM → EV - Approved - in Firefox 26
Updated•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: mozilla.org → NSS
Updated•3 years ago
Product: NSS → CA Program