Closed Bug 632292 Opened 15 years ago Closed 9 years ago

Add Netrust root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: huishi.seet, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: Information incomplete)

Attachments

(13 files, 2 obsolete files)

CA’s associated organization
10.92 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
Netrust Root Cert
1.51 KB, application/x-x509-ca-cert
Details
Initial CA Information Document
61.23 KB, application/pdf
Details
Updated
12.17 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
Email address/code signing verification procedures and Audits information
164.46 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
Audit doc
776.37 KB, application/pdf
Details
Updated CA Information
73.42 KB, application/pdf
Details
CA Audit Comparative Analysis - Singapore 2007
1.46 MB, application/pdf
Details
Auditor cisa cert
680.38 KB, application/pdf
Details
auditor cv
123.92 KB, application/pdf
Details
DOC250311.pdf
414.70 KB, application/pdf
Details
Netrust-Audit of Certificate Authority 2010.pdf
776.37 KB, application/pdf
Details
UPdated CA audit doc
183.50 KB, application/octet-stream
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 (.NET CLR 3.5.30729) Build Identifier: TO include Netrust root cert in Mozilla Reproducible: Always
Please provide the rest of the information that is listed here: https://wiki.mozilla.org/CA:Information_checklist Please be specific and also provide direct urls and document section/page numbers where applicable. For instance, for the Root Cert URL, it is not sufficient to say "www.netrust.net". The CA must provide the direct url to the cert download. For Policy Documentation, it is not sufficient to say "Kindly refer to cps.pdf". The CA must provide the direct urls to the relevant CP/CPS documentation and the section/page numbers that respond to the specific items about verification procedures.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV- information incomplete
The Root cert URL is https://www.netrust.net/rootcert.php As for the direct url for policy doc is https://www.netrust.net/docs/ourpractices/cps.pdf Sorry for any inconvenience caused
Attached file Netrust Root Cert
Summary: TO include Netrust root cert in Mozilla → Add Netrust root certificate
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Attached file Updated
Does the "Netrust CA1" root certificate sign end-entity certificates directly? Does the "Netrust CA1" root certificate have any sub-ordinate (intermediate CAs)? Are you requesting EV treatment? If yes, then a) Please provide the url to the CP/CPS for EV SSL certificates. b) OSCP is required. c) Please provide the url to a website whose EV SSL cert chains up to this root. On https://www.netrust.net/ourpractices.php in the Certificate Policies section it says: “Netrust issues multiple classes of certificates to support different certificate user communities. Each class of certificates is governed by a CP that differentiates the use of the certificates for different application purposes and/or by different certificate user communities. The CP(s) include:” Which of the certificates in the list chain up to this root? For audit, please see sections 9 through 14 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html and provide the corresponding information. Audit Type: Auditor: Auditor Website: URL to Audit Report and Management’s Assertions: For Subscriber verification procedures (SSL, S/MIME, Code signing), please see sections 6, 7, 8, and 14 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html and provide the corresponding information. For the Potentially Problematic Practices that you responded with a "Yes", please provide further information about how it applies, and the steps that you take to mitigate the risks involved. Please included pointers to sections of your public-facing documentation that address these.
Does the "Netrust CA1" root certificate sign end-entity certificates directly? Yes Does the "Netrust CA1" root certificate have any sub-ordinate (intermediate CAs)? No Are you requesting EV treatment? No Audit Type: Auditor: Tay Ghim Hui (Associate Security Consultant) Email: tay.ghimhui@e-cop.net Auditor Website:http://www.e-cop.net/ URL to Audit Report and Management’s Assertions: DO you mean the full audit report?
(In reply to comment #10) > Does the "Netrust CA1" root certificate sign end-entity certificates directly? > Yes > > Does the "Netrust CA1" root certificate have any sub-ordinate (intermediate > CAs)? > No > Issuing end-entity certs directly from the root is not as secure as using an offline root and issuing certificates using a subordinate CA. Why does your root directly sign end-entity certs? What actions are taken to mitigate the risk? Is it possible for you to modify your practices such that the root cert is offline and only signs intermediate CAs which sign end-entity certs? > Audit Type: > Auditor: Tay Ghim Hui (Associate Security Consultant) > Email: tay.ghimhui@e-cop.net > Auditor Website:http://www.e-cop.net/ > URL to Audit Report and Management’s Assertions: DO you mean the full audit > report? The audit type must be one of the criteria listed in #9 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html The auditor must meet the requirements of #10 and #11 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html We do not expect that the full, detailed audit report be provided. However, the auditor must provide a statement about what was audited, the criteria that was use, and a summary of the findings.
Attached file Audit doc
From the audit statement: "The purpose of this audit was to express an opinion on the compliance of Netrust in implementing the control objectives as specified in the Security Guidelines for Certificate Authority and the ISO27001/27002:2005 Standard. Is this equivalent to any of the items in the list of accepted criteria in section 9 of the Mozilla CA Cert Policy? http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
Do you need more document or item?
There are questions in Comment #11 and Comment #13 that still need to be answered.
Whiteboard: EV- information incomplete → Information incomplete
Attached file Updated CA Information
Updated the CA Information document to show where there are issues and where more information is needed -- see the items highlighted in yellow.
Attached file Auditor cisa cert
Attached file auditor cv
Attached file DOC250311.pdf
Attached file LRA Audit Guide 1.2.pdf (obsolete) —
Attached file UPdated CA audit doc
Thank you for the information. > Attached is the Netrust SSL Verification Procedures > document and Entrust verification Procedures document > (LRA Audit Guide 1.2.pdf and) I see the Entrust LRA Audit Guide, but I don’t understand what it has to do with this root inclusion request. I did not find the Netrust SSL Verification Procedures document. Which attachment is that? > test site: http://testconnector.netrust.net/ Please provide an https URL to a website whose SSL certificate chains up to this root. >> The “Netrust CA1” root signs end-entity certificates directly. >> It does not have any subordinate CAs. > > Our Root CA is located at a highly secure data center and > the keys are stored in HSM. It is very likely that the Mozilla CA Certificate Policy will be updated soon to require that roots do not sign end-entity certificates directly. Roots will most likely be required to be offline, and only sign intermediate certificates. On https://www.netrust.net/ourpractices.php in the Certificate Policies section it says: “Netrust issues multiple classes of certificates to support different certificate user communities..." Why don’t you have an intermediate certificate corresponding to each CP?
Attached file SSL Manual V2 - on verification of ssl (obsolete) —
Hi, Netrust is the authorize distributor for Entrust SSL Cert and we are not issue our own SSL cert. We only have 1 CP but it points to different OID(Enterprise/webcert)
Re comment #26: For Web site certificates, Netrust is merely a third-party reseller of Entrust certificates. This request should NOT be approved for Web sites.
Netrust, Please identify which trust bits you are requesting to be enabled for this root; one or more of websites (SLL), email (S/MIME), and/or code signing. If you are requesting that SSL certs be enabled for this root, then you must provide your own documentation about Netrust's process for verifying the information that is to be included in the SSL certs. You may not use Entrust's documentation for this. If you do not issue SSL certs in the hierarchy of this particular root, then you should not be requesting that the websites trust bit be enabled.
Attachment #532147 - Attachment is obsolete: true
Attachment #534373 - Attachment is obsolete: true
Subscriber will submit the request by creating a CSR generated from the subscriber server. Hence Netrust will perform the following verification procedures 1. Proof of Rights verification – Netrust Pte Ltd will check and validate that the company’s legally registered name is existing and currently active. This will be checked and verified thru a government website that allows public to check and validate company’s existence OR obtaining a copy of their business registration certificate, registrar of society or equivalent documents in their respective countries. 2. Ownership of domain name – Netrust Pte Ltd will verify that the subscriber is the registrant or the owner of the domain name. This can be checked and verified thru domain information lookup from whois sites. Any application which does not conform to this requirement will be rejected. 3. Fields in the distinguish name will be checked against all verified information such as domain name, company name and country reflected in the Proof of Rights. i.e. Domain name against whois, company and country of origin against incorporation documents etc. 4. Contact employment verification – Netrust Pte Ltd will verify that the contact personnel is legally and rightfully employed by the company. The company’s contact number will be verified thru the yellowpages directory and contact will be initiated to the company upon obtaining their details from the directory for personnel’s employment verification. 5. Upon completion of the verification procedures, the certificate will be generated according to the CSR and sent to subscriber accordingly.
(In reply to comment #29) Please provide the URL(s) and section number(s) where this information may be found in your CP/CPS for the "Netrust CA1" root certificate. Mozilla CA Certificate Policy: http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html "6. We require that all CAs whose certificates are distributed with our software products: + provide some service relevant to typical users of our software products; + publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);" and "7. We consider verification of certificate signing requests to be acceptable if it meets or exceeds the following requirements: + all information that is supplied by the certificate subscriber must be verified by using an independent source of information or an alternative communication channel before it is included in the certificate; + for a certificate to be used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf; + for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf; + for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;"
There's no update from CA for more than 1.5 year. Closing this bug for now as Won't fix. If CA ever provide further information, this bug will be re-opened.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: