908827 - DigiCert Root Inclusion Request

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Christopher Skarda]

DigiCert would like to request inclusion of the following 5 new root certificates to the NSS store:

Friendly Name: "DigiCert Assured ID Root G2"
Signature Algorithm: SHA-256 with RSA
Key Size: 2048-bit RSA
Valid From: August 1, 2013
Valid to: January 15, 2038
SHA1 fingerprint: A1 4B 48 D9 43 EE 0A 0E 40 90 4F 3C E0 A4 C0 91 93 51 5D 3F

Friendly Name: "DigiCert Assured ID Root G3"
Signature Algorithm: ECDSA Signature with SHA-384
Key Size: 384-bit ECC
Valid From: August 1, 2013
Valid to: January 15, 2038
SHA1 fingerprint: F5 17 A2 4F 9A 48 C6 C9 F8 A2 00 26 9F DC 0F 48 2C AB 30 89

Friendly Name: "DigiCert Global Root G2"
Signature Algorithm: SHA-256 with RSA
Key Size: 2048-bit RSA
Valid From: August 1, 2013
Valid to: January 15, 2038
SHA1 Fingerprint: DF 3C 24 F9 BF D6 66 76 1B 26 80 73 FE 06 D1 CC 8D 4F 82 A4

Friendly Name: "DigiCert Global Root G3"
Signature Algorithm: ECDSA Signature with SHA-384
Key Size: 384-bit ECC
Valid From: August 1, 2013
Valid to: January 15, 2038
SHA1 Fingerprint: 7E 04 DE 89 6A 3E 66 6D 00 E6 87 D3 3F FA D9 3B E8 3D 34 9E

Friendly Name: "DigiCert Trusted Root G4"
Signature Algorithm: SHA-384 with RSA
Key Size: 4096-bit RSA
Valid From: August 1, 2013
Valid to: January 15, 2038
SHA1 Fingerprint: DD FB 16 CD 49 31 C9 73 A2 03 7D 3F C8 3A 4D 7D 77 5D 05 E4

All five certificate files will be attached to this bug.  Test links are available for each root as follows: 

https://assured-id-root-g2.digicert.com
https://assured-id-root-g3.digicert.com
https://global-root-g2.digicert.com
https://global-root-g3.digicert.com
https://trusted-root-g4.digicert.com

These new DigiCert root certificates should be added to the existing set of DigiCert root certificates which are already trusted in NSS.  All five are used for issuing intermediate certificates which are then used to issue end-entity SSL, email, and code-signing certificates.  All five of these roots will be used with EV certificates and time stamping.

DigiCert's EV Policy OID: 2.16.840.1.114412.2.1

DigiCert's CP is available at http://www.digicert.com/docs/cps/DigiCert_CP_v405-May-2-2013.pdf

DigiCert's CPS is available at http://www.digicert.com/docs/cps/DigiCert_CPS_v405-May-2-2013.pdf

None of these DigiCert Root certificates have subordinate CAs that are operated by by external third parties.  There are no other root certificates that have issued cross-signing certificates for any of these five root certificates.

Comment 1

[Christopher Skarda]

Attachment: DigiCertAssuredIDRootG2.crt

Comment 2

[Christopher Skarda]

Attachment: DigiCertAssuredIDRootG3.crt

Comment 3

[Christopher Skarda]

Attachment: DigiCertGlobalRootG2.crt

Comment 4

[Christopher Skarda]

Attachment: DigiCertGlobalRootG3.crt

Comment 5

[Christopher Skarda]

Attachment: DigiCertTrustedRootG4.crt

Comment 6

[Kathleen Wilson]

I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

Comment 7

[Kathleen Wilson]

Which of DigiCert's already-included root certs will eventually be replaced by these new root certs?
(http://www.mozilla.org/projects/security/certs/included/index.html)

Is Bug #617179 still needed? Or does this bug replace it?

Comment 8

[Christopher Skarda]

These are DigiCert's next-generation certificates. With growing rumors of potential weakness in certain encryption and signing algorithms, DigiCert has decided to diversify the algorithms used in our new root certificates. This will ensure that we are able to meet the needs of our users in the coming years.  We have both RSA and ECC versions of our new "Assured" and "Global" roots as we anticipate demand for both algorithms from each of these roots in the future.


The new "Assured ID" roots will eventually replace the current DigiCert Assured ID Root CA certificate.
The new "Global" roots will eventually replace the current DigiCert Global Root CA certificate.
The new "Trusted" root will eventually replace the current DigiCert High Assurance EV Root CA certificate


The original DigiCert Root certificates should remain in the NSS root store until the new root certificates gain sufficient ubiquity to replace the originals, and the end entity certificates signed by the original roots all expire.

Comment 9

[Christopher Skarda]

This request replaces Bug #617179

Comment 11

[Kathleen Wilson]

Attachment: Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.

Comment 12

[Jeremy Rowley]

Thanks Kathleen.  Here is additional clarification:
1) Technical Constraints on Third-Party Issuers:  DigiCert does not permit third parties to act as true CAs or RAs. DigiCert verifies certificate information, including control over the domain, using its own personnel. Our CPS has placeholders talking about the use of CAs and RAs external to DigiCert, but we do  not plan to implement any external RAs or CAs in the near future.
2) Multi-factor Authentication: Multi-factor authentication is required on all accounts that can cause issuance.  All such accounts are internal DigiCert internal accounts.
3) Network Security: We recently completed a scan for misissuance of certificates and found no anomolies.  In addition, we comply with the network security guidelines, have an intrusion detection system, and can turn off certificate issuance immediately in the event of a compromise. We undergo frequent pen tests by an independent third party to ensure that we are aware of any weaknesses in our system.  Logs of sensitive systems are reviewed regularly, both manually and automatically, to detect anomalies and suspicious activity.  
4) IDNs: IDN handling is referenced in Section 3.1.3 and 3.1.4 of the CPS.  All IDNs are reviewed by validation staff to ensure they are not misleading or prone to confusion.
5) DNS Names in SAN: All DNS names are listed in the SAN. Names in the CN field are duplicated in the SAN.
6) Domain owned by a natural person: Per the BRs, DigiCert only uses the CN field to display address information. Individual identity information is displayed in the O field. 
7) Private Key Generation: DigiCert does not generate private keys for SSL customers. Client certificate private keys are delivered in a PKCS#12 file.
8) DV Certificates:  DigiCert does not issue DV certificates.  We have included them in our CPS as an option in case we ever see a truly compelling need.  However, we have currently taken a hard stance that these certificates are dangerous to the Internet and should not be allowed.  We currently do not have plans to provide DV certs. 
9) Private/Internal Names:  DigiCert is currently issuing certificates with private/internal names. Per the BRs and Section 3.1.1 of our CPS, we plan to halt this process and revoke all existing certificates by the deadline.  All such certificates currently being issued have an expiration date before October 1, 2016.  DigiCert is also actively working with ICANN to ensure these names do not impact the release of the new gTLDs.

Comment 13

[Christopher Skarda]

Our OCSP responses are valid for seven days.

Comment 14

[Jeremy Rowley]

Attachment: DigiCert Assured ID Root G2 (screen shot).png

Comment 15

[Jeremy Rowley]

Attachment: DigiCert Assured ID Root G3 (screen shot).png

Comment 16

[Jeremy Rowley]

Attachment: DigiCert Global Root G2 (screen shot).png

Comment 17

[Jeremy Rowley]

Attachment: DigiCert Global Root G3 (screen shot).png

Comment 18

[Jeremy Rowley]

Attachment: DigiCert Trusted Root G4 (screen shot).png

Comment 19

[Kathleen Wilson]

Attachment: Completed CA Information Document

Comment 20

[Kathleen Wilson]

I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Comment 21

[Jeremy Rowley]

Thanks Kathleen!

Comment 22

[Kathleen Wilson]

I am now opening the first public discussion period for this request from DigiCert to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that are currently included in NSS. The request is to turn on all 3 trust bits and enable EV for all of the new root certs.

1) DigiCert Assured ID Root G2 -- This SHA-256 root will eventually replace the SHA-1 “DigiCert Assured ID Root CA” certificate.

2) DigiCert Assured ID Root G3 -- The ECC version of the Assured ID root. 

3) DigiCert Global Root G2 -- This SHA-256 root will eventually replace the SHA-1 “DigiCert Global Root CA” certificate.

4) DigiCert Global Root G3 -- The ECC version of the Global root. 

5) DigiCert Trusted Root G4 -- This SHA-384 root will eventually replace the SHA-1 “DigiCert High Assurance EV Root CA” certificate.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “DigiCert Request to Include Renewed Roots”.

Please actively review, respond, and contribute to the discussion.

A representative of DigiCert must promptly respond directly in the discussion thread to all questions that are posted.

Comment 23

[Kathleen Wilson]

The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that are currently included in NSS. The request is to turn on all 3 trust bits and enable EV for all of the new root certs.

1) DigiCert Assured ID Root G2 -- This SHA-256 root will eventually replace the SHA-1 “DigiCert Assured ID Root CA” certificate.

2) DigiCert Assured ID Root G3 -- The ECC version of the Assured ID root. 

3) DigiCert Global Root G2 -- This SHA-256 root will eventually replace the SHA-1 “DigiCert Global Root CA” certificate.

4) DigiCert Global Root G3 -- The ECC version of the Global root. 

5) DigiCert Trusted Root G4 -- This SHA-384 root will eventually replace the SHA-1 “DigiCert High Assurance EV Root CA” certificate.

Section 4 [Technical]. I am not aware of instances where DigiCert has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. DigiCert appears to provide a service relevant to Mozilla users. It is a US-based commercial CA with headquarters in the Utah. DigiCert provides digital certification and identity assurance services internationally to a variety of sectors including business, education, and government.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which are in English.

Legal Repository: http://www.digicert.com/ssl-cps-repository.htm 

CP: http://www.digicert.com/docs/cps/DigiCert_CP_v405-May-2-2013.pdf 

CPS: http://www.digicert.com/docs/cps/DigiCert_CPS_v405-May-2-2013.pdf

Section 7 [Validation]. DigiCert appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: As described in section 3.2.2 of the CPS, DigiCert verifies the applicant’s right to use or control the domain names that will be listed in the certificate by using WHOIS, other DNS record information, an email challenge-response mechanism, or another practical demonstration of domain control.

* Email: As described in section 3.2.3 of the CPS, DigiCert or an RA verifies applicant's control of the email address or website listed in the certificate.

* Code: Section 3.2.3 and 3.2.5 of the CPS outline the steps DigiCert takes to confirm the identity and authority of the applicant to request a code signing certificate. The requester’s contact information is verified with an authoritative source within the applicant’s organization (e.g. corporate, legal, IT, HR, or other appropriate organizational sources) using a reliable method of communication. The contact information is then used to confirm the authenticity of the certificate request.

Section 18 [Certificate Hierarchy]. All of the new root certs will have internally-operated intermediate certificates for issuing SSL, email, and code-signing certificates

* EV Policy OID: 2.16.840.1.114412.2.1
EV treatment is requested for all of the new root certs.

* OCSP: http://ocsp.digicert.com

Sections 11-14 [Audit].  Annual audits are performed by KPMG according to the WebTrust CA and WebTrust EV criteria.
https://cert.webtrust.org/SealFile?seal=1527&file=pdf (2013.07.12)
https://cert.webtrust.org/SealFile?seal=1527&file=pdf (2013.07.12)

Based on this assessment I intend to approve this request to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that are currently included in NSS. The request is to turn on all 3 trust bits and enable EV for all of the new root certs.

Note that inclusion will be on hold until the upcoming BR audit statement has been provided and confirmed.

Comment 24

[Kathleen Wilson]

BR Audit: https://cert.webtrust.org/SealFile?seal=1677&file=pdf

Comment 25

[Kathleen Wilson]

As per the summary in Comment #23, and on behalf of Mozilla I approve this request from DigiCert to include the following 5 root certificates:

1) DigiCert Assured ID Root G2 (websites, email, code signing), enable EV

2) DigiCert Assured ID Root G3 (websites, email, code signing), enable EV

3) DigiCert Global Root G2 (websites, email, code signing), enable EV

4) DigiCert Global Root G3 (websites, email, code signing), enable EV

5) DigiCert Trusted Root G4 (websites, email, code signing), enable EV

I will file the NSS and PSM bugs for the approved changes.

Comment 26

[Kathleen Wilson]

I have filed bug #1021039 against NSS and bug #1021093 against PSM for the actual changes.