Closed Bug 1172401 Opened 9 years ago Closed 7 years ago

Add Amazon root certificates

Category: CA Program :: CA Certificate Root Program (task)

RESOLVED FIXED

Reporter: pzb, Assigned: kathleen.a.wilson

Whiteboard: In NSS 3.28.1, Firefox 51. EV-enabled in Firefox 54.

Attachments: 2 files, 2 obsolete files

CA Details
----------

CA Name: Amazon
Websites: https://aws.amazon.com/ and http://www.awstrust.com/repository/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Web Services.  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-07

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
I will start the information verification phase for this request soon.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
I'm sorry if the information shows up in the CPSes, but:

What's the maximum length of time that an OCSP response is valid, for each of the roots?  Do they constrain the maximum OCSP response validity time for subordinates?

Will any of them be used to issue intermediate certificates for external organizations to operate certifiers?
Why wouldn't you present your Certification download URL on an https: endpoint?
Flags: needinfo?(pzb)
What is the OID that is going to be used for EV certificates?
There could be other interests behind this. Several intelligence agencies/companies are involved with Amazon: 
http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/
http://www.speicherguide.de/news/amazon-tuetelt-mega-cloud-deal-mit-cia,-nsa,-fbi-co-ein-20203.aspx

How good was/is that audit?
(In reply to Marc Brooks from comment #3)
> Why wouldn't you present your Certification download URL on an https:
> endpoint?

This whole domain (www.awstrust.com) does not support HTTPS. :(
The repository is now (Cert issued yesterday 6/15) available over https. 

https://www.awstrust.com/repository


openssl x509 -inform der -subject -fingerprint -noout -startdate -enddate  -in AmazonRootCA1.cer
subject= /C=US/O=Amazon/CN=Amazon Root CA 1
SHA1 Fingerprint=8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
notBefore=May 26 00:00:00 2015 GMT
notAfter=Jan 17 00:00:00 2038 GMT

One minor error: the valid-to date for CA 1 is 17 January, not 7 January; this is not material.
Whiteboard: EV - Information Incomplete
Attached file 1172401-CAInformation.pdf (obsolete) —
I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.
Apologies for the delay.  Here is our updated application which should answer all the open questions from the information gathering document.

CA Details
----------

CA Name: Amazon
Websites: https://www.amazontrust.com/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Trust Services ("Amazon").  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

This application includes four new root CAs.  It also includes one additional root CA already in the Mozilla program which we wish to have enabled for EV certificate issuance.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):
https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf

We have reviewed the "Potentially problematic CA practices" (https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices). We fully comply with the Mozilla CA program requirements, including complying with the CA/Browser Forum Guidelines.  These requirements forbid many of the problematic practices.

Amazon allows externally operated subordinate CAs as documented in section 4.2.2 of the ATS CPS.   Third parties cannot directly cause the issuance of certificates from Amazon operated CAs.

CPS section 3.2.2.2 documents our validation procedures for verifying any email addresses to be included in certificates we issue.

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-17

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca1a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca2a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca3a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca4a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #5 Details
----------------------
Certificate Name: Starfield Services Root Certificate Authority - G2
The Starfield Services Root Certificate Authority - G2 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/SFSRootCAG2.cer
Version: X.509 v3
SHA1 Fingerprint: 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2009-09-01
Valid To : 2037-12-31

CRL HTTP URL: http://crl.rootg2.amazontrust.com/rootg2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootg2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca0a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority and Starfield Class 2 Certification Authority have issued cross certificates with this root as the subject.
Flags: needinfo?(pzb)
Please test all of the example websites given in Comment #9 with the following:

1) https://certificate.revocationcheck.com/
Make sure there are no errors.

2) https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version#EV-Readiness_Check
Comment in this bug to provide the successful output for each of the root certs to be enabled for EV treatment.
I think we can continue in our process as soon as you provide the information in Comment #10, but in the meantime...

(In reply to Peter Bowen from comment #9)
> Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for
> WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
> Auditor: EY
> Auditor Website: http://www.ey.com/
> Audit Document URL(s):
> https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf


I have previously exchanged email with an EY partner to confirm the authenticity of these audit statements.

https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
Currently says: "AWS has not issued any Subordinate CAs for the Amazon Root CA 1, Amazon Root CA 2, Amazon Root CA 3 and Amazon Root CA 4.  Since AWS does not currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable."

https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
Currently says: "AWS has not issued any Subordinate CAs or cross-signed any CAs for the Starfield Services Root Certificate Authority - G2.  Since AWS does not currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable."

So, clearly, we will need updated audit statements before this request can be approved.
Here is the output of the EV tool:

// CN=Amazon Root CA 1,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 
  0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 
  0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDE=",
"Bmyfz5m/jAo54vB4ikPmljZbyg==",
Success!

// CN=Amazon Root CA 2,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 
  0x18, 0xF8, 0x0B, 0xEC, 0x4F, 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 
  0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDI=",
"Bmyf0pY1hp8KD+WGePhbJruKNw==",
Success!

// CN=Amazon Root CA 3,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 
  0xB8, 0xDF, 0xE8, 0x68, 0xCB, 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 
  0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDM=",
"Bmyf1XSXNmY/Owua2eiedgPySg==",
Success!

// CN=Amazon Root CA 4,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 
  0x38, 0xCD, 0x62, 0x39, 0x62, 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 
  0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDQ=",
"Bmyf18G7EEwpQ+Vxe3ssyBrBDg==",
Success!

// CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 
  0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 
  0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 },
"MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7"
"MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0"
"aG9yaXR5IC0gRzI=",
"AA==",
Success!
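The EV tool output above uses the same form as NSS's EV root table: the EV policy OID, a display name, a placeholder OID tag, the root's SHA-256 fingerprint, and two base64 blobs that are the DER issuer Name and the raw serial-number bytes of the root. As an added illustration (not Mozilla's tool and not Amazon's code), the stdlib-only Python below parses an entry, decodes the DER Name with a minimal parser that handles long-form lengths and NSS-style quoting of values containing separators, and cross-checks the decoded issuer against the entry's comment line; the two entries embedded are copied from the output quoted above.

```python
"""Decode root entries from the Mozilla EV-readiness tool output quoted above.

Each entry has the form NSS uses for its EV root table: EV policy OID, display
name, placeholder OID tag, SHA-256 fingerprint of the root (32 bytes), base64
DER of the root's issuer Name, and base64 of the raw serial-number bytes.
The two entries are copied from the bug; the parser is an added illustration.
"""
import base64
import re

# RFC 4519 short names for attribute types usually seen in root issuer names.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E"}

AMAZON_ROOT_CA_1_ENTRY = r"""
// CN=Amazon Root CA 1,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3,
  0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC,
  0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDE=",
"Bmyfz5m/jAo54vB4ikPmljZbyg==",
Success!
"""

STARFIELD_G2_ENTRY = r"""
// CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02,
  0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13,
  0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 },
"MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7"
"MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0"
"aG9yaXR5IC0gRzI=",
"AA==",
Success!
"""

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Dotted form of a DER OBJECT IDENTIFIER content octet string."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def decode_name(der):
    """Render a DER X.501 Name the way NSS prints it: most specific RDN first."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE of SET"
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)  # one SET of AttributeTypeAndValue
        parts, p = [], 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)
            _, oid, q = _tlv(atv, 0)
            str_tag, val, _ = _tlv(atv, q)
            text = val.decode({0x1E: "utf-16-be", 0x0C: "utf-8"}.get(str_tag, "latin-1"))
            if any(c in text for c in ',+"\\<>;'):
                text = '"%s"' % text  # NSS quotes values that contain separators
            parts.append("%s=%s" % (OID_NAMES.get(_decode_oid(oid), _decode_oid(oid)), text))
        rdns.append("+".join(parts))
    return ",".join(reversed(rdns))

def parse_entry(text):
    """Split one entry into fields, decode the base64 blobs, and cross-check them."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    i = 4  # lines[3] is the SEC_OID_* placeholder
    while not lines[i].endswith("},"):  # fingerprint array may span several lines
        i += 1
    j = i + 1
    while not lines[j].endswith(","):  # issuer base64 may be split across lines
        j += 1
    fp = bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", " ".join(lines[4:i + 1])))
    issuer = decode_name(base64.b64decode("".join(l.strip('",') for l in lines[i + 1:j + 1])))
    comment = lines[0].lstrip("/").strip()
    return {"comment": comment, "policy_oid": lines[1].strip('",'),
            "display_name": lines[2].strip('",'), "fingerprint": fp, "issuer": issuer,
            "serial_hex": base64.b64decode(lines[j + 1].strip('",')).hex(),
            "fingerprint_ok": len(fp) == 32, "issuer_matches_comment": issuer == comment}
```

The decoded serial and fingerprint can then be compared with what `openssl x509 -serial -fingerprint -sha256` reports for the downloaded root, which is the cross-check a reviewer of an inclusion request wants.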
Attached file 1172401-CAInformation.pdf (obsolete) —
I entered all of the new data into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide any corrections.

Noted in the document: https://certificate.revocationcheck.com/ is still showing timeout errors for the test websites. Please fix.
Attachment #8624480 - Attachment is obsolete: true
All URLs are now working on certificate.revocationcheck.com.  The problem was an IPv6 issue which is now resolved.  No errors are being reported at this time.

Please update the CA Email Alias 1 to amazontrust [at] amazon.com.  This is our standard address.
ats-tsp-requests [at] amazon.com can be used to report certificate issues 24x7, but we prefer to not use it for routine contacts.

We have a set of period-of-time audits currently in progress.  As we now have subordinate CAs which issue subscriber certificates these reports are not expected to contain the statement above.  We understand that this inclusion request cannot be completed without the new reports, but we hope that the new reports will not block starting the public discussion.
Attachment #8707200 - Attachment is obsolete: true
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.
Whiteboard: EV - Information Incomplete → EV -Ready for Public Discussion
The description from Peter Bowen mentions this:

"We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon."

However, the product detail pages and the documentation at AWS clearly state that certificates issued by AWS Certificate Manager can be used only for Elastic Load Balancer and CloudFront:

http://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html
"Currently, ACM Certificates can be used only with Elastic Load Balancing and Amazon CloudFront."

https://docs.aws.amazon.com/acm/latest/userguide/gs-elb.html
"You do not install your ACM Certificate directly on the Amazon EC2 instances that contain your website or your application. Instead, you associate the ACM Certificate with an AWS service"

Will ACM-issued certificates at some point be usable outside AWS, as Peter's statement implies?
Amazon Trust Services has now received WebTrust seals and period of time audit reports.  This should resolve the item noted in comment 11.

https://cert.webtrust.org/ViewSeal?id=1998 (Trust Service Principles and Criteria for Certification Authorities Version 2.0)
https://cert.webtrust.org/ViewSeal?id=1999 (WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0)
https://cert.webtrust.org/ViewSeal?id=2000 (WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5)
One clarification point with regards to hierarchy: When we offer Extended Validation Server Authentication certificates to third parties, we will establish a specific subordinate CA for this purpose.  For issuing EV certificates for testing we used subordinate CAs that have only issued certificates for testing and have only issued to affiliates of the CA or the CA itself.  The certificates issued for testing are a mix of Extended and Standard validation.
I am now opening the public discussion period for this request from Amazon to enable EV treatment for the currently-included “Starfield Services Root Certificate Authority - G2” certificate, and to include the following 4 new root certificates, turn on the Email and Websites trust bits for them, and enable EV treatment for all of them.
- Amazon Root CA 1 (RSA key with a 2048 bit long modulus)
- Amazon Root CA 2 (RSA key with a 4096 bit long modulus)
- Amazon Root CA 3 (EC key on the NIST P-256 curve)
- Amazon Root CA 4 (EC key on the NIST P-384 curve) 

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "Amazon Root Inclusion Request".

Please actively review, respond, and contribute to the discussion.

A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV -Ready for Public Discussion → EV - In Public Discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]. 
I am not aware of instances where Amazon Trust Services (Amazon) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
Amazon appears to provide a service relevant to Mozilla users. Customers of the Amazon PKI are the general public. Amazon does not require that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

Root Certificate Name: Amazon Root CA 1
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: https://www.amazontrust.com/repository/AmazonRootCA1.cer

Root Certificate Name: Amazon Root CA 2
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA2.cer

Root Certificate Name: Amazon Root CA 3
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA3.cer

Root Certificate Name: Amazon Root CA 4
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA4.cer

Root Certificate Name: Starfield Services Root Certificate Authority - G2
O From Issuer Field: Starfield Technologies, Inc.
Trust Bits: Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: This root cert is already included in NSS. 

CA Document Repository: https://www.amazontrust.com/repository/
CP: http://www.awstrust.com/repository/cp.pdf
CPS: http://www.awstrust.com/repository/cps.pdf
Subscriber Agreement: https://www.amazontrust.com/repository/sa-1.1.pdf

Certificate Revocation
CRL URL(s):
http://crl.rootca1.amazontrust.com/rootca1.crl
http://crl.rootca2.amazontrust.com/rootca2.crl
http://crl.rootca3.amazontrust.com/rootca3.crl
http://crl.rootca4.amazontrust.com/rootca4.crl
http://crl.rootg2.amazontrust.com/rootg2.crl
CP section 4.9.7: CRL issuing frequency for subscriber certificates is at least once every seven days
OCSP URL(s):
http://ocsp.rootca1.amazontrust.com/
http://ocsp.sca1a.amazontrust.com
http://ocsp.rootca2.amazontrust.com/
http://ocsp.sca2a.amazontrust.com
http://ocsp.rootca3.amazontrust.com/
http://ocsp.sca3a.amazontrust.com
http://ocsp.rootca4.amazontrust.com/
http://ocsp.sca4a.amazontrust.com
http://ocsp.rootg2.amazontrust.com
http://ocsp.sca0a.amazontrust.com
CP section 4.9.10: OCSP responses from this service MUST have a maximum expiration time of ten days

Inclusion Policy Section 7 [Validation]. 
Amazon appears to meet the minimum requirements for subscriber verification, as follows:

* SSL Verification Procedures are clearly described in CPS and CP section 3.2.2, and demonstrate that Amazon confirms that the certificate subscriber owns/controls the domain names to be included in the certificate.

* EV SSL Verification Procedures are clearly described in CP section 3.2.

* Email Verification Procedures are clearly described in CPS section 3.2.2, and show that Amazon confirms that the certificate subscriber owns/controls the email address to be included in the certificate.

* Code Signing Subscriber Verification Procedure: Mozilla is no longer accepting requests to enable the Code Signing trust bit.

Inclusion Policy Sections 11-14 [Audit]
Annual audits are performed by EY, according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1998&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1999&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=2000&file=pdf

Inclusion Policy Section 18 [Certificate Hierarchy]
The Amazon Root CAs will have internally-operated subordinate CAs that will issue certs for SSL, Code Signing, Email, etc. There will be separate subCAs for EV certificate issuance. 
Externally-operated subCAs are permitted according to the CPS. CPS section 4.2.2 clarifies that externally-operated subCAs are either technically constrained or must be audited according to the WebTrust criteria.

Based on this assessment I intend to approve this request from Amazon to enable EV treatment for the currently-included "Starfield Services Root Certificate Authority - G2" certificate; and to include the following 4 new root certificates, turn on the Email and Websites trust bits for them, and enable EV treatment for all of them.
- Amazon Root CA 1 (RSA key with a 2048 bit long modulus)
- Amazon Root CA 2 (RSA key with a 4096 bit long modulus)
- Amazon Root CA 3 (EC key on the NIST P-256 curve)
- Amazon Root CA 4 (EC key on the NIST P-384 curve)
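Added example, not part of this bug and not Amazon's own tooling: the revocation section above cites CP 4.9.7 (CRLs issued at least every seven days) and CP 4.9.10 (OCSP responses valid for at most ten days). A relying party or auditor can spot-check the CRL side of that from a CRL file alone, by reading thisUpdate/nextUpdate out of the DER CertificateList and comparing the advertised window with the policy bound. The checker below is stdlib-only, so it works on a rootca1.crl downloaded from the URL listed above; the CRL bytes it ships with are constructed here (placeholder issuer, placeholder signature, no revoked entries) so it runs offline. The advertised window is only a stand-in for issuance frequency, which can only be measured by polling over time, and this code deliberately does not verify the CRL signature.

```python
import datetime as dt

# --- minimal DER helpers (stdlib only) ---

def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_time(t):
    """RFC 5280 4.1.2.5: UTCTime for years 1950-2049, GeneralizedTime otherwise."""
    if 1950 <= t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(this_update, next_update, issuer_cn="Constructed Test CA"):
    """Constructed CertificateList for this example only: no revoked entries and a
    zero-filled placeholder signature. It is NOT an Amazon CRL and would fail
    signature verification; the checker below never verifies signatures."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSAEncryption, NULL params
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, issuer_cn.encode()))))  # Name: CN=<issuer_cn>
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sig_alg + issuer + _encode_time(this_update) + _encode_time(next_update))  # v2, no revokedCertificates
    signature = _tlv(0x03, b"\x00" + bytes(32))  # BIT STRING, 0 unused bits, placeholder bytes
    return _tlv(0x30, tbs + sig_alg + signature)


# --- parsing the validity window back out ---

def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_time(tag, content):
    s = content.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; two-digit year mapped per RFC 5280
        yy = int(s[:2])
        s = ("%d" % (1900 + yy if yy >= 50 else 2000 + yy)) + s[2:]
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("expected UTCTime or GeneralizedTime, got tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def crl_validity_window(crl_der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, outer, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, _, pos = _read_tlv(tbs, 0)           # optional version INTEGER, else signature AlgorithmIdentifier
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    tag, _, pos = _read_tlv(tbs, pos)         # issuer Name
    tag, content, pos = _read_tlv(tbs, pos)   # thisUpdate
    this_update = _decode_time(tag, content)
    next_update = None
    if pos < len(tbs):
        tag, content, _ = _read_tlv(tbs, pos)  # nextUpdate is optional; revokedCertificates would be a SEQUENCE
        if tag in (0x17, 0x18):
            next_update = _decode_time(tag, content)
    return this_update, next_update


def check_crl_freshness(crl_der, max_window_days=7, now=None):
    """Compare the advertised window with a policy bound (7 days per CP 4.9.7 for CRLs,
    10 days per CP 4.9.10 if reused for an OCSP validity window) and flag expiry."""
    now = now or dt.datetime.now(dt.timezone.utc)
    this_update, next_update = crl_validity_window(crl_der)
    if next_update is None:  # no nextUpdate: treat as unusable for freshness purposes
        return {"this_update": this_update, "next_update": None, "window_days": None,
                "within_policy": False, "expired": True}
    window_days = (next_update - this_update).total_seconds() / 86400
    return {"this_update": this_update, "next_update": next_update, "window_days": window_days,
            "within_policy": window_days <= max_window_days, "expired": now > next_update}


# Constructed sample CRLs and a fixed reference time so the checks are reproducible.
NOW = dt.datetime(2016, 10, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
GOOD_CRL = build_sample_crl(NOW - dt.timedelta(days=1), NOW + dt.timedelta(days=6))    # 7-day window, current
WIDE_CRL = build_sample_crl(NOW - dt.timedelta(days=1), NOW + dt.timedelta(days=13))   # 14-day window
STALE_CRL = build_sample_crl(NOW - dt.timedelta(days=9), NOW - dt.timedelta(days=2))   # 7-day window, expired
FAR_CRL = build_sample_crl(dt.datetime(2050, 1, 1, tzinfo=dt.timezone.utc),
                           dt.datetime(2050, 1, 8, tzinfo=dt.timezone.utc))            # exercises GeneralizedTime

if __name__ == "__main__":
    for name, crl in (("good", GOOD_CRL), ("wide", WIDE_CRL), ("stale", STALE_CRL)):
        print(name, check_crl_freshness(crl, 7, NOW))
```

To run it against a real CRL from the list above, fetch it out of band and call check_crl_freshness(open("rootca1.crl", "rb").read()); the default now is the current time. The parser walks only the fixed-position fields before revokedCertificates, so it does not care how many entries the CRL carries.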
Whiteboard: EV - In Public Discussion → EV - Pending Approval
As per the summary in Comment #22, and on behalf of Mozilla I approve this request from Amazon Trust Services (Amazon) to include the following root certificates:

** "Amazon Root CA 1" (websites, email), enable EV
** "Amazon Root CA 2" (websites, email), enable EV
** "Amazon Root CA 3" (websites, email), enable EV
** "Amazon Root CA 4" (websites, email), enable EV

And to enable EV treatment for the following root certificate that is already included:

** "Starfield Services Root Certificate Authority - G2" (websites, email), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1303377
Depends on: 1303383
I have filed bug #1303377 against NSS and bug #1303383 against PSM for the actual changes.

Peter, please add a comment in this bug when the Amazon CP and CPS have been updated to address the comments noted in the discussion.
https://groups.google.com/d/msg/mozilla.dev.security.policy/zZ5RHXCkpGM/a0mEu8-sBwAJ
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.28.1, Firefox 51 - awaiting PSM changes for EV enablement
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.28.1, Firefox 51 - awaiting PSM changes for EV enablement → In NSS 3.28.1, Firefox 51. EV-enabled in Firefox 54.
Product: mozilla.org → NSS
CA requested removal for Amazon Root CA 4: https://android.googlesource.com/platform/system/ca-certificates/+/refs/heads/oreo-r6-release ? 
Need confirmation (re-check) of this information.

Thanks,
Andrew.
Flags: needinfo?(pzb)
Sorry, I was wrong. All good this.
Flags: needinfo?(pzb)
Product: NSS → CA Program