Closed Bug 562399 Opened 14 years ago Closed 13 years ago

Enable Camerfirma root certificates for EV in PSM

Categories

(Core :: Security: PSM, enhancement)

VERIFIED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

Details

Per bug 406968 the request from Camerfirma has been approved to enable
its "Chambers of Commerce Root - 2008" and "Global Chambersign Root - 2008" root certificates for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows.

Friendly name: Chambers of Commerce Root - 2008
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
Test URL: https://server2.camerfirma.com:8082/

If testing determines that it is problematic to have two EV Policy OIDs for
a root, then Camerfirma would choose to use the first OID listed for each root.
Ramiro, please confirm that the above information is correct.
Yes it is correct.

Regards
Ramiro
Thanks for confirming that the data in this bug is correct. 

This bug is dependent on bug 562395 because the root certificates need to be included in NSS before they can be enabled for EV in the PSM.
Depends on: 582579
No longer depends on: 582579
As per https://bugzilla.mozilla.org/show_bug.cgi?id=562395#c10

The new test URLs are:

Chambers of Commerce Root – 2008 --  https://www.camerfirma.com 

Global Chambersign Root – 2008  -- https://server3.camerfirma.com
Depends on: 614852
I can't connect to https://www.camerfirma.com/
see also bug 562395 comment 15 for more details.

I can connect to https://server3.camerfirma.com/
and I get the green EV status.
I can connect to both of them, please try again. But I do not see the green EV status.
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
(In reply to comment #6)
> I can connect to both of them, please try again. But I do not see the green EV
> status.

The old testbuild did not yet enable EV.
The new testbuild from comment 7 now enables EV for your roots.
This bug is about EV.
Let's not mix bug 562395 and this one.

Bug 562395 is about adding your roots to NSS.
That bug is mostly done, as soon as you confirm (in bug 562395).

This bug 562399 is about enabling your roots for EV.
This is not yet done.


You have requested to enable 4 combinations of {root, oid} for EV.
I think the most recent information about your test sites is in bug 562395 comment 10.


I will copy that information into this bug, in the next comment.
Copying information from bug 562395 comment 10:


The new test websites for these roots are as follows. Note that these websites
are currently on servers that are used by Camerfirma developers for testing
purposes, so it is possible that at times these may be temporarily offline.

--  Chambers of Commerce Root – 2008 --

https://server1.camerfirma.com:8081    
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
(This is the OID for OV certs)

https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP
enforced. 
The SSL certs for both of these sites chain up to the intermediate CA
“Camerfirma Corporate Server – 2009”.
The AIA for both the end-entity certs and the intermediate cert has
OCSP: URI: http://ocsp.camerfirma.com

Note: The CA hierarchy for “Chambers of Commerce Root – 2008” is a little
different than I described in 
https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92.
Express Corporate Server and Corporate Server EV were in the old hierarchy. In
the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and
EV certificates with different Policy OIDs.

-- Global Chambersign Root – 2008  --

https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP
enforced.
The SSL certs chain up to “RACER – 2009”, which is signed by “AC Camerfirma –
2009”, which is signed by this root.
The AIA for the end-entity and intermediate certs all have
OCSP: URI: http://ocsp.camerfirma.com
Looks like there have been confusing requests.

This EV bug initially requested the 4 EV OIDs shown in this bug comment 0.
I have used this information to produce the test build,
because this is what Ramiro had confirmed in comment 2!


This is different from the information in comment 10!

The test site at https://server1.camerfirma.com:8081/
does not use an OID from the confirmed comment,
it uses an OID from the non-confirmed comment 10.

The test site at https://server2.camerfirma.com:8082/
does not use an OID from the confirmed comment,
it uses another OID from the non-confirmed comment 10.


If the initial information in this bug,
and the initial confirmation from Ramiro in this bug is no longer correct,
then I propose to close this bug,
and start a fresh bug,
because this one is now full of confusion.
Marking bug INVALID.

CA confirmed information that does not match attributes used in test sites.

Non-matching information has been posted in a related bug 562395,
which is apparently the new expectation of the CA, because of information found in test sites.

The new expectation has not been stated in this EV bug,
and has not been confirmed by a CA representative,
and is different from the confirmed information in this bug.

I would have expected the CA to be proactive and revoke their confirmation statement from comment 2.

Before you ask me to work on this again,
please make sure everything is well organized.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Kai, sorry, we have made changes since comment 2. Comment 2 is revoked.

I confirm the following information:

Friendly name: Chambers of Commerce Root - 2008
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
Test URL: https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I can not get the green flag (KO)

Friendly name: Global Chambersign Root - 2008
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
Test URL: https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I can get the GREEN flag (OK)

Friendly name: Chambers of Commerce Root - 2008
https://server1.camerfirma.com:8081    
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
(This is the OID for OV certs)

Friendly name: Global Chambersign Root - 2008
https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

I hope this clarifies the situation.
Sorry again for the confusion.

Regards
Ramiro
(In reply to comment #13)
> 
> Friendly name: Chambers of Commerce Root - 2008
> SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
> EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
> EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
> Test URL: https://www.camerfirma.com 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
> (This is the EV Policy OID)


Question (1):

Does this mean
you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID?


> Test URL: https://www.camerfirma.com 
> I can not get the green flag (KO)

I *sometimes* get green EV status for this test url.
- start with fresh profile
- go to https://www.camerfirma.com 
- get blue domain indicator
- use reload
- now get green domain indicator

I notice, on the initial connection, the decision blue is very quick.
If I hit reload, the page loads for several seconds, until we get green.

We must investigate why this happens.

I don't have ideas.
Someone must trace and debug.


> Friendly name: Global Chambersign Root - 2008
> SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
> EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
> EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
> Test URL: https://server3.camerfirma.com 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
> (This is the EV Policy OID)


Question (2):

Does this mean
you request to enable Global-Chamber-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID?



> Friendly name: Chambers of Commerce Root - 2008
> https://server1.camerfirma.com:8081    
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
> (This is the OID for OV certs)


Question (3):

Please help me understand, what is an "OV cert"?


Question (4):

Do you request EV for Chamber-Commerce-2008 and OID 1.3.6.1.4.1.17326.10.11.2?



> Friendly name: Global Chambersign Root - 2008
> https://server2.camerfirma.com:8082 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
> (This is the OID for OV certs)


Question (5):

Do you request EV for Global-Chamber-2008 and OID 1.3.6.1.4.1.17326.10.8.11.1.2?


Question (6):

I count 6 different OIDs in your comment.
Do you really request EV status for 6 different OIDs?
Question (1):
Does this mean
you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID?

Yes, if it is possible I would like to have both OIDs activated.
Both certificates are just the same, but with a different policy, since the keys in ...1.2 are generated in software and the keys in ...2.2 are generated in a hw device.
If it is not possible then activate only the ...1.2.

Question (2):
Does this mean
you request to enable Global-Chamber-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID?

Yes, as I said in question 1, the certificates are completely the same but with a different policy.


Question (3):
Please help me understand, what is an "OV cert"?
There are three kinds of SSL certificates: DV (Domain Validation), OV (Organization Validation) and EV (Extended Validation). Only EV has the green label.

Question (4):
Do you request EV for Chamber-Commerce-2008 and OID 1.3.6.1.4.1.17326.10.11.2?

NO

Question (5):
Do you request EV for Global-Chamber-2008 and OID 1.3.6.1.4.1.17326.10.8.11.1.2?

NO

Question (6):
I count 6 different OIDs in your comment.
Do you really request EV status for 6 different OIDs?

I have answered it, in previous questions.


Regards
Ramiro
I have downloaded a new version of Minefield and now I can't get the green label for https://www.camerfirma.com and https://server3.camerfirma.com.

Regards
Ramiro
Thank you for the clarification regarding "OV" certs.
OV is different than EV.
You do NOT request green EV indicators for OV certs.


Initially, in the first comment in this bug,
you had requested:
- EV for server1
- EV for server2

This is what had caused the confusion, because now you want:
- no EV for server1
- no EV for server2
- EV for www
- EV for server 3


After understanding this confusion,
I conclude that most of the request from the initial comment is still correct.

When comparing the initial comment in this bug with your latest comments,
you still request EV for the same roots and OIDs.

The only difference is the URLs for the test servers.


This is how I understand your comment 13 and your comment 15.


Based on this clarification I'm OK to reopen this bug and proceed to work on this request.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
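The {root, policy OID} matching that decides the green indicator in the exchange above, as an added example (not PSM's or Camerfirma's code): the fingerprints, OIDs and test URLs are the ones confirmed in this bug, the function and variable names are hypothetical, and the check is simplified to policy matching only.

```python
# Added example, not PSM's or Camerfirma's code: models the {root, policy OID}
# EV table this bug populates and decides, per test site, whether the green
# EV indicator applies. Function and variable names are hypothetical.

CHAMBERS_2008 = "78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c"
GLOBAL_2008 = "4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c"

# (root SHA1 fingerprint, EV policy OID) pairs confirmed in this bug; both
# OIDs per root are listed, as Ramiro requested.
EV_TABLE = {
    (CHAMBERS_2008, "1.3.6.1.4.1.17326.10.14.2.1.2"),
    (CHAMBERS_2008, "1.3.6.1.4.1.17326.10.14.2.2.2"),
    (GLOBAL_2008, "1.3.6.1.4.1.17326.10.8.12.1.2"),
    (GLOBAL_2008, "1.3.6.1.4.1.17326.10.8.12.2.2"),
}

# Constructed from the thread's test-site data: URL -> (root, EE policy OIDs).
TEST_SITES = {
    "https://www.camerfirma.com": (CHAMBERS_2008, ["1.3.6.1.4.1.17326.10.14.2.1.2"]),
    "https://server1.camerfirma.com:8081": (CHAMBERS_2008, ["1.3.6.1.4.1.17326.10.11.2"]),
    "https://server3.camerfirma.com": (GLOBAL_2008, ["1.3.6.1.4.1.17326.10.8.12.1.2"]),
    "https://server2.camerfirma.com:8082": (GLOBAL_2008, ["1.3.6.1.4.1.17326.10.8.11.1.2"]),
}

def oid_to_der(dotted):
    """DER-encode a dotted OID: the bytes the policy OID occupies inside the
    end-entity certificate's certificatePolicies extension."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def ev_status(root_fingerprint, ee_policy_oids):
    """Green only if the chain's root is EV-enabled AND the end-entity cert
    carries a policy OID registered for that root. An OV policy OID under an
    EV-enabled root is not enough, which is why server1/server2 stay blue.
    Simplified: PSM additionally requires a valid chain for that policy and
    revocation checking to succeed."""
    fp = root_fingerprint.lower()
    return any((fp, oid) in EV_TABLE for oid in ee_policy_oids)

def expected_indicators():
    """Map each test URL to True (green EV) or False (plain domain indicator)."""
    return {url: ev_status(fp, oids) for url, (fp, oids) in TEST_SITES.items()}
```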
Camerfirma, please don't make any more changes to the existing test servers until this task has been completed and marked as resolved.

Thanks
(In reply to comment #15)
> Does this mean,
> you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
> but you provide a test URL only for one EV OID ?
> 
> Yes, if it is possible I whould like to have activated both OID. 


I need a separate test URL for each combination of {root, OID} that you are requesting EV for.

You are requesting EV for 4 combinations of {root, OID},
but you only provided test URLs for 2 combinations.


If you really want all 4 combinations enabled for EV,
then please provide test URLs for all 4 combinations.
=> Keep the existing test servers, and give us 2 additional test URLs.


If you cannot provide the additional test servers, then tell me to proceed with only the existing 2 combinations.
Comment 17
OK you are right with the actual situation.
Comment 18
OK no more changes will be made on test servers.
Comment 19
Proceed with only the existing 2 combinations

Regards
Ramiro
fixed by bug 614852 (for mozilla-central and upcoming ff 4)

ff 3.5.x and ff 3.6.x not yet done
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → FIXED
Ramiro, What are the two test URLs that I can use to try this in my installation of FF4?
Thanks. When I tried them yesterday I got an OCSP error, but they are working today.

What sort of monitoring do you have on your OCSP service to make sure it can be noticed and recovered quickly if it goes down?
Verified fixed on Firefox 4.0b12pre.  Will this be backported?
Status: RESOLVED → VERIFIED
Hi Kathleen

I have no report about problems in our OCSP service. Can you give me more information about the error you have found?

We have two platforms providing OCSP service, and our system department has an application that measures the OCSP availability and response time.

I can provide you with the figures about the ocsp service for the 17th of Feb.

Regards
Ramiro
I just tried them again, and they're working. I haven't been able to reproduce the error. 

For the EV test sites I get the green bar. (I'm on FF 4.0b12)