Open Bug 1023726 Opened 8 years ago Updated 7 months ago

LAWtrust Root CA certificate inclusion in NSS

Categories

(NSS :: CA Certificate Root Program, task, P4)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: nielvg, Assigned: bwilson)

References

Details

(Whiteboard: [ca-verifying] BW 2020-09-30 - Comment #21)

Attachments

(8 files, 1 obsolete file)

146.43 KB, application/pdf
199.43 KB, application/pdf
2.60 KB, text/plain
2.77 KB, application/x-x509-ca-cert
2.06 KB, application/x-x509-ca-cert (katekani: review+, data-review+)
2.08 KB, application/x-x509-ca-cert (katekani: review+, data-review+)
2.13 KB, application/x-x509-ca-cert (katekani: review+, data-review+)
345.88 KB, application/pdf
LAWtrust would like to submit a request for the inclusion of their LAWtrust Root Certification Authority 2048 certificate in the NSS.
Severity: normal → critical
Assignee: nobody → kwilson
Product: NSS → mozilla.org
Version: 3.0 → other
Duplicate of this bug: 1104686
I wasn't notified about this bug, because it was in the wrong Component.

I will begin the Information Verification phase, and update this bug soon.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The attached document summarizes the information that has been verified.

Please search the document for "Need Response" and "Need Clarification" to find the parts where information and clarification are still needed.

Please review the full document for accuracy and completeness, and provide the necessary information in this bug.
Whiteboard: Information incomplete
Attached file Bugzilla 1023726.pdf
Attached is the response to the notes made in the bug 1023726
Attachment #8438194 - Attachment is obsolete: true
According to my notes...

This root currently has two internally-operated intermediate certificates:
1) LAWtrust Certification Authority 2048
2) LAWtrust AeSign Certification Authority 2048

The Root CA CPS only addresses subordinate CA certificates, so there will therefore be no mention of end-user certificates other than subordinate CA certificates. The CPS for the subordinate CAs chained into the LAWtrust root CA will stipulate the rules in question, for example the AeSign CPS in the LAWtrust repository.

On https://www.lawtrust.co.za/repository/ I found the documents for "LAWtrust AeSign Certification Authority 2048"
AeSign CPS: https://www.lawtrust.co.za/wp-content/uploads/LT_ISP_IS_AES_CPS_001-18-12-2013_signed.pdf
AeSign Charter:
https://www.lawtrust.co.za/wp-content/uploads/LAWtrust-AES-Charter_002-05-12-2014.pdf 

However, I have not been able to find the documents for "LAWtrust Certification Authority 2048". Please provide the URLs.

Also...
In AeSign CPS section 3.2.4: "In cases where the LAWtrust AeSign Certificate will be used for digitally signing and/or encrypting eMail the LAWtrust AeSign RA shall establish reasonable proof that the person submitting the certificate request controls the eMail account associated with the eMail address referenced in the LAWtrust AeSign Certificate."

Where is it documented HOW this is done?
Please see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control
Why is this bug report marked with Severity = Critical?
Severity: critical → enhancement
Attached file EndEntity-test123.cert
Attached file Intermediate.cert
Attachment #8611348 - Attachment mime type: application/x-x509-ca-cert → text/plain
Assignee: kwilson → frlee
Please note that nielvg is no longer driving this process.

Please forward all future responses to rian@lawtrust.co.za and bruce@lawtrust.co.za
Flags: needinfo?(frlee)
Hi Rian,

Thanks for informing. Could you please double check if Bruce has created a Bugzilla account?

Thank you very much
Flags: needinfo?(frlee)
Assignee: frlee → awu
Whiteboard: Information incomplete → [ca-verification]
Hi

I am not associated with LAWtrust and this request anymore. I have requested LAWtrust numerous times to remove me from the communications without success. Please remove me from any communication relating to this request. If you cannot remove me as the requester then please close this bug.

Kind regards
Niel van Greunen
(In reply to Niel van Greunen from comment #11)

My apologies. I do not know how to change the reporter of a Bugzilla Bug so that you will stop getting notifications. I have filed Bug #1345170 to get help on this.
Niel,
It looks like the best way for you to stop getting email about this bug is as follows:
1) Click the 'Edit' button at the top of this Bug's window
2) Check the box 'Never email me about this bug' at the bottom of the window (only appears in Edit mode)
3) Click the 'Save Changes' button at the bottom of the window
Whiteboard: [ca-verification] → [ca-verifying]
Product: mozilla.org → NSS
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson

Good day

We would like to continue with this process of getting our Root into Mozilla. I am now the assigned resource to deal with all the questions and updates to this bug.

Kindly assign me as the owner of the bug.

Many thanks and kind regards

Assignee: kwilson → katekani
QA Contact: kwilson

The information for this root inclusion request is here:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000054

Katekani, you may directly update the information via the CCADB here:

https://ccadb.force.com/500o0000002EqPq

Please send me email if you have any questions or problems updating the Case and Root Case directly in the CCADB.

Add another comment to this Bugzilla Bug when the information in the Case and Root Case has been updated and is ready for me to review.

More information, and an example, is available here:
https://wiki.mozilla.org/CA/Information_Checklist

Reviewed submission in the CCADB and request that LAWtrust update its CPS and ensure that it has uploaded all subordinate CAs under the 2048 Root in the CCADB. Thanks, Ben

Flags: needinfo?(katekani)
Whiteboard: [ca-verifying] → [ca-verifying] BW 2020-08-27 - Comment #17
Attached file AeSignCA01.cer

Subordinate certificate : LAWtrust AeSign CA01

Flags: needinfo?(katekani)
Attachment #9178709 - Flags: review+
Attachment #9178709 - Flags: data-review+
Attached file AeSignCA02.cer

Subordinate CA certificate as requested : LAWtrust AeSign CA02

Attachment #9178710 - Flags: review+
Attachment #9178710 - Flags: data-review+
Attached file LT_AATL_CA01.cer

Subordinate CA Certificate as requested : LAWtrust AATL CA01

Attachment #9178711 - Flags: review+
Attachment #9178711 - Flags: data-review+

Dear Katekani,

Thanks for submitting the certificates and updating your CPs and CPSes. Am I correct in understanding that the following are the best (most specific) CP/CPS statements concerning the procedures you require for verifying email addresses?

From LT_ISP_IS_CPS_LT2048CA2_V006 2019-12-11.pdf:

3.2.3.2 Authentication of a personal identity eMail address
In cases where the LAWtrust2048 CA2 Certificate will be used for digitally signing and/or
encrypting eMail the LAWtrust2048 CA2 RA will establish reasonable proof that the person
or Entity submitting the certificate request controls the eMail account associated with the
eMail address referenced in the LAWtrust2048 CA2 Certificate.

From LT_ISP_AeSign_CEN-SSCD_CPS_V004 2020-08-25_final.pdf:

3.2.3.2 Authentication of a personal identity eMail address
In cases where the LAWtrust AeSign CEN-SSCD CA Certificate will be used for digitally
signing the RA-Agent will establish reasonable proof that the person or legal Entity
submitting the certificate request controls the eMail account associated with the eMail
address referenced in the LAWtrust AeSign CEN-SSCD CA Certificate.

And from LT_ISP_AATL_CEN-SSCD_CPS_V003 2020-08-26_final.pdf:

3.2.3.2 Authentication of a personal identity eMail address
In cases where the LAWtrust AATL CA01 Certificate will be used for digitally signing the
RA-Agent will establish reasonable proof that the person or legal Entity submitting the
certificate request controls the eMail account associated with the eMail address
referenced in the LAWtrust AATL CA01 Certificate.

Please refer to https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Email_Challenge-Response and https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control to see if this language can be improved in a way that adequately describes the email validation process that meets these requirements.

Many CAs include requirements in their CPs/CPSes that verification of the domain portion of the email address not be delegated, per section 2.2 of Mozilla Policy - https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#22-validation-practices. This still allows CAs to use methods of verifying domains for enterprise-type accounts - see section 3.2.2.4 of the CA/Browser Forum's Baseline Requirements - https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.2.pdf. Additionally, the challenge-response email process cited further above can then be used to verify full email addresses for other types of email verification.

Thanks again,
Ben
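The email challenge-response check referenced in the comment above, as an added example that is not LAWtrust's procedure or code from Mozilla; the request identifier, the 24-hour validity window and the server-side secret are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example, not LAWtrust's procedure: a minimal challenge-response flow of the kind
# Mozilla's recommended practices describe. A random single-use token is sent only to the
# exact mailbox that will appear in the certificate; the request is approved only when
# that token is presented back, for the same request and address, before it expires.
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed validity window


class EmailChallenge:
    def __init__(self, server_secret: bytes):
        # Tokens are stored only as keyed hashes, so a leaked pending table is not usable.
        self._secret = server_secret
        self._pending = {}  # challenge_id -> (request_id, email, token_digest, expires_at)

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, request_id: str, email: str, now: int) -> tuple:
        """Create a challenge; the returned token is mailed to `email` and nowhere else."""
        challenge_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._pending[challenge_id] = (
            request_id, email.strip().lower(), self._digest(token), now + TOKEN_TTL_SECONDS)
        return challenge_id, token

    def verify(self, challenge_id: str, request_id: str, email: str, token: str, now: int) -> bool:
        """True only for the right token, request and address, inside the window.
        Every attempt consumes the challenge, so a wrong guess forces a fresh one."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        want_request, want_email, want_digest, expires_at = entry
        if now > expires_at:
            return False
        if want_request != request_id or want_email != email.strip().lower():
            return False
        return hmac.compare_digest(want_digest, self._digest(token))
```

The RA would record the challenge identifier with the certificate request and approve the address only after `verify` returns True; domain-level validation for enterprise accounts (BR 3.2.2.4) is a separate step and is not modelled here.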

Whiteboard: [ca-verifying] BW 2020-08-27 - Comment #17 → [ca-verifying] BW 2020-09-30 - Comment #21

Dear Katekani,
Do you have any updates on your efforts?
Thanks,
Ben

Flags: needinfo?(katekani)

Good day Ben

We are currently undergoing our annual Webtrust audits. I plan to update the CP/CPS to be more specific. We are already doing this by sending an email to the email address to be included in the certificate. I just need to describe the procedure more clearly.

Many thanks and kind regards

Katekani

Flags: needinfo?(katekani)
Priority: -- → P4
Assignee: katekani → bwilson

This is the LAWtrust Webtrust Audit report for the 2020 calendar year, for root update submission.
