Closed Bug 1024418 Opened 10 years ago Closed 5 years ago

Please add Signet/Orange Root CA certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: jerzy.rudowski, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-verifying] - KW Comment #18 2018-04-10)

Attachments

(5 files, 1 obsolete file)

rootca_der.cer
1.45 KB, application/x-x509-ca-cert
Details
Initial CA Information Document
90.79 KB, application/pdf
Details
Updated information about the Orange Signet Certification Authority
86.42 KB, application/pdf
Details
Template- CA's BR Self Assessment.xlsx
38.79 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Details
1024418-CA-Information-April-10-2018.pdf
150.57 KB, application/pdf
Details 
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0 (Beta/Release)
Build ID: 20140212131424

Steps to reproduce:

Orange Polska provides PKI public certification services for its custormers under the brand name "Signet CC". Services are "WebTrust for CAs" certified, but issued end-entity certificates are not recognized as trusted in Mozilla products. Please, see e.g.:

https://ssl-test.signet.pl 



Actual results:

Certificate is not recognized as trusted and warning message is displayed.


Expected results:

Certificate should be recognized as trusted. Please, include Signet root certificate into Mozilla products.

Please find required information in attached file.
Attached file rootca_der.cer 
Signet Root CA certificate in .DER format.
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
Whiteboard: Information incomplete -- OCSP, BR audit
(In reply to Kathleen Wilson from comment #3)

In attached document "General information about the Orange Signet Certification Authority UPDATED" I  have clarified/added some requested information.

Since currently Signet CC is not fully compliant with CAB Forum requirements, not all issues are addressed yet. 

I will inform you as soon as all requirements are fulfilled.
All updated/added information is highlighted in yellow.
Attachment #8439117 - Attachment is obsolete: true
Thank you for the update and for the translated documents.

Please comment in this bug when OCSP and the BR audit statement are available.
(In reply to Kathleen Wilson from comment #6)
> Thank you for the update and for the translated documents.
> 
> Please comment in this bug when OCSP and the BR audit statement are
> available.

Thank you for your comment. I think we'll be ready not earlier than by the end of this year.
There's no update from CA for more than 1.5 year. Closing this bug for now as Won't fix.
if CA ever provides further information, this bug will be re-opened.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Hello,

I would like to continue Jerzy topic and re-open this bug. 
We still want that our Certificate should be recognized as trusted. Please, include Signet root certificate into Mozilla products.

I’m sending you links for current Standard and SSL baseline audits for Signet Root CA.

Standard:
https://cert.webtrust.org/SealFile?seal=2236&file=pdf
SSL baseline:
https://cert.webtrust.org/SealFile?seal=2238&file=pdf

Please, take a look on this and give me a feedback is is sufficient.
(In reply to Francis Lee [:frlee] from comment #8)
> There's no update from CA for more than 1.5 year. Closing this bug for now
> as Won't fix.
> if CA ever provides further information, this bug will be re-opened.

Please, re-open bug.
Re-opening this bug, as requested by the CA.
Assignee: kwilson → awu
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Summary: Please add Signet Root CA certificate to NSS → Please add Signet/Orange Root CA certificate
Przemysław, 

Please clarify which root certificates you are requesting inclusion for at this time, and which trust bits (Websites and/or Email) you are requesting for each root cert.

If requesting the Websites trust bit, then please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

https://wiki.mozilla.org/CA/BR_Self-Assessment
Whiteboard: Information incomplete -- OCSP, BR audit → [ca-verifying] - Need BR Self Assessment
(In reply to Kathleen Wilson from comment #12)
> Przemysław, 
> 
> Please clarify which root certificates you are requesting inclusion for at
> this time, and which trust bits (Websites and/or Email) you are requesting
> for each root cert.
> 
> If requesting the Websites trust bit, then please perform the BR Self
> Assessment, and attach the resulting BR-self-assessment document to this bug.
> 
> https://wiki.mozilla.org/CA/BR_Self-Assessment

Dear Kathleen,

Both links are related with CA Signet Certificat Webtrust and SSL Baseline is strictly connected with Websites, so we just requesting trust bits for Websites.

I was trying to complete a BR Self Assesment but I can't open Template for BR Self-Assessment from link https://wiki.mozilla.org/CA/BR_Self-Assessment.

Can you help me wtih this issue? Maybe there is another way to get Template?
(In reply to Przemysław Cabaj from comment #13)
> I was trying to complete a BR Self Assesment but I can't open Template for
> BR Self-Assessment from link https://wiki.mozilla.org/CA/BR_Self-Assessment.
> 
> Can you help me wtih this issue? Maybe there is another way to get Template?


Are you able to open it in Google Docs by clicking on the "Template for BR Self-Assessment" link in the wiki page?

If yes, then within the Google Doc, click on File-> Download as -> Microsoft Excel
Dear Kathleen,

I'm attaching the result of BR-self-assessment document to this bug as a next step in  CA Certificate Root Program.
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - BR Self Assessment Received
Hi,

Thanks to provide BR Self Assessment!

Could I know CPS v1.3 is the up-to-date version? it shows "Under approval" in CPS for v1.3, please confirm and provide updated one, and also indicate the release date of this document, thank you!

Best Regards,
Aaron
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
The attached document shows the information that has been verified, and where further information is needed (search for 'NEED').

Note to the CA: If you are watching the discussions in the mozilla.dev.security.policy forum, you may have noticed that Mozilla has begun rejecting requests for inclusion of root certs whose CA Hierarchies have not been BR-compliant and BR-audited from creation. Therefore, please evaluate your root and CA hierarchy to determine if it would be more productive for you to create a new root certificate with a fully-BR-compliant CA hierarchy before continuing with this request.
Whiteboard: [ca-verifying] - BR Self Assessment Received → [ca-verifying] - KW Comment #18 2018-04-10

Closing this request per lack of response to Comment #18.
If the CA chooses to create a new root certificate, they may start a new root inclusion request as described here:
https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request

Status: REOPENED → RESOLVED
Closed: 8 years ago5 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: