Add MULTICERT Root Certificate

Status: ASSIGNED
Product: NSS
Component: CA Certificate Root Program
Opened: 3 years ago; last changed: 4 months ago

People: (Reporter: ca.forum, Assigned: Kathleen Wilson)

Whiteboard: [ca-ready-for-discussion-new 2016-02-12] - Need BR Self Assessment

Attachments: 11

(Reporter)

Description

3 years ago
Created attachment 8457990 [details]
GeneralinformationabouttheCA.pdf

(Reporter)

Comment 1

3 years ago
Created attachment 8457996 [details]
Accreditation of MULTICERT Root CA by Gabinete Nacional de Segurança

Comment 2

3 years ago
Super CA?
(Assignee)

Comment 3

3 years ago
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification



(In reply to him from comment #2)
> Super CA?

I don't know.

Sara, please see the description of a Super-CA, and clarify.
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Reporter)

Comment 4

3 years ago
Yes, it is a Super CA. This is an offline Super CA which issues certificates for other MULTICERT Subordinate CAs.

All CAs, including the Super CA, are audited annually.
(Reporter)

Comment 5

3 years ago
Website for testing
https://promotor.teste.multicert.com/

Comment 6

3 years ago
It is not a requirement (at least not of the CA/B Baseline Requirements), but do you plan on adding the CA Issuers extension?
(Reporter)

Comment 7

3 years ago
We're not using it at the moment. However, we are planning to include this extension in the certificate profiles as soon as possible.
(Assignee)

Comment 8

3 years ago
Created attachment 8490165 [details]
Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
(Assignee)

Updated

3 years ago
Whiteboard: Information incomplete
(Reporter)

Comment 9

2 years ago
Created attachment 8641726 [details]
New document with reviewed information and new audit statements.

New document with reviewed information and new audit statements.
(Reporter)

Updated

2 years ago
Whiteboard: Information incomplete → Information incomplete - New Information
(Assignee)

Comment 10

2 years ago
Please attach the audit statements directly to this bug.

>> This relates to our subordinates MULTICERT CA 002 and MULTICERT CA 001, which are, for now,
signed by Baltimore as well.

Does this mean that the subordinate "MULTICERT CA 002" is signed by both "MULTICERT Root Certification Authority 01" and "Baltimore CyberTrust Root"?
(Assignee)

Updated

2 years ago
Whiteboard: Information incomplete - New Information → Information incomplete
(Assignee)

Comment 11

2 years ago
Created attachment 8650001 [details]
1040072-CAInformation.pdf

I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information (search for NEED in the pdf).
(Reporter)

Comment 12

2 years ago
(In reply to Kathleen Wilson from comment #10)
> Please attach the audit statements directly to this bug.
> 
> >> This relates to our subordinates MULTICERT CA 002 and MULTICERT CA 001, which are, for now,
> signed by Baltimore as well.
> 
> Does this mean that the subordinate "MULTICERT CA 002" is signed by both
> "MULTICERT Root Certification Authority 01" and "Baltimore CyberTrust Root"?

Yes, Kathleen. For now, MULTICERT CA 001 and 002 are signed by both the MULTICERT and Baltimore Root CAs.
(Reporter)

Comment 13

2 years ago
Created attachment 8651751 [details]
ETSI 101 456 Audit
(Reporter)

Comment 14

2 years ago
Created attachment 8651752 [details]
ETSI 102 042 /BR Audit
(Assignee)

Comment 15

2 years ago
(In reply to ca.forum from comment #14)
> Created attachment 8651752 [details]
> ETSI 102 042 /BR Audit

When audit statements are provided by the Certification Authority rather than having an audit statement posted on the auditor's website, the Mozilla process requires doing an independent verification of the authenticity of the audit statements that have been provided. Therefore, I have sent an email to sgs.portugal@sgs.com to confirm the authenticity of the audit statement.


As per Comment #11, the following items are still needed:

1) NEED to resolve all errors listed here:
https://certificate.revocationcheck.com/promotor.teste.multicert.com

2) NEED: Please carefully read sections 8 through 14 of https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
and confirm that all future subCAs of MULTICERT will be required to be audited by an independent, competent party according to the ETSI or WebTrust audit criteria as per sections 11 through 14 of Mozilla's policy (unless they are technically constrained as described in section 9 of Mozilla policy).
Is this audit requirement in your CP/CPS? 

3) NEED URLs and section/page number information pointing directly to the sections of the CP/CPS documents that describe the procedures for verifying that the email address to be included in the certificate is owned/controlled by the certificate subscriber.
as per item #4 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

4) NEED URL to a web page or a Bugzilla Bug Number that lists all of your publicly disclosed subordinate CA certificates as per item #4 of
https://wiki.mozilla.org/CA:Information_checklist#CA_Hierarchy_information_for_each_root_certificate
(Reporter)

Comment 16

2 years ago
1) NEED to resolve all errors listed here:
https://certificate.revocationcheck.com/promotor.teste.multicert.com

[MULTICERT] The MULTICERT Certification Authority has existed since 2008 and was always signed by Baltimore. Last year, MULTICERT opted for its own Root Certification Authority. Thinking of our clients, we decided to keep the Baltimore Root while our root was not recognized in every system.

That's why you have that problem in the OCSP. The URL promotor.teste.multicert.com is using an SSL certificate and the server has the MULTICERT chain configured. However, in order to have a correct response for our clients, we have, in the OCSP service, a responder with the Baltimore chain.


2) NEED: Please carefully read sections 8 through 14 of https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
and confirm that all future subCAs of MULTICERT will be required to be audited by an independent, competent party according to the ETSI or WebTrust audit criteria as per sections 11 through 14 of Mozilla's policy (unless they are technically constrained as described in section 9 of Mozilla policy).
Is this audit requirement in your CP/CPS? 

[MULTICERT]http://pkiroot.multicert.com/pol/CPS_MULTICERT_PJ.ECRAIZ_24.1.1_0001_en.pdf --> Chapter 9


3) NEED URLs and section/page number information pointing directly to the sections of the CP/CPS documents that describe the procedures for verifying that the email address to be included in the certificate is owned/controlled by the certificate subscriber.
as per item #4 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

[MULTICERT] We are implementing this at the moment. The due date is 31 December. By then, a new CP and CPS will be launched.

4) NEED URL to a web page or a Bugzilla Bug Number that lists all of your publicly disclosed subordinate CA certificates as per item #4 of
https://wiki.mozilla.org/CA:Information_checklist#CA_Hierarchy_information_for_each_root_certificate

[MULTICERT] https://pki.multicert.com/index.html. You can find all the subordinate CAs belonging to the MULTICERT PKI there.
(Reporter)

Comment 17

2 years ago
About the ETSI 102 042 Audit Statement, is this issue closed?
(Assignee)

Comment 18

2 years ago
(In reply to ca.forum from comment #16)
> 1) NEED to resolve all errors listed here:
> https://certificate.revocationcheck.com/promotor.teste.multicert.com
> 
> [MULTICERT] The MULTICERT Certification Authority has existed since 2008 and was
> always signed by Baltimore. Last year, MULTICERT opted for its own Root
> Certification Authority. Thinking of our clients, we decided to keep the
> Baltimore Root while our root was not recognized in every system.
>
> That's why you have that problem in the OCSP. The URL
> promotor.teste.multicert.com is using an SSL certificate and the server has
> the MULTICERT chain configured. However, in order to have a correct response
> for our clients, we have, in the OCSP service, a responder with the Baltimore
> chain.
> 


I don't understand.

Do you have your own OCSP service?

Can you set up a test server that does not have any dependency on the Baltimore Chain or OCSP service?
(Reporter)

Comment 19

2 years ago
We do have our own OCSP, however we must have the Baltimore chain configured in the OCSP service until we have our Root CA available in Mozilla trusted store.

However, we are trying to set up a testing environment like you ask.
(Reporter)

Comment 20

2 years ago
The new test server without any dependency on Baltimore is available for testing.

https://promotor.teste.multicert.com
(Assignee)

Comment 21

2 years ago
(In reply to ca.forum from comment #20)
> The new test server without any dependency on Baltimore is available for
> testing.
> 
> https://promotor.teste.multicert.com


Still getting errors:
https://certificate.revocationcheck.com/promotor.teste.multicert.com
(Reporter)

Comment 22

2 years ago
We cannot explain why this error occurs.

We have studied the OCSP response for promotor.teste.multicert.com as well as for www.cgd.com using https://certificate.revocationcheck.com.

The problem that exists with the multicert OCSP signature doesn't happen with the cgd OCSP signature. In order to find out what this error is, we downloaded both OCSP requests and responses from this site and analyzed them with OpenSSL.

The signature is performed the same way. Apparently the site doesn't publish the multicert OCSP signing certificate, but, if you use OpenSSL to decode the OCSP response, you'll be able to get it.
On the other hand, we issue millions of OCSP responses, and we have no complaints.
You may find all the results attached.
Is this site (https://certificate.revocationcheck.com) owned by Mozilla?
(Reporter)

Comment 23

2 years ago
Created attachment 8686677 [details]
OCSP_Clarification.pdf

We cannot explain why this error occurs.

We have studied the OCSP response for promotor.teste.multicert.com as well as for www.cgd.com using https://certificate.revocationcheck.com.

The problem that exists with the multicert OCSP signature doesn't happen with the cgd OCSP signature. In order to find out what this error is, we downloaded both OCSP requests and responses from this site and analyzed them with OpenSSL.

The signature is performed the same way. Apparently the site doesn't publish the multicert OCSP signing certificate, but, if you use OpenSSL to decode the OCSP response, you'll be able to get it.
On the other hand, we issue millions of OCSP responses, and we have no complaints.
You may find all the results attached.
Is this site (https://certificate.revocationcheck.com) owned by Mozilla?
(Assignee)

Comment 24

2 years ago
(In reply to ca.forum from comment #23)
> Is this site (https://certificate.revocationcheck.com) owned by Mozilla?

I have sent email to the owner of the revocationcheck site to see if he can determine what the cause of the error is.

In the meantime, please let me know when the updated CP/CPS are available as per Comment #16.
> 3) NEED URLs and section/page number information pointing directly to the
> sections of the CP/CPS documents that describe the procedures for verifying
> that the email address to be included in the certificate is owned/controlled
> by the certificate subscriber.
> as per item #4 of
> https://wiki.mozilla.org/CA:
> Information_checklist#Verification_Policies_and_Practices
> 
> [MULTICERT] We are implementing this at the moment. The due date is
> 31 December. By then, a new CP and CPS will be launched.
(Assignee)

Comment 25

2 years ago
(In reply to Kathleen Wilson from comment #24)
> (In reply to ca.forum from comment #23)
> > Is this site (https://certificate.revocationcheck.com) owned by Mozilla?
> 
> I have sent email to the owner of the revocationcheck site to see if he can
> determine what the cause of the error is.

Here's his reply: The server returns a response signed with a "1.3.14.3.2.29" signature algorithm instead of "1.2.840.113549.1.1.5".

> 
> In the meantime, please let me know when the updated CP/CPS are available as
> per Comment #16.
> > 3) NEED URLs and section/page number information pointing directly to the
> > sections of the CP/CPS documents that describe the procedures for verifying
> > that the email address to be included in the certificate is owned/controlled
> > by the certificate subscriber.
> > as per item #4 of
> > https://wiki.mozilla.org/CA:
> > Information_checklist#Verification_Policies_and_Practices
> > 
> > [MULTICERT] We are implementing this at the moment. The due date is
> > 31 December. By then, a new CP and CPS will be launched.
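The OID mismatch reported in the reply above is easiest to understand in bytes. The following is an added example, not code from this bug, from MULTICERT or from the revocationcheck site: it DER-encodes both identifiers, decodes the algorithm OID out of an AlgorithmIdentifier, and classifies it. The SHA-2 PKCS#1 OIDs, the ECDSA sample and the sample AlgorithmIdentifiers are my own additions that go beyond the SHA-1 case named in the comment.

```python
# Added example (not from the bug or MULTICERT): decode the signatureAlgorithm
# OID of a DER AlgorithmIdentifier and flag the legacy OIW identifier
# 1.3.14.3.2.29, which the revocationcheck operator reported, as opposed to the
# PKCS#1 identifier 1.2.840.113549.1.1.5 that clients expect.
from typing import Dict, Tuple

# PKCS#1 RSA signature OIDs. The bug names only the SHA-1 one; the SHA-2 ones
# are added here (assumption) so the check also covers modern responders.
PKCS1_RSA_SIGNATURES: Dict[str, str] = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OIW_SHA1_RSA = "1.3.14.3.2.29"  # legacy OIW/secsig "sha-1WithRSAEncryption", not PKCS#1


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # remaining 7-bit groups, high bit set on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes, offset: int = 0) -> str:
    """Decode the OBJECT IDENTIFIER at `offset` into dotted form (short-form length only)."""
    if der[offset] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[offset + 1]
    body = der[offset + 2: offset + 2 + length]
    arcs = [body[0] // 40, body[0] % 40]  # fine for arcs starting 0.x or 1.x or 2.<40
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_identifier(oid: str) -> bytes:
    """Build DER AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }."""
    body = encode_oid(oid) + b"\x05\x00"
    return bytes([0x30, len(body)]) + body


def check_signature_algorithm(algid_der: bytes) -> Tuple[str, str]:
    """Return (dotted OID, verdict) for a DER AlgorithmIdentifier.

    verdict is "ok" for a PKCS#1 RSA OID, "legacy-oiw" for 1.3.14.3.2.29,
    and "unknown" for anything else.
    """
    if algid_der[0] != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid = decode_oid(algid_der, 2)  # OID is the first element of the SEQUENCE
    if oid in PKCS1_RSA_SIGNATURES:
        return oid, "ok"
    if oid == OIW_SHA1_RSA:
        return oid, "legacy-oiw"
    return oid, "unknown"


# Constructed samples standing in for the signatureAlgorithm field of a
# BasicOCSPResponse, before and after the fix described in the bug.
BROKEN_RESPONDER = algorithm_identifier(OIW_SHA1_RSA)
FIXED_RESPONDER = algorithm_identifier("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for label, algid in (("before fix", BROKEN_RESPONDER), ("after fix", FIXED_RESPONDER)):
        oid, verdict = check_signature_algorithm(algid)
        print(f"{label}: {algid.hex()} -> {oid} ({verdict})")
```

With a real response file, `openssl ocsp -respin resp.der -text -noverify` prints the Signature Algorithm line; the OID shown there is what this check classifies.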
(Reporter)

Comment 26

2 years ago
(In reply to Kathleen Wilson from comment #25)
> (In reply to Kathleen Wilson from comment #24)
> > (In reply to ca.forum from comment #23)
> > > Is this site (https://certificate.revocationcheck.com) owned by Mozilla?
> > 
> > I have sent email to the owner of the revocationcheck site to see if he can
> > determine what the cause of the error is.
> 
> Here's his reply: The server returns a response signed with a
> "1.3.14.3.2.29" signature algorithm instead of "1.2.840.113549.1.1.5".

MULTICERT - Problem resolved. Please check at https://certificate.revocationcheck.com. Don't forget to clear the browser cache.
> 
> > 
> > In the meantime, please let me know when the updated CP/CPS are available as
> > per Comment #16.
> > > 3) NEED URLs and section/page number information pointing directly to the
> > > sections of the CP/CPS documents that describe the procedures for verifying
> > > that the email address to be included in the certificate is owned/controlled
> > > by the certificate subscriber.
> > > as per item #4 of
> > > https://wiki.mozilla.org/CA:
> > > Information_checklist#Verification_Policies_and_Practices
> > > 
> > > [MULTICERT] We are implementing this at the moment. The due date is
> > > 31 December. By then, a new CP and CPS will be launched.

[MULTICERT] We are implementing a new feature to automatically confirm the user's email address. 31 January is the due date.
(Assignee)

Comment 27

2 years ago
(In reply to ca.forum from comment #13)
> Created attachment 8651751 [details]
> ETSI 101 456 Audit

(In reply to ca.forum from comment #14)
> Created attachment 8651752 [details]
> ETSI 102 042 /BR Audit

I have exchanged email with the auditor to confirm the authenticity of these audit statements.
(Assignee)

Comment 28

2 years ago
(In reply to ca.forum from comment #26)
> [MULTICERT] We are implementing a new feature to automatically confirm the
> user's email address. 31 January is the due date.

Please update this bug when the updated CP/CPS is available.
(Reporter)

Comment 29

2 years ago
We are now confirming the user's email address during Subject registration.

Please see page 21 at the url https://pki.multicert.com/pol/cp/MULTICERT_PJ.CA3_24.1.2_0002_en.pdf.
(Assignee)

Comment 30

2 years ago
(In reply to ca.forum from comment #29)
> We are now confirming the user's email address during Subject registration.
> 
> Please see page 21 at the url
> https://pki.multicert.com/pol/cp/MULTICERT_PJ.CA3_24.1.2_0002_en.pdf.

Thanks!

I was just testing BR compliance, and got an error...

http://cert-checker.allizom.org/
Root Cert: http://pkiroot.multicert.com/cert/MCRootCA.cer
Test Website: https://promotor.teste.multicert.com/

/C=PT/O=MC/OU=Certificado SSL/CN=promotor.teste.multicert.com
...
    Error
        BR certificates with organizationName must include either localityName or stateOrProvinceName

Please comment in this bug when the error has been resolved.
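The cert-checker error above is a subject DN rule from the Baseline Requirements (section 7.1.4.2.2): once organizationName is present, the subject must also carry localityName or stateOrProvinceName. The following added example, which is not the cert-checker tool's code nor anything from MULTICERT, parses an OpenSSL one-line subject like the one quoted and applies that rule; it also applies the companion countryName rule from the same BR section, which the bug does not mention, and the corrected sample subject with `L=Lisboa` is constructed.

```python
# Added example (not from the bug or from cert-checker): lint an OpenSSL-style
# subject DN against the BR 7.1.4.2.2 rules that bit the test certificate.
import re
from typing import Dict, List

# Short attribute names as OpenSSL prints them.
ORGANIZATION = "O"
LOCALITY = "L"
STATE = "ST"
COUNTRY = "C"

# Error text as the cert-checker reported it in the bug.
MISSING_L_OR_ST = ("BR certificates with organizationName must include either "
                   "localityName or stateOrProvinceName")
# Companion rule from BR 7.1.4.2.2 (assumption: not quoted in the bug).
MISSING_COUNTRY = "BR certificates with organizationName must include countryName"


def parse_openssl_subject(subject: str) -> Dict[str, List[str]]:
    """Parse '/C=PT/O=MC/CN=host' into {attr: [values]}; '\\/' escapes a slash in a value."""
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\)/", subject.strip()):
        if not rdn:
            continue  # leading slash yields an empty first element
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs.setdefault(key.strip(), []).append(value.replace("\\/", "/"))
    return attrs


def br_subject_errors(subject: str) -> List[str]:
    """Return the BR subject-field errors for a subject DN (empty list when compliant)."""
    attrs = parse_openssl_subject(subject)
    errors: List[str] = []
    if ORGANIZATION in attrs:
        if LOCALITY not in attrs and STATE not in attrs:
            errors.append(MISSING_L_OR_ST)
        if COUNTRY not in attrs:
            errors.append(MISSING_COUNTRY)
    return errors


# The subject quoted in the bug, and a constructed corrected variant.
FAILING_SUBJECT = "/C=PT/O=MC/OU=Certificado SSL/CN=promotor.teste.multicert.com"
CORRECTED_SUBJECT = "/C=PT/L=Lisboa/O=MC/OU=Certificado SSL/CN=promotor.teste.multicert.com"

if __name__ == "__main__":
    for subj in (FAILING_SUBJECT, CORRECTED_SUBJECT):
        print(subj)
        for err in br_subject_errors(subj) or ["    OK"]:
            print("   ", err)
```

A domain-validated profile that omits O entirely passes both rules, which is why the fix in the bug was to reissue under the intended profile rather than to add a locality to the test profile.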
(Reporter)

Comment 31

2 years ago
Problem solved.

This issue was related to a certificate profile we have for testing the production certificate chain. We had issued a few certificates for chain testing and this one was, wrongly, included in these tests.

We have just corrected this situation by issuing a new certificate in the right profile, which is online now.
(Assignee)

Comment 32

2 years ago
Created attachment 8719085 [details]
1040072-CAInformation-Complete.pdf
(Assignee)

Comment 33

2 years ago
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.
Whiteboard: Information incomplete → Ready for Public Discussion
(Reporter)

Comment 34

a year ago
Created attachment 8746964 [details]
New ETSI 102 042 /BR Audit Statement 2016
(Assignee)

Comment 35

a year ago
(In reply to ca.forum from comment #34)
> Created attachment 8746964 [details]
> New ETSI 102 042 /BR Audit Statement 2016

As per Mozilla's process, I have exchanged email with the auditor to confirm the authenticity of this audit statement.
(Reporter)

Comment 36

a year ago
Created attachment 8758103 [details]
New ETSI 101 456 GNS Statement 2016

Updated

5 months ago
Whiteboard: Ready for Public Discussion → [ca-ready-for-discussion-new 2016-02-12]
(Assignee)

Comment 37

5 months ago
MULTICERT, Please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ
In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
Whiteboard: [ca-ready-for-discussion-new 2016-02-12] → [ca-ready-for-discussion-new 2016-02-12] - Need BR Self Assessment

Updated

4 months ago
Product: mozilla.org → NSS