Closed Bug 1092963 Opened 5 years ago Closed 4 months ago

Add Renewed A-Trust-Root-05 root certificate

Categories

(NSS :: CA Certificate Root Program, task)


Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: klein, Assigned: kwilson)

Details

(Whiteboard: [ca-discussion-hold] -- EV - pending translation of updated CP/CPS)

Attachments

(7 files)

CA Details
----------

CA Name: A-Trust-Root-05
Website: https://www.a-trust.at
Original Root Inclusion: https://bugzilla.mozilla.org/show_bug.cgi?id=530797
One Paragraph Summary of CA, including the following:
Used to issue Austrian Citizen Cards and A-Trust SSL (EV) certificates, customers from Central Europe.

Audit Type (WebTrust, ETSI etc.): WebTrust and WebTrust EV
Auditor: Ernst & Young (Austria)
Auditor Website: http://www.ey.com/
Audit Document URL(s): 
CA: https://cert.webtrust.org/ViewSeal?id=1753
EV: https://cert.webtrust.org/ViewSeal?id=1754

Certificate Details
-------------------

Certificate Name: A-Trust-Root-05
SSL and EV certificates are issued in the following hierarchy:
A-Trust-Root-05   (http://www.a-trust.at/certs/A-Trust-Root-05.crt)
   a-sign-SSL-05   (http://www.a-trust.at/certs/a-sign-ssl-05.crt)
   a-sign-SSL-EV-05   (http://www.a-trust.at/certs/a-sign-ssl-ev-05.crt)
       User certificates 

Certificate download URL (on CA website): http://www.a-trust.at/certs/A-Trust-Root-05.crt
Version: 3
Fingerprint: 2e66c984 1181c08f b1dfabd4 ff8d5cc7 2be08f02
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2013-09-23
Valid To (YYYY-MM-DD): 2023-09-20

CRL HTTP URL: http://crl.a-trust.at/crl/A-Trust-Root-05
CRL issuing frequency for subordinate end-entity certificates: 2 hours or on change
CRL issuing frequency for subordinate CA certificates: 2 hours or on change
OCSP URL: http://ocsp.a-trust.at/ocsp

Class (domain-validated, identity/organizationally-validated or EV): all
Certificate Policy URL: https://www.a-trust.at/docs/cp/a-sign-ssl-ev/a-sign-ssl-ev.pdf
CPS URL: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): SSL with EV
URL of example website using certificate subordinate to this root
(if applying for SSL): https://ca-train.a-trust.at/
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
The responses are enclosed in the attached document.
Attached file Result EV Check
Attached image Result EV Check JPG
Attached file CPS Translations
I've entered the data for this request into SalesForce.

Please review the attached document to ensure it is correct and complete, and provide corrections and remaining needed information by posting comments in this bug.
Audit Statements:
https://www.a-trust.at/downloads/Assertion_EV.PDF
https://www.a-trust.at/downloads/Assertion_WT.PDF

The next CPS that will be covered by our next Audit (May 2015) will include our commitment to comply with the BRs.

The translations already provided cover both regular SSL certificates and EV certificates (verifying domain ownership), our checks are similar for both types.
(In reply to klein from comment #7)
> Audit Statements:
> https://www.a-trust.at/downloads/Assertion_EV.PDF
> https://www.a-trust.at/downloads/Assertion_WT.PDF
> 

When I open these links I see Assertions by A-Trust Management, and I don't see the auditor's statements.
(In reply to klein from comment #7)
> The translations already provided cover both regular SSL certificates and EV
> certificates (verifying domain ownership), our checks are similar for both
> types.

The provided translation says:
> 3.1.8 Check of Domain or IP Address
> The holder of a domain is verified using the databases provided by the 
> applicable authority (such as www.nic.at, www.denic.de,...).
> The use of IP addresses in EV certificates is not permitted.

Please see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership
"It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond?"
and
"It is not sufficient to simply reference section 11 of the CA/Brower Forum's Baseline Requirements (BR). BR #11.1.1 lists several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing section 11 of the BRs does not specify which of those options the CA uses, and is insufficient for describing how the CA conforms to the BRs. BR #8.2.1 says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."
We received an updated audit letter including the BRs - https://cert.webtrust.org/ViewSeal?id=1803 (https://cert.webtrust.org/SealFile?seal=1803&file=pdf).

The section concerning verification of Domain Ownership (CPS 3.1.8) includes an optional check through the Administrative contact returned by the WHOIS query. The new CPS that is covered by the next Audit (already in progress) will remove the "optional" so that the check is required with each issued certificate. Translation:

....

A-Trust obtains a confirmation regarding the use of the domain from the administrative contact in the result of the WHOIS-query. This confirmation can be given by E-Mail or on the phone.

If the administrative contact is not the applicant, A-Trust requires a statement of authority from the administrative contact as well as a scan of a valid ID (CPS 3.1.9).
Thanks for providing the link to the BR audit statement.

Will your updated CPS also contain a commitment to comply with the BRs?
https://wiki.mozilla.org/CA:BaselineRequirements#CA_Conformance_to_the_BRs
"The CA's CP or CPS documents must include a commitment to comply with the BRs, as described in BR section 8.3."

When will the new version of your CPS be available?
Yes, the commitment to comply will be added in the introduction of our CPS (1.1):

A-Trust hält sich bei der Ausstellung von SSL (EV) Zertifikaten an die Vorgaben der aktuellen Version der "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" des Certifcate Authority/Browser Forums (CA/B Forum, https://www.cabforum.org). 

->

When issuing SSL (EV) certificates, A-Trust conforms to the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" published by the Certificate Authority/Browser Forum (CA/B Forum, https://www.cabforum.org).


The new CPS is currently under review by our auditor, we expect to finish the process next week and we will release the new version accordingly.
(In reply to klein from comment #12)
> The new CPS is currently under review by our auditor, we expect to finish
> the process next week and we will release the new version accordingly.

Please update this bug when the new CPS is available on your website.
Extended Validation certificate without subjectAltName?

https://ca-train.a-trust.at/

-----BEGIN CERTIFICATE-----
MIIGKjCCBBKgAwIBAgIDFeW2MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJB
VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYDVQQLDBBhLXNpZ24tU1NM
LUVWLTA1MRkwFwYDVQQDDBBhLXNpZ24tU1NMLUVWLTA1MB4XDTE0MTAzMTE1MjM0
OFoXDTE3MDEzMTE0MjM0OFowgbwxCzAJBgNVBAYTAkFUMRUwEwYDVQQKDAxBLVRy
dXN0IEdtYkgxFjAUBgNVBAsMDUN1c3RvbWVyIENhcmUxHDAaBgNVBAMME2NhLXRy
YWluLmEtdHJ1c3QuYXQxEDAOBgNVBAUTBzE5NTczOGExGzAZBgNVBA8TElYxLjAs
IENsYXVzZSA1LihYKTETMBEGCysGAQQBgjc8AgEDEwJBVDENMAsGA1UEBwwEV2ll
bjENMAsGA1UECAwEV2llbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANPsmH1ceJEc2OPNqdgIbtPdXKsizja8KzX59/QekptOQLrer/0lIwZzj4A3gVyN
KjfQtuByKzVEcS7BDi+vg4tYQPGO28vkJlQsdQCXiYKPtOwT5pKpusHWuyKurDhd
3r+ixzCWxhhYuHkczB3FyPk9yuYdl2zESqWpJaDt63r4p+EDM3o8NS7IGK0FvlCU
Sdv3yf8gTqyZl+1lXVlPeiXDekDcPs8d3F2+Aj6DWGbwnKER50a2EBABp5t+Ci9w
7T1atnOkLgmoQZQH/xTE7N4Xp/IP2aFSzHBjxYMgRdxoYPouhBbsAxYlX/vg2Hhc
cjT3DLEIjW+GIw1H+F2PWccCAwEAAaOCAWAwggFcMBEGA1UdDgQKBAhDIVX2fMX0
kjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEwYDVR0jBAww
CoAISMeTa7qkrj8wCQYDVR0TBAIwADB1BggrBgEFBQcBAQRpMGcwPAYIKwYBBQUH
MAKGMGh0dHA6Ly93d3cuYS10cnVzdC5hdC9jZXJ0cy9hLXNpZ24tc3NsLWV2LTA1
LmNydDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwME4G
A1UdIARHMEUwQwYGKigAEQEWMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93d3cuYS10
cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1zc2wtZXYwOwYDVR0fBDQwMjAwoC6gLIYq
aHR0cDovL2NybC5hLXRydXN0LmF0L2NybC9hLXNpZ24tU1NMLUVWLTA1MA0GCSqG
SIb3DQEBCwUAA4ICAQAJulOdcjtWXFzriG7irbvhhFN/cOW+COw3BrPcEREdEJED
WxLEyC4tFQd38lx2R9l14L7nggudw6nV3KVJRLX3qW/1UAfBZl8abm+pLuw8NeeD
Y4AAn++/E84P3nuEOFHu9CMZroHTYCYbNAtviD4rJv5vPkQ6HC1r6VCUgY6zkUYI
x/giWdlCVHyaf3lj4Mf5m8ZeXOawjs+afp1X8d74dpO8hf7y3zMCm0hu/TDeg47S
il3CLB9rj5k8Jc6KkpRj2gQ2713rDb8oDlkg32P/1xP0YDklCldFKS9WhYTLwneQ
8t854dEqdEmGDRdCiK0VSZ8UtYE9Cu6tqC8jdKgWO0Gm9ZFkHGksYIZt4W7ve3mn
6W8vYD4g2TH/Gffxwb0nNc6jzjiPzM3RphFKOs6V1TuYWAFb8g0viKeJ/0JNgYNX
3bVXEQvAgmrIvd51QmtuZuGgurUYPrnYXXD3MPQ58Nf924TXqIOBv/mimIWLEuoP
LRGSKpkEAHRG3rHsotzUxj4zkhP2YD4EvXK2J8wmWT/VzKrg2SkU9wlDXh3r2f9r
lEBEKiylqipaGQ3FBu54ChQWLJJ4ouhgHURWTjo8aBLNGJ8H+SwSrA6LNJbXsSVb
ODl+UWTpOC+Y5h1jo8Y9jr7m0gYLnqUeLIVeJ48YqEARt85RZbmt3Z8/r/h54w==
-----END CERTIFICATE-----
Flags: needinfo?(klein)
The new CPS is available on the A-Trust Website: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

The changes are as stated and translated above
Flags: needinfo?(klein)
@Adm Selec we had an old version of our certificate there, it has already been replaced
(In reply to klein from comment #12)
> Yes, the commitment to comply will be added in the introduction of our CPS
> (1.1):
> 
> A-Trust hält sich bei der Ausstellung von SSL (EV) Zertifikaten an die
> Vorgaben der aktuellen Version der "Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates" des Certifcate
> Authority/Browser Forums (CA/B Forum, https://www.cabforum.org). 
> 


I'm still not finding this in https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

I'm also concerned about there still being an old version of the EV CPS here:
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl#Certificate-Policies
and here
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl-ev#Certificate-Policies


Also, the commitment to comply with the Baseline Requirements is needed for non-EV SSL certs, as well as EV SSL certs.


And please respond to Comment #14. 
Regarding your response to https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
you had said:
* DNS names go in SAN - "every DNS name in SAN, additionally one DNS name in Subject"
Yet, there appears to be an SSL cert (additionally it is EV) without the SAN?
The change wasn't included when we created the CPS, thanks for pointing it out - a new version containing the paragraph is now online. I also changed the wording a bit to avoid confusion - "SSL (EV)" was changed to "SSL and SSL EV".

The old version of the policy was removed from our website.

The security measure to check for missing SANs was not in place for the mentioned test certificate. The service is working as intended now and no SSL or SSL EV certificates are issued without every DNS name included in the SAN. The initial statement is correct, every certificate issued will have one DNS name in the Subject and all others (if applicable) in the SAN. The DNS name from the subject is always included in the SAN.
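The subjectAltName issue raised with the ca-train.a-trust.at certificate earlier in this bug, and the rule stated in the reply above (one DNS name in the Subject, every DNS name including that one in the SAN), can be checked mechanically. The following Python script is an added example, not code from this bug, from A-Trust or from Mozilla's root program tooling: it walks the DER of the certificate pasted above with a minimal TLV reader, lists the extension OIDs, extracts the subject CN and the certificatePolicies OID, and reports whether the CN is covered by a SAN dNSName. It uses only the standard library; all function names are my own.

```python
import base64

# Constructed input for this example: the test-site certificate that was pasted
# into this bug, copied verbatim. Nothing below is fetched from the network.
CA_TRAIN_PEM = """-----BEGIN CERTIFICATE-----
MIIGKjCCBBKgAwIBAgIDFeW2MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYDVQQGEwJB
VDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hlcmhlaXRzc3lzdGVtZSBp
bSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYDVQQLDBBhLXNpZ24tU1NM
LUVWLTA1MRkwFwYDVQQDDBBhLXNpZ24tU1NMLUVWLTA1MB4XDTE0MTAzMTE1MjM0
OFoXDTE3MDEzMTE0MjM0OFowgbwxCzAJBgNVBAYTAkFUMRUwEwYDVQQKDAxBLVRy
dXN0IEdtYkgxFjAUBgNVBAsMDUN1c3RvbWVyIENhcmUxHDAaBgNVBAMME2NhLXRy
YWluLmEtdHJ1c3QuYXQxEDAOBgNVBAUTBzE5NTczOGExGzAZBgNVBA8TElYxLjAs
IENsYXVzZSA1LihYKTETMBEGCysGAQQBgjc8AgEDEwJBVDENMAsGA1UEBwwEV2ll
bjENMAsGA1UECAwEV2llbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANPsmH1ceJEc2OPNqdgIbtPdXKsizja8KzX59/QekptOQLrer/0lIwZzj4A3gVyN
KjfQtuByKzVEcS7BDi+vg4tYQPGO28vkJlQsdQCXiYKPtOwT5pKpusHWuyKurDhd
3r+ixzCWxhhYuHkczB3FyPk9yuYdl2zESqWpJaDt63r4p+EDM3o8NS7IGK0FvlCU
Sdv3yf8gTqyZl+1lXVlPeiXDekDcPs8d3F2+Aj6DWGbwnKER50a2EBABp5t+Ci9w
7T1atnOkLgmoQZQH/xTE7N4Xp/IP2aFSzHBjxYMgRdxoYPouhBbsAxYlX/vg2Hhc
cjT3DLEIjW+GIw1H+F2PWccCAwEAAaOCAWAwggFcMBEGA1UdDgQKBAhDIVX2fMX0
kjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEwYDVR0jBAww
CoAISMeTa7qkrj8wCQYDVR0TBAIwADB1BggrBgEFBQcBAQRpMGcwPAYIKwYBBQUH
MAKGMGh0dHA6Ly93d3cuYS10cnVzdC5hdC9jZXJ0cy9hLXNpZ24tc3NsLWV2LTA1
LmNydDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3AuYS10cnVzdC5hdC9vY3NwME4G
A1UdIARHMEUwQwYGKigAEQEWMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly93d3cuYS10
cnVzdC5hdC9kb2NzL2NwL2Etc2lnbi1zc2wtZXYwOwYDVR0fBDQwMjAwoC6gLIYq
aHR0cDovL2NybC5hLXRydXN0LmF0L2NybC9hLXNpZ24tU1NMLUVWLTA1MA0GCSqG
SIb3DQEBCwUAA4ICAQAJulOdcjtWXFzriG7irbvhhFN/cOW+COw3BrPcEREdEJED
WxLEyC4tFQd38lx2R9l14L7nggudw6nV3KVJRLX3qW/1UAfBZl8abm+pLuw8NeeD
Y4AAn++/E84P3nuEOFHu9CMZroHTYCYbNAtviD4rJv5vPkQ6HC1r6VCUgY6zkUYI
x/giWdlCVHyaf3lj4Mf5m8ZeXOawjs+afp1X8d74dpO8hf7y3zMCm0hu/TDeg47S
il3CLB9rj5k8Jc6KkpRj2gQ2713rDb8oDlkg32P/1xP0YDklCldFKS9WhYTLwneQ
8t854dEqdEmGDRdCiK0VSZ8UtYE9Cu6tqC8jdKgWO0Gm9ZFkHGksYIZt4W7ve3mn
6W8vYD4g2TH/Gffxwb0nNc6jzjiPzM3RphFKOs6V1TuYWAFb8g0viKeJ/0JNgYNX
3bVXEQvAgmrIvd51QmtuZuGgurUYPrnYXXD3MPQ58Nf924TXqIOBv/mimIWLEuoP
LRGSKpkEAHRG3rHsotzUxj4zkhP2YD4EvXK2J8wmWT/VzKrg2SkU9wlDXh3r2f9r
lEBEKiylqipaGQ3FBu54ChQWLJJ4ouhgHURWTjo8aBLNGJ8H+SwSrA6LNJbXsSVb
ODl+UWTpOC+Y5h1jo8Y9jr7m0gYLnqUeLIVeJ48YqEARt85RZbmt3Z8/r/h54w==
-----END CERTIFICATE-----"""

OID_SAN, OID_POLICIES, OID_CN = "2.5.29.17", "2.5.29.32", "2.5.4.3"

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos (single-byte tags are enough for X.509)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def decode_oid(raw):
    """Dotted-decimal form of a BER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def tbs_fields(der):
    """Top-level elements of tbsCertificate, with the optional [0] version dropped."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    fields = list(children(tbs))
    return fields[1:] if fields[0][0] == 0xA0 else fields

def subject_common_name(der):
    subject = tbs_fields(der)[4][1]                    # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in children(subject):                   # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            _, oid, pos = read_tlv(atv)
            if decode_oid(oid) == OID_CN:
                return read_tlv(atv, pos)[1].decode("utf-8")
    return None

def extensions(der):
    """Map extnID -> extnValue contents for every extension in the certificate."""
    result = {}
    for tag, value in tbs_fields(der):
        if tag == 0xA3:                                # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(value)[1]):
                parts = list(children(ext))            # OID, optional critical BOOLEAN, OCTET STRING
                result[decode_oid(parts[0][1])] = parts[-1][1]
    return result

def san_dns_names(der):
    """dNSName entries of subjectAltName; None (not []) when the extension is absent."""
    ext = extensions(der).get(OID_SAN)
    if ext is None:
        return None
    return [v.decode("ascii") for t, v in children(read_tlv(ext)[1]) if t == 0x82]

def policy_oids(der):
    """policyIdentifier of each PolicyInformation in certificatePolicies."""
    ext = extensions(der).get(OID_POLICIES)
    return [] if ext is None else [decode_oid(read_tlv(info)[1]) for _, info in children(read_tlv(ext)[1])]

def check_tls_cert(pem):
    """The rule stated in this bug: the subject CN must also appear as a SAN dNSName."""
    der = pem_to_der(pem)
    cn, dns = subject_common_name(der), san_dns_names(der)
    return {"subject_cn": cn, "san_dns_names": dns, "policies": policy_oids(der),
            "extensions": sorted(extensions(der)), "cn_covered_by_san": dns is not None and cn in dns}

if __name__ == "__main__":
    for key, value in check_tls_cert(CA_TRAIN_PEM).items():
        print(f"{key}: {value}")
```

Run against the certificate as posted, the script reports the subject CN ca-train.a-trust.at, a policy OID of 1.2.40.0.17.1.22, eight extensions (subjectKeyIdentifier, keyUsage, extKeyUsage, authorityKeyIdentifier, basicConstraints, authorityInfoAccess, certificatePolicies, cRLDistributionPoints) and no 2.5.29.17, so `san_dns_names` returns None and `cn_covered_by_san` is False. Returning None rather than an empty list for a missing extension keeps "no SAN at all" distinguishable from "SAN present but without DNS names" when the same check runs in pre-issuance linting.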
I just wanted to check if you need any additional information from our side
There are some errors being reported by https://certificate.revocationcheck.com/ 
for the test website https://ca-train.a-trust.at/

Please update this bug when the errors have been resolved.
We made a few adjustments to our ocsp service and ca-train.a-trust.at now passes all tests @ revocationcheck.com.
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.

In the meantime, please update this bug when the 2015 audit statements are available.
Whiteboard: EV - Information incomplete → EV - Ready for Public Discussion
Maybe I'm missing it, but I cannot find the list of root and intermediate certificates that each of the audit statements covers. So, I'm unable to confirm that the "A-Trust-Root-05" and "A-Trust-nQual-03" root certificates and their intermediate certificates are covered by these audit statements.
I contacted our auditor and will keep the post updated.
I am now opening the public discussion period for this request from A-Trust to include the ‘A-Trust-Root-05’ root certificate, turn on the Websites trust bit, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "A-Trust Root Renewal Request".

Please actively review, respond, and contribute to the discussion.

A representative of A-Trust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
Discussion on hold until the CA provides translations (into English) of the *new* CP and CPS documents pertaining to the 'A-Trust-Root-05' root certificate, non-EV TLS/SSL certificates, and EV TLS/SSL certificates (i.e. the version of the documents that are being used for the audit covering the period of March 2015 through February 2016).
Whiteboard: EV - In public discussion → EV - Discussion on hold pending translation of updated CP/CPS
Whiteboard: EV - Discussion on hold pending translation of updated CP/CPS → [ca-discussion-hold] -- EV - pending translation of updated CP/CPS
Product: mozilla.org → NSS

Closing this request per delayed response to Comment #28.
If the CA chooses to create a new root certificate, they may start a new root inclusion request as described here:
https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
QA Contact: kwilson
Resolution: --- → WONTFIX