
Add Renewed A-Trust-Root-05 root certificate

ASSIGNED
Assigned to

Status

NSS
CA Certificate Root Program
--
enhancement
ASSIGNED
4 years ago
a year ago

People

(Reporter: klein, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-discussion-hold] -- EV - pending translation of updated CP/CPS)

Attachments

(7 attachments)

(Reporter)

Description

4 years ago
CA Details
----------

CA Name: A-Trust-Root-05
Website: https://www.a-trust.at
Original Root Inclusion: https://bugzilla.mozilla.org/show_bug.cgi?id=530797
One Paragraph Summary of CA, including the following:
Used to issue Austrian Citizen Cards and A-Trust SSL (EV) certificates, customers from Central Europe.

Audit Type (WebTrust, ETSI etc.): WebTrust and WebTrust EV
Auditor: Ernst & Young (Austria)
Auditor Website: http://www.ey.com/
Audit Document URL(s): 
CA: https://cert.webtrust.org/ViewSeal?id=1753
EV: https://cert.webtrust.org/ViewSeal?id=1754

Certificate Details
-------------------

Certificate Name: A-Trust-Root-05
SSL and EV certificates are issued in the following hierarchy:
A-Trust-Root-05   (http://www.a-trust.at/certs/A-Trust-Root-05.crt)
   a-sign-SSL-05   (http://www.a-trust.at/certs/a-sign-ssl-05.crt)
   a-sign-SSL-EV-05   (http://www.a-trust.at/certs/a-sign-ssl-ev-05.crt)
       User certificates 

Certificate download URL (on CA website): http://www.a-trust.at/certs/A-Trust-Root-05.crt
Version: 3
Fingerprint: 2e66c984 1181c08f b1dfabd4 ff8d5cc7 2be08f02
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2013-09-23
Valid To (YYYY-MM-DD): 2023-09-20

CRL HTTP URL: http://crl.a-trust.at/crl/A-Trust-Root-05
CRL issuing frequency for subordinate end-entity certificates: 2 hours or on change
CRL issuing frequency for subordinate CA certificates: 2 hours or on change
OCSP URL: http://ocsp.a-trust.at/ocsp

Class (domain-validated, identity/organizationally-validated or EV): all
Certificate Policy URL: https://www.a-trust.at/docs/cp/a-sign-ssl-ev/a-sign-ssl-ev.pdf
CPS URL: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): SSL with EV
URL of example website using certificate subordinate to this root
(if applying for SSL): https://ca-train.a-trust.at/
(Assignee)

Updated

4 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
(Assignee)

Comment 1

4 years ago
Created attachment 8517704 [details]
Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
(Reporter)

Comment 2

3 years ago
Created attachment 8584403 [details]
answers to open questions

The responses are enclosed in the attached document.
(Reporter)

Comment 3

3 years ago
Created attachment 8584404 [details]
Result EV Check

Result EV Check
(Reporter)

Comment 4

3 years ago
Created attachment 8584405 [details]
Result EV Check JPG

Result EV Check JPG
(Reporter)

Comment 5

3 years ago
Created attachment 8584406 [details]
CPS Translations

CPS Translations
(Assignee)

Comment 6

3 years ago
Created attachment 8589901 [details]
1092963-CAInformation.pdf

I've entered the data for this request into SalesForce.

Please review the attached document to ensure it is correct and complete, and provide corrections and remaining needed information by posting comments in this bug.
(Reporter)

Comment 7

3 years ago
Audit Statements:
https://www.a-trust.at/downloads/Assertion_EV.PDF
https://www.a-trust.at/downloads/Assertion_WT.PDF

The next CPS that will be covered by our next Audit (May 2015) will include our commitment to comply with the BRs.

The translations already provided cover both regular SSL certificates and EV certificates (verifying domain ownership); our checks are similar for both types.
(Assignee)

Comment 8

3 years ago
(In reply to klein from comment #7)
> Audit Statements:
> https://www.a-trust.at/downloads/Assertion_EV.PDF
> https://www.a-trust.at/downloads/Assertion_WT.PDF
> 

When I open these links I see Assertions by A-Trust Management, and I don't see the auditor's statements.
(Assignee)

Comment 9

3 years ago
(In reply to klein from comment #7)
> The translations already provided cover both regular SSL certificates and EV
> certificates (verifying domain ownership), our checks are similar for both
> types.

The provided translations say:
> 3.1.8 Check of Domain or IP Address
> The holder of a domain is verified using the databases provided by the 
> applicable authority (such as www.nic.at, www.denic.de,...).
> The use of IP addresses in EV certificates is not permitted.

Please see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership
"It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond?"
and
"It is not sufficient to simply reference section 11 of the CA/Browser Forum's Baseline Requirements (BR). BR #11.1.1 lists several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing section 11 of the BRs does not specify which of those options the CA uses, and is insufficient for describing how the CA conforms to the BRs. BR #8.2.1 says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."
(Reporter)

Comment 10

3 years ago
We received an updated audit letter including the BRs - https://cert.webtrust.org/ViewSeal?id=1803 (https://cert.webtrust.org/SealFile?seal=1803&file=pdf).

The section concerning verification of Domain Ownership (CPS 3.1.8) includes an optional check through the Administrative contact returned by the WHOIS query. The new CPS that is covered by the next Audit (already in progress) will remove the "optional" so that the check is required with each issued certificate. Translation:

....

A-Trust obtains a confirmation regarding the use of the domain from the administrative contact in the result of the WHOIS query. This confirmation can be given by e-mail or on the phone.

If the administrative contact is not the applicant, A-Trust requires a statement of authority from the administrative contact as well as a scan of a valid ID (CPS 3.1.9).
(Assignee)

Comment 11

3 years ago
Thanks for providing the link to the BR audit statement.

Will your updated CPS also contain a commitment to comply with the BRs?
https://wiki.mozilla.org/CA:BaselineRequirements#CA_Conformance_to_the_BRs
"The CA's CP or CPS documents must include a commitment to comply with the BRs, as described in BR section 8.3."

When will the new version of your CPS be available?
(Reporter)

Comment 12

3 years ago
Yes, the commitment to comply will be added in the introduction of our CPS (1.1):

When issuing SSL (EV) certificates, A-Trust adheres to the requirements of the current version of the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" of the Certificate Authority/Browser Forum (CA/B Forum, https://www.cabforum.org).

->

When issuing SSL (EV) certificates, A-Trust conforms to the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" published by the Certificate Authority/Browser Forum (CA/B Forum, https://www.cabforum.org).


The new CPS is currently under review by our auditor; we expect to finish the process next week and will release the new version accordingly.
(Assignee)

Comment 13

3 years ago
(In reply to klein from comment #12)
> The new CPS is currently under review by our auditor, we expect to finish
> the process next week and we will release the new version accordingly.

Please update this bug when the new CPS is available on your website.

Comment 14

3 years ago
Extended Validation certificate without subjectAltName?

https://ca-train.a-trust.at/

Flags: needinfo?(klein)
(Reporter)

Comment 15

3 years ago
The new CPS is available on the A-Trust Website: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

The changes are as stated and translated above.
Flags: needinfo?(klein)
(Reporter)

Comment 16

3 years ago
@Adm Selec: we had an old version of our certificate there; it has already been replaced.
(Assignee)

Comment 17

3 years ago
(In reply to klein from comment #12)
> Yes, the commitment to comply will be added in the introduction of our CPS
> (1.1):
> 
> When issuing SSL (EV) certificates, A-Trust adheres to the requirements of
> the current version of the "Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates" of the Certificate
> Authority/Browser Forum (CA/B Forum, https://www.cabforum.org).
> 


I'm still not finding this in https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

I'm also concerned about there still being an old version of the EV CPS here:
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl#Certificate-Policies
and here
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl-ev#Certificate-Policies


Also, the commitment to comply with the Baseline Requirements is needed for non-EV SSL certs, as well as EV SSL certs.


And please respond to Comment #14.
Regarding your response to https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
you had said:
* DNS names go in SAN - "every DNS name in SAN, additionally one DNS name in Subject"
Yet, there appears to be an SSL cert (additionally it is EV) without the SAN?
(Reporter)

Comment 18

3 years ago
The change wasn't included when we created the CPS, thanks for pointing it out - a new version containing the paragraph is now online. I also changed the wording a bit to avoid confusion - "SSL (EV)" was changed to "SSL and SSL EV".

The old version of the policy was removed from our website.

The security measure to check for missing SANs was not in place for the mentioned test certificate. The service is working as intended now and no SSL or SSL EV certificates are issued without every DNS name included in the SAN. The initial statement is correct, every certificate issued will have one DNS name in the Subject and all others (if applicable) in the SAN. The DNS name from the subject is always included in the SAN.
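The pre-issuance SAN check described in this comment (every DNS name in the SAN, the Subject DNS name repeated in the SAN, and, from the CPS translation in Comment 9, no IP addresses in EV certificates), written out as an added example that is not A-Trust's or Mozilla's code. The `TbsProfile` fields and the finding messages are assumptions, and the sample inputs are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TbsProfile:
    """Constructed stand-in for the to-be-signed fields a CA would lint
    before issuance: Subject CN, SAN entries as (type, value), EV flag."""
    subject_cn: Optional[str]
    san: List[Tuple[str, str]] = field(default_factory=list)  # ("dNSName" | "iPAddress", value)
    ev: bool = False


def lint_san(profile: TbsProfile) -> List[str]:
    """Return policy findings for a server-certificate profile; [] means it passes."""
    findings: List[str] = []
    dns_names = {v.lower() for t, v in profile.san if t == "dNSName"}
    ip_entries = [v for t, v in profile.san if t == "iPAddress"]

    # Rule 1: a TLS server certificate must carry a subjectAltName at all.
    if not profile.san:
        findings.append("missing subjectAltName extension")

    # Rule 2: the Subject CN is only a copy; it must also be a dNSName in the SAN.
    if profile.subject_cn and profile.subject_cn.lower() not in dns_names:
        findings.append(f"subject CN {profile.subject_cn!r} not present in SAN")

    # Rule 3: EV certificates may not name IP addresses.
    if profile.ev and ip_entries:
        findings.append(f"EV profile contains iPAddress entries: {ip_entries}")

    # A malformed iPAddress value is a defect in its own right.
    for v in ip_entries:
        try:
            ipaddress.ip_address(v)
        except ValueError:
            findings.append(f"iPAddress entry {v!r} is not a valid address")
    return findings


if __name__ == "__main__":
    # Constructed: the shape of the test certificate questioned in Comment 14
    # (CN present, SAN absent) beside a profile that satisfies the stated rule.
    bad = TbsProfile("ca-train.a-trust.at", [], ev=True)
    good = TbsProfile("ca-train.a-trust.at",
                      [("dNSName", "ca-train.a-trust.at"), ("dNSName", "www.ca-train.a-trust.at")],
                      ev=True)
    print("old test cert:", lint_san(bad))
    print("corrected cert:", lint_san(good))
```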
(Reporter)

Comment 19

3 years ago
I just wanted to check if you need any additional information from our side.
(Assignee)

Comment 20

3 years ago
There are some errors being reported by https://certificate.revocationcheck.com/ 
for the test website https://ca-train.a-trust.at/

Please update this bug when the errors have been resolved.
(Reporter)

Comment 21

3 years ago
We made a few adjustments to our OCSP service, and ca-train.a-trust.at now passes all tests at revocationcheck.com.
(Assignee)

Comment 22

3 years ago
Created attachment 8668186 [details]
1092963-CAInformation-Complete.pdf
(Assignee)

Comment 23

3 years ago
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.

In the meantime, please update this bug when the 2015 audit statements are available.
Whiteboard: EV - Information incomplete → EV - Ready for Public Discussion
(Assignee)

Comment 25

3 years ago
Maybe I'm missing it, but I cannot find the list of root and intermediate certificates that each of the audit statements covers. So, I'm unable to confirm that the "A-Trust-Root-05" and "A-Trust-nQual-03" root certificates and their intermediate certificates are covered by these audit statements.
(Reporter)

Comment 26

3 years ago
I contacted our auditor and will keep the post updated.
(Assignee)

Comment 27

3 years ago
I am now opening the public discussion period for this request from A-Trust to include the ‘A-Trust-Root-05’ root certificate, turn on the Websites trust bit, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "A-Trust Root Renewal Request".

Please actively review, respond, and contribute to the discussion.

A representative of A-Trust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
(Assignee)

Comment 28

2 years ago
Discussion on hold until the CA provides translations (into English) of the *new* CP and CPS documents pertaining to the 'A-Trust-Root-05' root certificate, non-EV TLS/SSL certificates, and EV TLS/SSL certificates (i.e. the version of the documents that are being used for the audit covering the period of March 2015 through February 2016).
Whiteboard: EV - In public discussion → EV - Discussion on hold pending translation of updated CP/CPS

Updated

a year ago
Whiteboard: EV - Discussion on hold pending translation of updated CP/CPS → [ca-discussion-hold] -- EV - pending translation of updated CP/CPS

Updated

a year ago
Product: mozilla.org → NSS