Closed Bug 1092963 Opened 5 years ago Closed 4 months ago
Add Renewed A-Trust-Root-05 root certificate
CA Details
----------
CA Name: A-Trust-Root-05
Website: https://www.a-trust.at
Original Root Inclusion: https://bugzilla.mozilla.org/show_bug.cgi?id=530797
One Paragraph Summary of CA, including the following: Used to issue Austrian Citizen Cards and A-Trust SSL (EV) certificates, customers from Central Europe.
Audit Type (WebTrust, ETSI etc.): WebTrust and WebTrust EV
Auditor: Ernst & Young (Austria)
Auditor Website: http://www.ey.com/
Audit Document URL(s):
CA: https://cert.webtrust.org/ViewSeal?id=1753
EV: https://cert.webtrust.org/ViewSeal?id=1754

Certificate Details
-------------------
Certificate Name: A-Trust-Root-05
SSL and EV certificates are issued in the following hierarchy:
A-Trust-Root-05 (http://www.a-trust.at/certs/A-Trust-Root-05.crt)
  a-sign-SSL-05 (http://www.a-trust.at/certs/a-sign-ssl-05.crt)
  a-sign-SSL-EV-05 (http://www.a-trust.at/certs/a-sign-ssl-ev-05.crt)
    User certificates
Certificate download URL (on CA website): http://www.a-trust.at/certs/A-Trust-Root-05.crt
Version: 3
Fingerprint: 2e66c984 1181c08f b1dfabd4 ff8d5cc7 2be08f02
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2013-09-23
Valid To (YYYY-MM-DD): 2023-09-20
CRL HTTP URL: http://crl.a-trust.at/crl/A-Trust-Root-05
CRL issuing frequency for subordinate end-entity certificates: 2 hours or on change
CRL issuing frequency for subordinate CA certificates: 2 hours or on change
OCSP URL: http://ocsp.a-trust.at/ocsp
Class (domain-validated, identity/organizationally-validated or EV): all
Certificate Policy URL: https://www.a-trust.at/docs/cp/a-sign-ssl-ev/a-sign-ssl-ev.pdf
CPS URL: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): SSL with EV
URL of example website using certificate subordinate to this root (if applying for SSL): https://ca-train.a-trust.at/
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness, and provide the necessary information in this bug.
The responses are enclosed in the attached document.
I've entered the data for this request into SalesForce. Please review the attached document to ensure it is correct and complete, and provide corrections and remaining needed information by posting comments in this bug.
Audit Statements:
https://www.a-trust.at/downloads/Assertion_EV.PDF
https://www.a-trust.at/downloads/Assertion_WT.PDF

The next CPS that will be covered by our next Audit (May 2015) will include our commitment to comply with the BRs.

The translations already provided cover both regular SSL certificates and EV certificates (verifying domain ownership), our checks are similar for both types.
(In reply to klein from comment #7)
> Audit Statements:
> https://www.a-trust.at/downloads/Assertion_EV.PDF
> https://www.a-trust.at/downloads/Assertion_WT.PDF

When I open these links I see Assertions by A-Trust Management, and I don't see the auditor's statements.
(In reply to klein from comment #7)
> The translations already provided cover both regular SSL certificates and EV
> certificates (verifying domain ownership), our checks are similar for both
> types.

The provided translation says:
> 3.1.8 Check of Domain or IP Address
> The holder of a domain is verified using the databases provided by the
> applicable authority (such as www.nic.at, www.denic.de,...).
> The use of IP addresses in EV certificates is not permitted.

Please see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership

"It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond?"

and

"It is not sufficient to simply reference section 11 of the CA/Browser Forum's Baseline Requirements (BR). BR #11.1.1 lists several ways in which the CA may confirm that the certificate subscriber owns/controls the domain name to be included in the certificate. Simply referencing section 11 of the BRs does not specify which of those options the CA uses, and is insufficient for describing how the CA conforms to the BRs. BR #8.2.1 says: "The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.""
We received an updated audit letter including the BRs - https://cert.webtrust.org/ViewSeal?id=1803 (https://cert.webtrust.org/SealFile?seal=1803&file=pdf).

The section concerning verification of Domain Ownership (CPS 3.1.8) includes an optional check through the Administrative contact returned by the WHOIS query. The new CPS that is covered by the next Audit (already in progress) will remove the "optional" so that the check is required with each issued certificate.

Translation:
.... A-Trust obtains a confirmation regarding the use of the domain from the administrative contact in the result of the WHOIS query. This confirmation can be given by E-Mail or on the phone. If the administrative contact is not the applicant, A-Trust requires a statement of authority from the administrative contact as well as a scan of a valid ID (CPS 3.1.9).
Thanks for providing the link to the BR audit statement.

Will your updated CPS also contain a commitment to comply with the BRs?
https://wiki.mozilla.org/CA:BaselineRequirements#CA_Conformance_to_the_BRs
"The CA's CP or CPS documents must include a commitment to comply with the BRs, as described in BR section 8.3."

When will the new version of your CPS be available?
Yes, the commitment to comply will be added in the introduction of our CPS (1.1):

A-Trust hält sich bei der Ausstellung von SSL (EV) Zertifikaten an die Vorgaben der aktuellen Version der "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" des Certificate Authority/Browser Forums (CA/B Forum, https://www.cabforum.org).

-> When issuing SSL (EV) certificates, A-Trust conforms to the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" published by the Certificate Authority/Browser Forum (CA/B Forum, https://www.cabforum.org).

The new CPS is currently under review by our auditor, we expect to finish the process next week and we will release the new version accordingly.
(In reply to klein from comment #12)
> The new CPS is currently under review by our auditor, we expect to finish
> the process next week and we will release the new version accordingly.

Please update this bug when the new CPS is available on your website.
Extended Validation certificate without subjectAltName? https://ca-train.a-trust.at/
The new CPS is available on the A-Trust Website: https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

The changes are as stated and translated above.
@Adm Selec we had an old version of our certificate there, it has already been replaced
(In reply to klein from comment #12)
> Yes, the commitment to comply will be added in the introduction of our CPS
> (1.1):
>
> A-Trust hält sich bei der Ausstellung von SSL (EV) Zertifikaten an die
> Vorgaben der aktuellen Version der "Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates" des Certificate
> Authority/Browser Forums (CA/B Forum, https://www.cabforum.org).

I'm still not finding this in https://www.a-trust.at/docs/cps/a-sign-ssl-ev/a-sign-ssl-ev_cps.pdf

I'm also concerned about there still being an old version of the EV CPS here:
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl#Certificate-Policies
and here
https://www.a-trust.at/Default.aspx?TabID=175&dir=/docs/cp/a-sign-ssl-ev#Certificate-Policies

Also, the commitment to comply with the Baseline Requirements is needed for non-EV SSL certs, as well as EV SSL certs.

And please respond to Comment #14. Regarding your response to https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices you had said:
* DNS names go in SAN - "every DNS name in SAN, additionally one DNS name in Subject"
Yet, there appears to be an SSL cert (additionally it is EV) without the SAN?
The change wasn't included when we created the CPS, thanks for pointing it out - a new version containing the paragraph is now online. I also changed the wording a bit to avoid confusion - "SSL (EV)" was changed to "SSL and SSL EV". The old version of the policy was removed from our website.

The security measure to check for missing SANs was not in place for the mentioned test certificate. The service is working as intended now and no SSL or SSL EV certificates are issued without every DNS name included in the SAN. The initial statement is correct, every certificate issued will have one DNS name in the Subject and all others (if applicable) in the SAN. The DNS name from the subject is always included in the SAN.
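A minimal pre-issuance lint for the rule stated in the comment above (at least one dNSName in the SAN, and the subject CN repeated there), written in Go as an added example; it is not A-Trust's code, and the certificate it checks is constructed locally with made-up CN and SAN values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sanProblems lists why a TLS certificate fails the rule in the comment above:
// at least one dNSName in SAN, and the subject CN repeated there. Empty = pass.
func sanProblems(cert *x509.Certificate) []string {
	var problems []string
	if len(cert.DNSNames) == 0 {
		problems = append(problems, "no dNSName entries in subjectAltName")
	}
	cn, inSAN := cert.Subject.CommonName, false
	for _, d := range cert.DNSNames {
		if d == cn {
			inSAN = true
		}
	}
	if cn != "" && !inSAN {
		problems = append(problems, "subject CN "+cn+" is not repeated in SAN")
	}
	return problems
}

// makeTestCert builds a self-signed leaf; CN/SAN values are constructed test data.
func makeTestCert(cn string, sans []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // nil reproduces the "no SAN" case reported above
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

Run the check over a freshly signed DER blob before it leaves the CA; a non-empty result should block issuance rather than just be logged.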
I just wanted to check if you need any additional information from our side
There are some errors being reported by https://certificate.revocationcheck.com/ for the test website https://ca-train.a-trust.at/

Please update this bug when the errors have been resolved.
We made a few adjustments to our ocsp service and ca-train.a-trust.at now passes all tests @ revocationcheck.com.
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

I will update this bug when I start the discussion.

In the meantime, please update this bug when the 2015 audit statements are available.
Whiteboard: EV - Information incomplete → EV - Ready for Public Discussion
Hi! The final statements are ready:
https://cert.webtrust.org/ViewSeal?id=1933
https://cert.webtrust.org/ViewSeal?id=1934
https://cert.webtrust.org/ViewSeal?id=1932
Maybe I'm missing it, but I cannot find the list of root and intermediate certificates that each of the audit statements covers. So, I'm unable to confirm that the "A-Trust-Root-05" and "A-Trust-nQual-03" root certificates and their intermediate certificates are covered by these audit statements.
I contacted our auditor and will keep the post updated.
I am now opening the public discussion period for this request from A-Trust to include the 'A-Trust-Root-05' root certificate, turn on the Websites trust bit, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "A-Trust Root Renewal Request".

Please actively review, respond, and contribute to the discussion.

A representative of A-Trust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
Discussion on hold until the CA provides translations (into English) of the *new* CP and CPS documents pertaining to the 'A-Trust-Root-05' root certificate, non-EV TLS/SSL certificates, and EV TLS/SSL certificates (i.e. the version of the documents that are being used for the audit covering the period of March 2015 through February 2016).
Whiteboard: EV - In public discussion → EV - Discussion on hold pending translation of updated CP/CPS
Whiteboard: EV - Discussion on hold pending translation of updated CP/CPS → [ca-discussion-hold] -- EV - pending translation of updated CP/CPS
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
QA Contact: kwilson
Resolution: --- → WONTFIX