Bug 1172401 - Add Amazon root certificates
Status: ASSIGNED (EV - In Public Discussion)
Product: mozilla.org
Classification: Other
Component: CA Certificates
Importance: -- enhancement with 4 votes
Assigned To: Kathleen Wilson
Reported: 2015-06-07 23:05 PDT by Peter Bowen
Modified: 2016-08-28 06:46 PDT

Attachments
1172401-CAInformation.pdf (290.66 KB, application/pdf), 2015-06-18 14:28 PDT, Kathleen Wilson
1172401-CAInformation.pdf (410.55 KB, application/pdf), 2016-01-12 15:52 PST, Kathleen Wilson
1172401-CAInformation.pdf (410.94 KB, application/pdf), 2016-01-14 11:20 PST, Kathleen Wilson
1172401-CAInformation-Complete.pdf (431.63 KB, application/pdf), 2016-03-23 16:43 PDT, Kathleen Wilson

Description Peter Bowen 2015-06-07 23:05:43 PDT
CA Details
----------

CA Name: Amazon
Websites: https://aws.amazon.com/ and http://www.awstrust.com/repository/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Web Services.  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-07

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
Comment 1 Kathleen Wilson 2015-06-08 09:19:53 PDT
I will start the information verification phase for this request soon.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Comment 2 Kyle Hamilton 2015-06-08 10:24:20 PDT
I'm sorry if the information shows up in the CPSes, but:

What's the maximum length of time that an OCSP response is valid, for each of the roots?  Do they constrain the maximum OCSP response validity time for subordinates?

Will any of them be used to issue intermediate certificates for external organizations to operate certifiers?
Comment 3 Marc Brooks 2015-06-08 11:40:58 PDT
Why wouldn't you present your Certification download URL on an https: endpoint?
Comment 4 Yuhong Bao 2015-06-08 16:36:32 PDT
What is the OID that is going to be used for EV certificates?
Comment 5 kmindi 2015-06-09 11:50:55 PDT
There could be other interests behind this. Several intelligence agencies/companies are involved with Amazon: 
http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/
http://www.speicherguide.de/news/amazon-tuetelt-mega-cloud-deal-mit-cia,-nsa,-fbi-co-ein-20203.aspx

How good was/is that audit?
Comment 6 PhistucK 2015-06-13 01:09:56 PDT
(In reply to Marc Brooks from comment #3)
> Why wouldn't you present your Certification download URL on an https:
> endpoint?

This whole domain (www.awstrust.com) does not support HTTPS. :(
Comment 7 brian howson 2015-06-16 09:02:27 PDT
The repository is now (Cert issued yesterday 6/15) available over https. 

https://www.awstrust.com/repository


openssl x509 -inform der -subject -fingerprint -noout -startdate -enddate  -in AmazonRootCA1.cer
subject= /C=US/O=Amazon/CN=Amazon Root CA 1
SHA1 Fingerprint=8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
notBefore=May 26 00:00:00 2015 GMT
notAfter=Jan 17 00:00:00 2038 GMT

One minor error: the valid-to date for CA 1 is 17 not 7 January; this is not material.
Comment 8 Kathleen Wilson 2015-06-18 14:28:28 PDT
Created attachment 8624480 [details]
1172401-CAInformation.pdf

I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.
Comment 9 Peter Bowen 2015-12-17 14:31:27 PST
Apologies for the delay.  Here is our updated application which should answer all the open questions from the information gathering document.

CA Details
----------

CA Name: Amazon
Websites: https://www.amazontrust.com/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Trust Services ("Amazon").  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

This application includes four new root CAs.  It also includes one additional root CA already in the Mozilla program which we wish to have enabled for EV certificate issuance.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):
https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf

We have reviewed the "Potentially problematic CA practices" (https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices). We fully comply with the Mozilla CA program requirements, including complying with the CA/Browser Forum Guidelines.  These requirements forbid many of the problematic practices.

Amazon allows externally operated subordinate CAs as documented in section 4.2.2 of the ATS CPS.   Third parties cannot directly cause the issuance of certificates from Amazon operated CAs.

CPS section 3.2.2.2 documents our validation procedures for verifying any email addresses to be included in certificates we issue.

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-17

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca1a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca2a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca3a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca4a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #5 Details
----------------------
Certificate Name: Starfield Services Root Certificate Authority - G2
The Starfield Services Root Certificate Authority - G2 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/SFSRootCAG2.cer
Version: X.509 v3
SHA1 Fingerprint: 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2009-09-01
Valid To : 2037-12-31

CRL HTTP URL: http://crl.rootg2.amazontrust.com/rootg2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootg2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca0a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority and Starfield Class 2 Certification Authority have issued cross certificates with this root as the subject.
Comment 10 Kathleen Wilson 2016-01-11 16:45:21 PST
Please test all of the example websites given in Comment #9 with the following:

1) https://certificate.revocationcheck.com/
Make sure there are no errors.

2) https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version#EV-Readiness_Check
Comment in this bug to provide the successful output for each of the root certs to be enabled for EV treatment.
Comment 11 Kathleen Wilson 2016-01-12 10:54:37 PST
I think we can continue in our process as soon as you provide the information in Comment #10, but in the meantime...

(In reply to Peter Bowen from comment #9)
> Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for
> WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
> Auditor: EY
> Auditor Website: http://www.ey.com/
> Audit Document URL(s):
> https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf


I have previously exchanged email with an EY partner to confirm the authenticity of these audit statements.

https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
Currently says: "AWS has not issued any Subordinate CAs for the Amazon Root CA 1, Amazon Root CA 2, Amazon Root CA 3 and Amazon Root CA 4.  Since AWS does not currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable."

https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
Currently says: "AWS has not issued any Subordinate CAs or cross-signed any CAs for the Starfield Services Root Certificate Authority - G2.  Since AWS does not currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable."

So, clearly, we will need updated audit statements before this request can be approved.
Comment 12 Peter Bowen 2016-01-12 13:13:30 PST
Here is the output of the EV tool:

// CN=Amazon Root CA 1,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 
  0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 
  0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDE=",
"Bmyfz5m/jAo54vB4ikPmljZbyg==",
Success!

// CN=Amazon Root CA 2,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 
  0x18, 0xF8, 0x0B, 0xEC, 0x4F, 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 
  0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDI=",
"Bmyf0pY1hp8KD+WGePhbJruKNw==",
Success!

// CN=Amazon Root CA 3,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 
  0xB8, 0xDF, 0xE8, 0x68, 0xCB, 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 
  0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDM=",
"Bmyf1XSXNmY/Owua2eiedgPySg==",
Success!

// CN=Amazon Root CA 4,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 
  0x38, 0xCD, 0x62, 0x39, 0x62, 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 
  0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDQ=",
"Bmyf18G7EEwpQ+Vxe3ssyBrBDg==",
Success!

// CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 
  0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 
  0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 },
"MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7"
"MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0"
"aG9yaXR5IC0gRzI=",
"AA==",
Success!
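The EV tool entries above are the fields NSS keeps per EV root (policy OID, SHA-256 fingerprint, base64 DER issuer Name, base64 serial). As an added example that is not part of this bug or of Mozilla's tool, the stdlib-only Python below decodes such an entry back into the readable subject string, serial hex and colon-separated fingerprint, so the entry can be cross-checked against `openssl x509 -noout -subject -serial -fingerprint -sha256` on the downloaded root. Function and constant names are my own; the two sample entries are copied from comment 12.

```python
"""Decode an NSS EV-root entry (as printed by Mozilla's EV-readiness tool)
back into readable fields: issuer DN, serial number hex and SHA-256
fingerprint.  Standard library only; sample entries copied from comment 12.
"""
import base64

# Attribute-type OIDs found in root issuer names (RFC 4519 short names).
ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form, e.g. 0x81 0x98 for 152 bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID contents (e.g. 55 04 03) into dotted form (2.5.4.3)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_name(der):
    """Return a DER X.501 Name as [(attr, value), ...] in encoded order (C first)."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = read_tlv(seq, pos)
        assert tag == 0x31, "RDN must be a SET"
        spos = 0
        while spos < len(rdn_set):          # normally one AttributeTypeAndValue per RDN
            _, atv, spos = read_tlv(rdn_set, spos)
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            # 0x0C = UTF8String; Printable/IA5 are ASCII, T61 approximated as latin-1
            text = value.decode("utf-8" if vtag == 0x0C else "latin-1")
            dotted = decode_oid(oid)
            rdns.append((ATTR_NAMES.get(dotted, dotted), text))
    return rdns

def name_to_string(rdns):
    """Render RDNs like the tool's comment line: CN first, comma-bearing values quoted."""
    parts = []
    for attr, value in reversed(rdns):
        if "," in value:
            value = '"%s"' % value
        parts.append("%s=%s" % (attr, value))
    return ",".join(parts)

def fingerprint_string(digest):
    """Format the SHA-256 byte array as openssl's colon-separated uppercase hex."""
    return ":".join("%02X" % b for b in digest)

def decode_ev_entry(entry):
    """Decode one entry dict: policy OID, fingerprint bytes, base64 issuer, base64 serial."""
    return {
        "policy_oid": entry["policy_oid"],
        "sha256": fingerprint_string(entry["fingerprint"]),
        "issuer": name_to_string(parse_name(base64.b64decode(entry["issuer_b64"]))),
        "serial": base64.b64decode(entry["serial_b64"]).hex(),   # lowercase, no colons
    }

# Sample entries copied from the EV tool output in comment 12.
AMAZON_ROOT_CA_1 = {
    "policy_oid": "2.23.140.1.1",
    "fingerprint": bytes([
        0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3,
        0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC,
        0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E]),
    "issuer_b64": "MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpvbiBSb290IENBIDE=",
    "serial_b64": "Bmyfz5m/jAo54vB4ikPmljZbyg==",
}
STARFIELD_SERVICES_G2 = {
    "policy_oid": "2.23.140.1.1",
    "fingerprint": bytes([
        0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02,
        0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13,
        0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5]),
    "issuer_b64": ("MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
                   "dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7"
                   "MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0"
                   "aG9yaXR5IC0gRzI="),
    "serial_b64": "AA==",
}

if __name__ == "__main__":
    for entry in (AMAZON_ROOT_CA_1, STARFIELD_SERVICES_G2):
        for key, val in decode_ev_entry(entry).items():
            print("%-10s %s" % (key, val))
```

The decoded serial for the Starfield entry is a single zero byte, which is why the tool prints "AA==" for it.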
Comment 13 Kathleen Wilson 2016-01-12 15:52:37 PST
Created attachment 8707200 [details]
1172401-CAInformation.pdf

I entered all of the new data into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide any corrections.

Noted in the document: https://certificate.revocationcheck.com/ is still showing timeout errors for the test websites. Please fix.
Comment 14 Peter Bowen 2016-01-13 18:50:36 PST
All URLs are now working on certificate.revocationcheck.com.  The problem was an IPv6 issue which is now resolved.  No errors are being reported at this time.

Please update the CA Email Alias 1 to amazontrust [at] amazon.com.  This is our standard address.
ats-tsp-requests [at] amazon.com can be used to report certificate issues 24x7, but we prefer to not use it for routine contacts.

We have a set of period-of-time audits currently in progress.  As we now have subordinate CAs which issue subscriber certificates these reports are not expected to contain the statement above.  We understand that this inclusion request cannot be completed without the new reports, but we hope that the new reports will not block starting the public discussion.
Comment 15 Kathleen Wilson 2016-01-14 11:20:42 PST
Created attachment 8708008 [details]
1172401-CAInformation.pdf
Comment 16 Kathleen Wilson 2016-01-14 11:25:19 PST
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.
Comment 17 Steve Riley 2016-01-25 15:46:11 PST
The description from Peter Bowen mentions this:

"We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon."

However, the product detail pages and the documentation at AWS clearly state that certificates issued by AWS Certificate Manager can be used only for Elastic Load Balancer and CloudFront:

http://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html
"Currently, ACM Certificates can be used only with Elastic Load Balancing and Amazon CloudFront."

https://docs.aws.amazon.com/acm/latest/userguide/gs-elb.html
"You do not install your ACM Certificate directly on the Amazon EC2 instances that contain your website or your application. Instead, you associate the ACM Certificate with an AWS service"

Will ACM-issued certificates at some point be usable outside AWS, as Peter's statement implies?
Comment 18 Peter Bowen 2016-03-17 13:56:28 PDT
Amazon Trust Services has now received WebTrust seals and period of time audit reports.  This should resolve the item noted in comment 11.

https://cert.webtrust.org/ViewSeal?id=1998 (Trust Service Principles and Criteria for Certification Authorities Version 2.0)
https://cert.webtrust.org/ViewSeal?id=1999 (WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0)
https://cert.webtrust.org/ViewSeal?id=2000 (WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5)
Comment 19 Kathleen Wilson 2016-03-23 16:43:47 PDT
Created attachment 8734171 [details]
1172401-CAInformation-Complete.pdf
Comment 20 Peter Bowen 2016-03-23 19:09:27 PDT
One clarification point with regards to hierarchy: When we offer Extended Validation Server Authentication certificates to third parties, we will establish a specific subordinate CA for this purpose.  For issuing EV certificates for testing we used subordinate CAs that have only issued certificates for testing and have only issued to affiliates of the CA or the CA itself.  The certificates issued for testing are a mix of Extended and Standard validation.
Comment 21 Kathleen Wilson 2016-08-04 17:42:36 PDT
I am now opening the public discussion period for this request from Amazon to enable EV treatment for the currently-included "Starfield Services Root Certificate Authority - G2" certificate, and to include the following 4 new root certificates, turn on the Email and Websites trust bits for them, and enable EV treatment for all of them.
- Amazon Root CA 1 (RSA key with a 2048 bit long modulus)
- Amazon Root CA 2 (RSA key with a 4096 bit long modulus)
- Amazon Root CA 3 (EC key on the NIST P-256 curve)
- Amazon Root CA 4 (EC key on the NIST P-384 curve) 

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "Amazon Root Inclusion Request".

Please actively review, respond, and contribute to the discussion.

A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.
