Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Add Amazon root certificates

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED FIXED
2 years ago
3 months ago

People

(Reporter: Peter Bowen, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: In NSS 3.28.1, Firefox 51. EV-enabled in Firefox 54.)

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

2 years ago
CA Details
----------

CA Name: Amazon
Websites: https://aws.amazon.com/ and http://www.awstrust.com/repository/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Web Services.  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require customers that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-07

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will have separate subordinate CAs to issue the following types of certificates:
- Extended Validation Server Authentication
- Code Signing
- Other types of certificates as covered by our CP and CPS (including Server Authentication and Email Protection)

We will not issue EV certificates from subordinates used to issue non-EV certificates and we will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.awstrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days 
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
Certificate Policy URL: http://www.awstrust.com/repository/cp-1.0.1.pdf
CPS URL: http://www.awstrust.com/repository/cps-1.0.1.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
(Assignee)

Comment 1

2 years ago
I will start the information verification phase for this request soon.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment 2

2 years ago
I'm sorry if the information shows up in the CPSes, but:

What's the maximum length of time that an OCSP response is valid, for each of the roots?  Do they constrain the maximum OCSP response validity time for subordinates?

Will any of them be used to issue intermediate certificates for external organizations to operate certifiers?

Comment 3

2 years ago
Why wouldn't you present your Certification download URL on an https: endpoint?
Flags: needinfo?(pzb)

Comment 4

2 years ago
What is the OID that is going to be used for EV certificates?

Comment 5

2 years ago
There could be other interests behind this. Several intelligence agencies/companies are involved with Amazon: 
http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/
http://www.speicherguide.de/news/amazon-tuetelt-mega-cloud-deal-mit-cia,-nsa,-fbi-co-ein-20203.aspx

How good was/is that audit?

Comment 6

2 years ago
(In reply to Marc Brooks from comment #3)
> Why wouldn't you present your Certification download URL on an https:
> endpoint?

This whole domain (www.awstrust.com) does not support HTTPS. :(

Comment 7

2 years ago
The repository is now (Cert issued yesterday 6/15) available over https. 

https://www.awstrust.com/repository


openssl x509 -inform der -subject -fingerprint -noout -startdate -enddate  -in AmazonRootCA1.cer
subject= /C=US/O=Amazon/CN=Amazon Root CA 1
SHA1 Fingerprint=8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
notBefore=May 26 00:00:00 2015 GMT
notAfter=Jan 17 00:00:00 2038 GMT

One minor error: the valid-to date for CA 1 is 17 not 7 January, this is not material.
(Assignee)

Updated

2 years ago
Whiteboard: EV - Information Incomplete
(Assignee)

Comment 8

2 years ago
Created attachment 8624480 [details]
1172401-CAInformation.pdf

I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.
(Reporter)

Comment 9

2 years ago
Apologies for the delay.  Here is our updated application which should answer all the open questions from the information gathering document.

CA Details
----------

CA Name: Amazon
Websites: https://www.amazontrust.com/
One Paragraph Summary of CA:
The Amazon PKI is run by Amazon Trust Services ("Amazon").  Amazon is a commercial CA that will provide certificates to customers from around the world.  We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing.  We will offer both standard and extended validation server authentication certificates.  Customers of the Amazon PKI are the general public.  We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

This application includes four new root CAs.  It also includes one additional root CA already in the Mozilla program which we wish to have enabled for EV certificate issuance.

Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
Auditor: EY
Auditor Website: http://www.ey.com/
Audit Document URL(s):
https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf

We have reviewed the "Potentially problematic CA practices" (https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices). We fully comply with the Mozilla CA program requirements, including complying with the CA/Browser Forum Guidelines.  These requirements forbid many of the problematic practices.

Amazon allows externally operated subordinate CAs as documented in section 4.2.2 of the ATS CPS.   Third parties cannot directly cause the issuance of certificates from Amazon operated CAs.

CPS section 3.2.2.2 documents our validation procedures for verifying any email addresses to be included certificates we issue.

Certificate #1 Details
----------------------
Certificate Name: Amazon Root CA 1
The Amazon Root CA 1 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/AmazonRootCA1.cer
Version: X.509 v3
SHA1 Fingerprint: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2015-05-26
Valid To : 2038-01-17

CRL HTTP URL: http://crl.rootca1.amazontrust.com/rootca1.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca1.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca1a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #2 Details
----------------------
Certificate Name: Amazon Root CA 2
The Amazon Root CA 2 is a Root CA with a RSA key with a 4096 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA2.cer
Version: X.509 v3
SHA1 Fingerprint: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
Public key length (for RSA, modulus length) in bits: 4096
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca2.amazontrust.com/rootca2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca2a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #3 Details
----------------------
Certificate Name: Amazon Root CA 3
The Amazon Root CA 3 is a Root CA with an EC key on the NIST P-256 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA3.cer
Version: X.509 v3
SHA1 Fingerprint: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
Public key length (for RSA, modulus length) in bits: 256
Valid From: 2015-05-26
Valid To: 2040-05-26

CRL HTTP URL: http://crl.rootca3.amazontrust.com/rootca3.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca3.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca3a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #4 Details
----------------------
Certificate Name: Amazon Root CA 4
The Amazon Root CA 4 is a Root CA with an EC key on the NIST P-384 curve.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: http://www.amazontrust.com/repository/AmazonRootCA4.cer
Version: X.509 v3
SHA1 Fingerprint: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
Public key length (for RSA, modulus length) in bits: 384
Valid From : 2015-05-26
Valid To : 2040-05-26

CRL HTTP URL: http://crl.rootca4.amazontrust.com/rootca4.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootca4.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca4a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority - G2 issued a cross certificate with this root as the subject.

Certificate #5 Details
----------------------
Certificate Name: Starfield Services Root Certificate Authority - G2
The Starfield Services Root Certificate Authority - G2 is a Root CA with a RSA key with a 2048 bit long modulus.  It will be used to issue a variety of certificate types, as defined in our CP and CPS.

We will not issue code signing certificates from subordinates used to issue non-code signing certificates.

Certificate download URL: https://www.amazontrust.com/repository/SFSRootCAG2.cer
Version: X.509 v3
SHA1 Fingerprint: 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
Public key length (for RSA, modulus length) in bits: 2048
Valid From : 2009-09-01
Valid To : 2037-12-31

CRL HTTP URL: http://crl.rootg2.amazontrust.com/rootg2.crl
CRL issuing frequency for subordinate end-entity certificates: at least once every seven days (when CRLs are required)
CRL issuing frequency for subordinate CA certificates: at least once every twelve months 
OCSP URL: http://ocsp.rootg2.amazontrust.com/

Class (domain-validated, identity/organizationally-validated or EV): DV, IV/OV, and EV for SSL certificates 
EV policy OID(s) (if applicable): 2.23.140.1.1 
Certificate Policy URL: http://www.amazontrust.com/repository/cp.pdf
CPS URL: http://www.amazontrust.com/repository/cps.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Server Authentication (SSL), Email Protection, and Code Signing
URL of example website using certificate subordinate to this root (if applying for SSL): https://good.sca0a.amazontrust.com/

Has this root cross-signed with any other roots? Yes.  Starfield Services Root Certificate Authority and Starfield Class 2 Certification Authority have issued cross certificates with this root as the subject.
Flags: needinfo?(pzb)
(Assignee)

Comment 10

2 years ago
Please test all of the example websites given in Comment #9 with the following:

1) https://certificate.revocationcheck.com/
Make sure there are no errors.

2) https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version#EV-Readiness_Check
Comment in this bug to provide the successful output for each of the root certs to be enabled for EV treatment.
(Assignee)

Comment 11

2 years ago
I think we can continue in our process as soon as you provide the information in Comment #10, but in the meantime...

(In reply to Peter Bowen from comment #9)
> Audit Type (WebTrust, ETSI etc.): Point in Time Readiness Assessments for
> WebTrust for CA 2.0, BR 2.0, and EV 1.4.5
> Auditor: EY
> Auditor Website: http://www.ey.com/
> Audit Document URL(s):
> https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/AWS_WebTrustforEV.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforBR.pdf
> https://www.amazontrust.com/repository/SFSG2_WebTrustforEV.pdf


I have previously exchanged email with an EY partner to confirm the authenticity of these audit statements.

https://www.amazontrust.com/repository/AWS_WebTrustforCA.pdf
Currently says: "AWS has not issued any Subordinate CAs for the Amazon Root CA 1, Amazon Root CA 2, Amazon Root CA 3 and Amazon Root CA 4.  Since AWS does not currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable."

https://www.amazontrust.com/repository/SFSG2_WebTrustforCA.pdf
Currently says: AWS has not issued any Subordinate CAs or cross-signed any CAs for the Starfield Services Root Certificate Authority - G2.  Since AWS does not 
currently operate subordinate CAs the criteria relevant to Subscriber information under Principle 6: Certificate Life Cycle Management Controls (properly authenticated) was not applicable.

So, clearly, we will need updated audit statements before this request can be approved.

Comment 12

2 years ago
Here is the output of the EV tool:

// CN=Amazon Root CA 1,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x8E, 0xCD, 0xE6, 0x88, 0x4F, 0x3D, 0x87, 0xB1, 0x12, 0x5B, 0xA3, 
  0x1A, 0xC3, 0xFC, 0xB1, 0x3D, 0x70, 0x16, 0xDE, 0x7F, 0x57, 0xCC, 
  0x90, 0x4F, 0xE1, 0xCB, 0x97, 0xC6, 0xAE, 0x98, 0x19, 0x6E },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDE=",
"Bmyfz5m/jAo54vB4ikPmljZbyg==",
Success!

// CN=Amazon Root CA 2,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x1B, 0xA5, 0xB2, 0xAA, 0x8C, 0x65, 0x40, 0x1A, 0x82, 0x96, 0x01, 
  0x18, 0xF8, 0x0B, 0xEC, 0x4F, 0x62, 0x30, 0x4D, 0x83, 0xCE, 0xC4, 
  0x71, 0x3A, 0x19, 0xC3, 0x9C, 0x01, 0x1E, 0xA4, 0x6D, 0xB4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDI=",
"Bmyf0pY1hp8KD+WGePhbJruKNw==",
Success!

// CN=Amazon Root CA 3,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x18, 0xCE, 0x6C, 0xFE, 0x7B, 0xF1, 0x4E, 0x60, 0xB2, 0xE3, 0x47, 
  0xB8, 0xDF, 0xE8, 0x68, 0xCB, 0x31, 0xD0, 0x2E, 0xBB, 0x3A, 0xDA, 
  0x27, 0x15, 0x69, 0xF5, 0x03, 0x43, 0xB4, 0x6D, 0xB3, 0xA4 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDM=",
"Bmyf1XSXNmY/Owua2eiedgPySg==",
Success!

// CN=Amazon Root CA 4,O=Amazon,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0xE3, 0x5D, 0x28, 0x41, 0x9E, 0xD0, 0x20, 0x25, 0xCF, 0xA6, 0x90, 
  0x38, 0xCD, 0x62, 0x39, 0x62, 0x45, 0x8D, 0xA5, 0xC6, 0x95, 0xFB, 
  0xDE, 0xA3, 0xC2, 0x2B, 0x0B, 0xFB, 0x25, 0x89, 0x70, 0x92 },
"MDkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpv"
"biBSb290IENBIDQ=",
"Bmyf18G7EEwpQ+Vxe3ssyBrBDg==",
Success!

// CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
"2.23.140.1.1",
"Amazon",
SEC_OID_UNKNOWN,
{ 0x56, 0x8D, 0x69, 0x05, 0xA2, 0xC8, 0x87, 0x08, 0xA4, 0xB3, 0x02, 
  0x51, 0x90, 0xED, 0xCF, 0xED, 0xB1, 0x97, 0x4A, 0x60, 0x6A, 0x13, 
  0xC6, 0xE5, 0x29, 0x0F, 0xCB, 0x2A, 0xE6, 0x3E, 0xDA, 0xB5 },
"MIGYMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2Nv"
"dHRzZGFsZTElMCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE7"
"MDkGA1UEAxMyU3RhcmZpZWxkIFNlcnZpY2VzIFJvb3QgQ2VydGlmaWNhdGUgQXV0"
"aG9yaXR5IC0gRzI=",
"AA==",
Success!
(Assignee)

Comment 13

2 years ago
Created attachment 8707200 [details]
1172401-CAInformation.pdf

I entered all of the new data into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide any corrections.

Noted in the document: https://certificate.revocationcheck.com/ is still showing timeout errors for the test websites. Please fix.
Attachment #8624480 - Attachment is obsolete: true
(Reporter)

Comment 14

2 years ago
All URLs are now working on certificate.revocationcheck.com.  The problem was an IPv6 issue which is now resolved.  No errors are being reported at this time.

Please update the CA Email Alias 1 to amazontrust [at] amazon.com.  This is our standard address.
ats-tsp-requests [at] amazon.com can be used to report certificate issues 24x7, but we prefer to not use it for routine contacts.

We have a set of period-of-time audits currently in progress.  As we now have subordinate CAs which issue subscriber certificates these reports are not expected to contain the statement above.  We understand that this inclusion request cannot be completed without the new reports, but we hope that the new reports will not block starting the public discussion.
(Assignee)

Comment 15

2 years ago
Created attachment 8708008 [details]
1172401-CAInformation.pdf
Attachment #8707200 - Attachment is obsolete: true
(Assignee)

Comment 16

2 years ago
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.
Whiteboard: EV - Information Incomplete → EV -Ready for Public Discussion

Comment 17

2 years ago
The description from Peter Bowen mentions this:

"We do not require customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon."

However, the product detail pages and the documentation at AWS clearly state that certificates issued by AWS Certificate Manager can be used only for Elastic Load Balancer and CloudFront:

http://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html
"Currently, ACM Certificates can be used only with Elastic Load Balancing and Amazon CloudFront."

https://docs.aws.amazon.com/acm/latest/userguide/gs-elb.html
"You do not install your ACM Certificate directly on the Amazon EC2 instances that contain your website or your application. Instead, you associate the ACM Certificate with an AWS service"

Will ACM-issued certificates at some point be usable outside AWS, as Peter's statement implies?
(Reporter)

Comment 18

a year ago
Amazon Trust Services has now received WebTrust seals and period of time audit reports.  This should resolve the item noted in comment 11.

https://cert.webtrust.org/ViewSeal?id=1998 (Trust Service Principles and Criteria for Certification Authorities Version 2.0)
https://cert.webtrust.org/ViewSeal?id=1999 (WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security - Version 2.0)
https://cert.webtrust.org/ViewSeal?id=2000 (WebTrust Principles and Criteria for Certification Authorities - Extended Validation SSL - Version 1.4.5)
(Assignee)

Comment 19

a year ago
Created attachment 8734171 [details]
1172401-CAInformation-Complete.pdf
(Reporter)

Comment 20

a year ago
One clarification point with regards to hierarchy: When we offer Extended Validation Server Authentication certificates to third parties, we will establish a specific subordinate CA for this purpose.  For issuing EV certificates for testing we used subordinate CAs that have only issued certificates for testing and have only issued to affiliates of the CA or the CA itself.  The certificates for issued testing are a mix of Extended and Standard validation.
(Assignee)

Comment 21

a year ago
I am now opening the public discussion period for this request from Amazon to enable EV treatment for the currently-included “Starfield Services Root Certificate Authority - G2 certificate, and to include the following 4 new root certificates, turn on the Email and Websites trust bits for them, and enable EV treatment for all of them. 
- Amazon Root CA 1 (RSA key with a 2048 bit long modulus)
- Amazon Root CA 2 (RSA key with a 4096 bit long modulus)
- Amazon Root CA 3 (EC key on the NIST P-256 curve)
- Amazon Root CA 4 (EC key on the NIST P-384 curve) 

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "Amazon Root Inclusion Request".

Please actively review, respond, and contribute to the discussion.

A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV -Ready for Public Discussion → EV - In Public Discussion
(Assignee)

Comment 22

11 months ago
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]. 
I am not aware of instances where Amazon Trust Services (Amazon) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
Amazon appears to provide a service relevant to Mozilla users. Customers of the Amazon PKI are the general public. Amazon does not require that customers have a domain registration with Amazon, use domain suffixes where Amazon is the registrant, or have other services from Amazon.

Root Certificate Name: Amazon Root CA 1
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: https://www.amazontrust.com/repository/AmazonRootCA1.cer

Root Certificate Name: Amazon Root CA 2
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA2.cer

Root Certificate Name: Amazon Root CA 3
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA3.cer

Root Certificate Name: Amazon Root CA 4
O From Issuer Field: Amazon
Trust Bits: Email; Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: http://www.amazontrust.com/repository/AmazonRootCA4.cer

Root Certificate Name: Starfield Services Root Certificate Authority - G2
O From Issuer Field: Starfield Technologies, Inc.
Trust Bits: Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: This root cert is already included in NSS. 

CA Document Repository: https://www.amazontrust.com/repository/
CP: http://www.awstrust.com/repository/cp.pdf
CPS: http://www.awstrust.com/repository/cps.pdf
Subscriber Agreement: https://www.amazontrust.com/repository/sa-1.1.pdf

Certificate Revocation
CRL URL(s):
http://crl.rootca1.amazontrust.com/rootca1.crl
http://crl.rootca2.amazontrust.com/rootca2.crl
http://crl.rootca3.amazontrust.com/rootca3.crl
http://crl.rootca4.amazontrust.com/rootca4.crl
http://crl.rootg2.amazontrust.com/rootg2.crl
CP section 4.9.7: CRL issuing frequency for subscriber certificates is at least once every seven days
OCSP URL(s):
http://ocsp.rootca1.amazontrust.com/
http://ocsp.sca1a.amazontrust.com
http://ocsp.rootca2.amazontrust.com/
http://ocsp.sca2a.amazontrust.com
http://ocsp.rootca3.amazontrust.com/
http://ocsp.sca3a.amazontrust.com
http://ocsp.rootca4.amazontrust.com/
http://ocsp.sca4a.amazontrust.com
http://ocsp.rootg2.amazontrust.com
http://ocsp.sca0a.amazontrust.com
CP section 4.9.10: OCSP responses from this service MUST have a maximum expiration time of ten days

Inclusion Policy Section 7 [Validation]. 
Amazon appears to meet the minimum requirements for subscriber verification, as follows:

* SSL Verification Procedures are clearly described in CPS and CP section 3.2.2, and demonstrate that Amazon confirms that the certificate subscriber owns/controls the domain names to be included in the certificate.

* EV SSL Verification Procedures are clearly described in CP section 3.2.

* Email Verification Procedures are clearly described in CPS section 3.2.2, and show that Amazon confirms that the certificate subscriber owns/controls the email address to be included in the certificate.

* Code Signing Subscriber Verification Procedure: Mozilla is no longer accepting requests to enable the Code Signing trust bit.

Inclusion Policy Sections 11-14 [Audit]
Annual audits are performed by EY, according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1998&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1999&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=2000&file=pdf

Inclusion Policy Section 18 [Certificate Hierarchy]
The Amazon Root CAs will have internally-operated subordinate CAs that will issue certs for SSL, Code Signing, Email, etc. There will be separate subCAs for EV certificate issuance. 
Externally-operated subCAs are permitted according to the CPS. CPS section 4.2.2 clarifies that externally-operated subCAs are either technically constrained or must be audited according to the WebTrust criteria.

Based on this assessment I intend to approve this request from Amazon to enable EV treatment for the currently-included “Starfield Services Root Certificate Authority - G2 certificate; and to include the following 4 new root certificates, turn on the Email and Websites trust bits for them, and enable EV treatment for all of them. 
- Amazon Root CA 1 (RSA key with a 2048 bit long modulus)
- Amazon Root CA 2 (RSA key with a 4096 bit long modulus)
- Amazon Root CA 3 (EC key on the NIST P-256 curve)
- Amazon Root CA 4 (EC key on the NIST P-384 curve)
Whiteboard: EV - In Public Discussion → EV - Pending Approval
(Assignee)

Comment 23

10 months ago
As per the summary in Comment #22, and on behalf of Mozilla I approve this request from Amazon Trust Services (Amazon) to include the following root certificates:

** "Amazon Root CA 1" (websites, email), enable EV
** "Amazon Root CA 2" (websites, email), enable EV
** "Amazon Root CA 3" (websites, email), enable EV
** "Amazon Root CA 4" (websites, email), enable EV

And to enable EV treatment for the following root certificate that is already included:

** “Starfield Services Root Certificate Authority - G2" (websites, email), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
(Assignee)

Updated

10 months ago
Depends on: 1303377
(Assignee)

Updated

10 months ago
Depends on: 1303383
(Assignee)

Comment 24

10 months ago
I have filed bug #1303377 against NSS and bug #1303383 against PSM for the actual changes.

Peter, please add a comment in this bug when the Amazon CP and CPS have been updated to address the comments noted in the discussion.
https://groups.google.com/d/msg/mozilla.dev.security.policy/zZ5RHXCkpGM/a0mEu8-sBwAJ
(Assignee)

Updated

6 months ago
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.28.1, Firefox 51 - awaiting PSM changes for EV enablement
(Assignee)

Updated

4 months ago
Status: ASSIGNED → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.28.1, Firefox 51 - awaiting PSM changes for EV enablement → In NSS 3.28.1, Firefox 51. EV-enabled in Firefox 54.

Updated

3 months ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.