Add LOVE DEVELOPMENTS LIMITED Root CA root certificate(s)

RESOLVED WONTFIX

Status

--
enhancement
RESOLVED WONTFIX
3 years ago
2 years ago

People

(Reporter: jacobh, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Information incomplete)

Attachments

(2 attachments)

2.22 KB, application/x-x509-ca-cert
Details
2.22 KB, application/x-x509-ca-cert
Details
(Reporter)

Description

3 years ago
Created attachment 8629725 [details]
root.pem

CA Details
----------

CA Name: LOVE DEVELOPMENTS LIMITED Root CA
Website: http://www.lovedevelopments.com
One Paragraph Summary of CA:
Commercial Organization that sells online data services. We serve all geographies and wish to issue our own certs under the CA we establish. This requires us to request inclusion into your database to be accepted.

No Audit Preformed as we are only signing our own certificates.

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name:
Summary Paragraph, including the following:
We issue certificates only to our own sites and servers and only though an intermediary. Our root is stored on a portable drive that is inside a safe in an undisclosed location not related directly to the company. We only issue general certificates, not EV. We are applying here to allow our company certs to be recognized by Mozilla Clients like Firefox and Thunderbird. This would prevent our clients from not trusting our sites or getting warnings when they go to our sites that are signed by our own Root CA. (Much in the same way that Google does so when it signs it's own Certs).
 - Number and type of subordinate CAs: 1 Root CA, 1 Intermediate CA. Both stored separate, encrypted, and locked in safes.
 - Root CA -> Intermediate -> Client Cert

Certificate download URL (on CA website): N/A
Version: 3
SHA1 Fingerprint: 5D:27:AF:B8:D7:D2:91:88:DD:AE:B1:7C:C8:7D:2E:D2:DE:FD:4D:97
Public key length (for RSA, modulus length) in bits: 4096 bits
Valid From (YYYY-MM-DD): 2015-07-05
Valid To (YYYY-MM-DD): 2035-06-30

CRL HTTP URL: N/A
CRL issuing frequency for subordinate end-entity certificates: N/A
CRL issuing frequency for subordinate CA certificates: N/A
OCSP URL: N/A

Class: domain-validated, identity/organizationally-validated
Certificate Policy URL: N/A
CPS URL: N/A
Requested Trust Indicators (email and/or SSL and/or code signing): SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): N/A (none signed until approved for inclusion)
(Reporter)

Comment 1

3 years ago
* Certificate Name: LOVE DEVELOPMENTS LIMITED Root CA

Comment 2

3 years ago
(In reply to Jacob Halstead from comment #0)
> 
> No Audit Preformed as we are only signing our own certificates.
> 

Does this mean you will NOT be signing customer or subscriber certificates?  In other words, will the be for a self-signed user certificate that is your own?
(Reporter)

Comment 3

3 years ago
Correct. We will NOT be signing for anyone other than our own company.

Attached is an example cert that we signed for ourself.
(Reporter)

Comment 4

3 years ago
Created attachment 8632504 [details]
Example Certificate

Attached is an example cert that we signed for ourself.
(Assignee)

Comment 5

3 years ago
Please see 
https://wiki.mozilla.org/CA:FAQ#How_do_I_get_my_website.27s_certificate_to_be_trusted_by_Firefox.3F
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 6

3 years ago
(In reply to Kathleen Wilson from comment #5)
> Please see 
> https://wiki.mozilla.org/CA:FAQ#How_do_I_get_my_website.
> 27s_certificate_to_be_trusted_by_Firefox.3F

We do not wish to go through another CA. We control not only a few domains but hundreds.
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---

Comment 7

3 years ago
(In reply to Jacob Halstead from comment #6)
> We do not wish to go through another CA. We control not only a few domains
> but hundreds.

If you control all the domains that use your root certificate, then you apparently might not meet the criteria for inclusion in Mozilla's NSS database.  The Mozilla policy "Mozilla CA Certificate Inclusion Policy" at <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/> states:  "We will determine which CA certificates are included in software products distributed by Mozilla, based on the benefits and risks of such inclusion to typical users of those products."  With ALL affected domains under your control, your root certificate does not seem to create a benefit for typical Mozilla users, only for users of your services.
(Assignee)

Comment 8

3 years ago
(In reply to David E. Ross from comment #7)
> If you control all the domains that use your root certificate, then you
> apparently might not meet the criteria for inclusion in Mozilla's NSS
> database.  The Mozilla policy "Mozilla CA Certificate Inclusion Policy" at
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/
> certs/policy/inclusion/> states:  "We will determine which CA certificates
> are included in software products distributed by Mozilla, based on the
> benefits and risks of such inclusion to typical users of those products." 
> With ALL affected domains under your control, your root certificate does not
> seem to create a benefit for typical Mozilla users, only for users of your
> services.


That is correct.

Jacob, if you believe otherwise, please explain why inclusion of your root certificates would benefit typical Mozilla users, and not just the users of your services.

And provide the information listed here:
https://wiki.mozilla.org/CA:Information_checklist

Mozilla's CA certificate inclusion process is described here, so you can get a sense of the time it will take:
https://wiki.mozilla.org/CA

Also, please see the "IMPORTANT Items to Note" list in https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: Information incomplete
(Assignee)

Comment 9

2 years ago
Closing this bug due to inactivity. Please create a new bug if you decide to proceed with your root inclusion request.
https://wiki.mozilla.org/CA:How_to_apply
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago2 years ago
Resolution: --- → WONTFIX

Updated

2 years ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.