All users were logged out of Bugzilla on October 13th, 2018

Enable Email and Code Signing trust bits for AffirmTrust roots

RESOLVED WONTFIX

Status

--
enhancement
RESOLVED WONTFIX
3 years ago
2 years ago

People

(Reporter: kirk_hall, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Information incomplete)

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8650019 [details]
Trend Micro Sample Client Cert.cer

AffirmTrust filed Bug 543639 requesting the inclusion of the following four roots in the Mozilla root store in February 2010.

AffirmTrust Commercial
AffirmTrust Networking
AffirmTrust Premium
AffirmTrust Premium ECC

https://bugzilla.mozilla.org/show_bug.cgi?id=543639

The four roots were approved in February 2011.  Because AffirmTrust planned to start with SSL server certs and was not then planning to issue Email (S/MIME or Client) certs or code signing certs at that time, the Email and Code Signing trust bits were not turned on.  

Trend Micro has successfully issued SSL certs since 2011, and has passed the WebTrust, Extended Validation WebTrust, and Baseline Requirements WebTrust audits multiple times since 2010.

AffirmTrust was acquired by Trend Micro in August 2011, and the same principals from AffirmTrust are now running Trend Micro’s trust service operations using the AffirmTrust roots.

Trend Micro would like to begin offering email and code signing certs from its roots, so now is applying for Mozilla to turn on the Email and Code Signing trust bits for the four AffirmTrust roots.

In support of this application, we offer the following attachments.

Trend Micro Certification Practices Statement, Version 2.1 (effective August 12, 2015).  See especially Sections 3.2.2.3 (Code Signing) and 3.2.2.4 (Email or Client Certs).  The CPS can be viewed here:
http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/trend-micro-cps-v2_1-effective-12-august-2015.pdf 

Test Email Cert (uploaded)

Successful WebTrust for CAs Audit covering the most recent audit period April 1, 2014 – March 31, 2015
http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/trend_micro_2014-15_webtrust_report.pdf 

Successful Extended Validation (EV) WebTrust Audit covering the most recent audit period April 1, 2014 – March 31, 2015
http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/trend_micro_2014-15_ev_webtrust_report.pdf 

Successful Baseline Requirements (BR) WebTrust Audit covering the most recent audit period April 1, 2014 – March 31, 2015
http://www.trendmicro.com/cloud-content/us/pdfs/business/reports/trend_micro_2014-15_br_webtrust_report.pdf 

You can validate the three WebTrust audits via the three secure WebTrust seals by clicking on the seals here:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/ssl-certificates/#resources 

We will be happy to provide additional information as needed.

Kirk Hall
Operations Director, Trust Services
Trend Micro, Inc.
(Assignee)

Comment 1

3 years ago
I will try to start the Information Verification phase soon.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Updated

3 years ago
Whiteboard: Information incomplete
(Assignee)

Comment 2

3 years ago
Created attachment 8652472 [details]
1196376-CAInformation.pdf

I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.
(Assignee)

Comment 3

3 years ago
Update regarding the EV testing (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version) of the Premium ECC cert, I received this from the developer who maintains the EV Test:
"Regarding the error that is being returned: "As far as I can tell, premiumecc.affirmtrust.com:4433 is resetting any connections made from cert-checker.allizom.org (running locally, it works for me, although it looks like the intermediate is missing its OCSP URL). So, I think the problem is on their end."
(Reporter)

Comment 4

3 years ago
(In reply to Kathleen Wilson from comment #3)
> Update regarding the EV testing
> (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version) of the Premium ECC
> cert, I received this from the developer who maintains the EV Test:
> "Regarding the error that is being returned: "As far as I can tell,
> premiumecc.affirmtrust.com:4433 is resetting any connections made from
> cert-checker.allizom.org (running locally, it works for me, although it
> looks like the intermediate is missing its OCSP URL). So, I think the
> problem is on their end."

Hi - we updated our intermediate issuing CAs for the two roots in question, AffirmTrust Premium and AffirmTrust Premium ECC so the links should work correctly and display EV green in Firefox now.  Can you please continue processing this bug to turn on the trust bits?  Thanks.

Here are the test cert URLs for the two roots with problems above:

AffirmTrust Premium Root - https://premium.affirmtrust.com:4432/ 
AffirmTrust Premium ECC Root - https://premiumecc.affirmtrust.com:4433/
(Assignee)

Comment 5

3 years ago
(In reply to Kirk Hall from comment #4)
> Can you please continue
> processing this bug to turn on the trust bits? 

Please see the attachment in Comment #2 to see the information that is still needed, and comment in this bug to provide the requested information.

Comment 6

3 years ago
Kathleen, our group has decided we are not going forward with Email certs at this time, so I'd like to terminate the bug I filed.  Thanks for all your help.  Kirk Hall
(Assignee)

Comment 7

3 years ago
(In reply to Kirk Hall from comment #6)
> Kathleen, our group has decided we are not going forward with Email certs at
> this time, so I'd like to terminate the bug I filed.  Thanks for all your
> help.  Kirk Hall

Closing as WONTFIX.

Thanks
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX

Updated

2 years ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.