Closed Bug 1277336 Opened 8 years ago Closed 6 years ago

Add SSL.com root certificate(s)

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: leo, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: [ca-approved] - In NSS 3.34, FF 58, EV in FF 60)

Attachments

(18 files, 7 obsolete files)

CA Details
----------

CA Name: SSL.com
Website: https://www.ssl.com
One Paragraph Summary of CA, including the following:
SSL.com is a US-based commercial Certificate Authority serving over 150 countries worldwide. We provide digital certificates using a secure and transparent process in compliance with local laws. Our goal is to expand adoption of encryption technologies and best practices through education, tools and expertise.

Audit Type: WebTrust
Auditor: BDO USA, LLP
Auditor Website: https://www.bdo.com
Audit Document URL(s): To be provided after the PITRA

Certificate Details
-------------------

Certificate Name: SSL.com Root Certification Authority RSA
The SSL.com Root Certification Authority RSA will be used to produce end-entity Certificates using RSA signature algorithms for SSL (non-EV) and S/MIME purposes. Please refer to the hierarchy diagram in Section 1.3 of our CP/CPS for more information ( https://www.ssl.com/repository/SSLcom-CA-Hierarchy.png ).

Certificate download URL (on CA website): https://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.cer
Version: 3
SHA1 Fingerprint: b7:ab:33:08:d1:ea:44:77:ba:14:80:12:5a:6f:bd:a9:36:49:0c:bb
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2016-02-12
Valid To (YYYY-MM-DD): 2041-02-12

CRL HTTP URL: http://crls.ssl.com/ssl.com-rsa-RootCA.crl
CRL issuing frequency for subordinate end-entity certificates: 1 day
CRL issuing frequency for subordinate CA certificates: 12 months (within 24 hours after revoking a subCA certificate)
OCSP URL: http://ocsps.ssl.com

Class (domain-validated, identity/organizationally-validated or EV): DV, OV, IV
Certificate Policy URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
CPS URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Email, SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): https://test-dv-rsa.ssl.com


Certificate Name: SSL.com Root Certification Authority ECC
The SSL.com Root Certification Authority ECC will be used to produce end-entity Certificates using ECDSA signature algorithms for SSL (non-EV) and S/MIME purposes. Please refer to the hierarchy diagram in Section 1.3 of our CP/CPS for more information ( https://www.ssl.com/repository/SSLcom-CA-Hierarchy.png ).

Certificate download URL (on CA website): https://www.ssl.com/repository/SSLcomRootCertificationAuthorityECC.cer
Version: 3
SHA1 Fingerprint: c3:19:7c:39:24:e6:54:af:1b:c4:ab:20:95:7a:e2:c3:0e:13:02:6a
Public key length (for RSA, modulus length) in bits: P-384
Valid From (YYYY-MM-DD): 2016-02-12
Valid To (YYYY-MM-DD): 2041-02-12

CRL HTTP URL: http://crls.ssl.com/ssl.com-ecc-RootCA.crl
CRL issuing frequency for subordinate end-entity certificates: 1 day
CRL issuing frequency for subordinate CA certificates: 12 months (within 24 hours after revoking a subCA certificate)
OCSP URL: http://ocsps.ssl.com

Class (domain-validated, identity/organizationally-validated or EV): DV, OV, IV
Certificate Policy URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
CPS URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): Email, SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): https://test-dv-ecc.ssl.com


Certificate Name: SSL.com EV Root Certification Authority RSA
The SSL.com EV Root Certification Authority RSA will be used to produce end-entity Certificates using RSA signature algorithms for SSL (EV) purposes. Please refer to the hierarchy diagram in Section 1.3 of our CP/CPS for more information ( https://www.ssl.com/repository/SSLcom-CA-Hierarchy.png ).

Certificate download URL (on CA website): http://www.ssl.com/repository/SSLcomEVRootCertificationAuthorityRSA.cer
Version: 3
SHA1 Fingerprint: 1c:b7:ed:e1:76:bc:df:ef:0c:86:6f:46:fb:f9:80:e9:01:e5:ce:35
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2016-02-12
Valid To (YYYY-MM-DD): 2041-02-12

CRL HTTP URL: http://crls.ssl.com/ssl.com-EVrsa-RootCA.crl
CRL issuing frequency for subordinate end-entity certificates: 1 day
CRL issuing frequency for subordinate CA certificates: 12 months (within 24 hours after revoking a subCA certificate)
OCSP URL: http://ocsps.ssl.com

Class (domain-validated, identity/organizationally-validated or EV): EV (EV OID: 2.23.140.1.1)
Certificate Policy URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
CPS URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): https://test-ev-rsa.ssl.com


Certificate Name: SSL.com EV Root Certification Authority ECC
The SSL.com EV Root Certification Authority ECC will be used to produce end-entity Certificates using ECDSA signature algorithms for SSL (EV) purposes. Please refer to the hierarchy diagram in Section 1.3 of our CP/CPS for more information ( https://www.ssl.com/repository/SSLcom-CA-Hierarchy.png ).

Certificate download URL (on CA website): http://www.ssl.com/repository/SSLcomEVRootCertificationAuthorityECC.cer
Version: 3
SHA1 Fingerprint: 4c:dd:51:a3:d1:f5:20:32:14:b0:c6:c5:32:23:03:91:c7:46:42:6d
Public key length (for RSA, modulus length) in bits: P-384
Valid From (YYYY-MM-DD): 2016-02-12
Valid To (YYYY-MM-DD): 2041-02-12

CRL HTTP URL: http://crls.ssl.com/ssl.com-EVecc-RootCA.crl
CRL issuing frequency for subordinate end-entity certificates: 1 day
CRL issuing frequency for subordinate CA certificates: 12 months (within 24 hours after revoking a subCA certificate)
OCSP URL: http://ocsps.ssl.com

Class (domain-validated, identity/organizationally-validated or EV): EV (EV OID: 2.23.140.1.1)
Certificate Policy URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
CPS URL: https://www.ssl.com/repository/SSLcom-CPS.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): https://test-ev-ecc.ssl.com
Attached file CAInformation document
Attached file SSL.com CP/CPS (prerelease) (obsolete) —
Attached file SSL.com CA Certificates (obsolete) —
Attached file SSL.com CA Certificates (obsolete) —
removed subCAs
Attachment #8758859 - Attachment is obsolete: true
Attachment #8758899 - Attachment is obsolete: true
Aaron and Francis, Please do the Information Verification.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Whiteboard: EV - Information Verification
Hello Aaron and Francis,

It's a pleasure to make your acquaintance. Please let us know if you need any additional information or assistance with anything. Chris Kemmerer and Michael Sykes, who helped with drafting the SSL.com CP/CPS are cc'd on this list and are also available to assist.

Regards,

Leo Grove
President
SSL.com

(In reply to Kathleen Wilson from comment #7)
> Aaron and Francis, Please do the Information Verification.
> https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Attachment #8758857 - Attachment is obsolete: true
Attached file SSL.com CP/CPS v1.0 (obsolete) —
Approved by PMA on 07/18/2016
Hi Leo,

Thank you for providing the SSL.com CP/CPS; we will start the information verification based on it and provide our feedback accordingly. Please stay tuned.

Thanks!
Aaron & Francis
Excellent, thank you for your time and effort on this. We also plan to upload our Webtrust audit report within the week.

Regards,

Leo
BDO opinion letter for Baseline Requirements
BDO opinion letter for EV SSL
BDO opinion letter for WTCA
Please find the EV readiness check results below ( https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version#Success ):

// CN=SSL.com EV Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
"2.23.140.1.1",
"CAB Forum EV OID",
SEC_OID_UNKNOWN,
{ 0x5A, 0xDF, 0xA2, 0x50, 0x13, 0xBE, 0xD3, 0x71, 0x08, 0x31, 0x57,
 0x2D, 0xE5, 0x1C, 0x4B, 0x9A, 0x21, 0x17, 0x1C, 0x00, 0x31, 0x32,
 0x49, 0xC4, 0xCB, 0x47, 0x19, 0xD3, 0x7F, 0xBB, 0x8D, 0x20 },
"MH8xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3Rv"
"bjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTQwMgYDVQQDDCtTU0wuY29tIEVW"
"IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNB",
"HWwR62/aOZ0=",
Success!
Hello Aaron and Francis,

We have uploaded our CPS v1.0, WebTrust audit reports, SSL.com test certs (including revoked and expired) and the EV Readiness check. Is there anything else you require to complete the Information Verification stage?

Regards,

Leo
hi Leo,

please refer to the attachment for the SSL.com information verification; it covers the 4 root certificates.

please pay attention to the "Need CA information" items. We would like to know if your certificates have been included in Microsoft's/Google's/Apple's root store. If not, please let us know why.

thank you very much
Hello, none of the SSL.com Roots have been included yet in Microsoft's/Google's/Apple's root store. 

However, all SSL.com Roots (except for the EV ECC - fingerprint: 4c:dd:51:a3:d1:f5:20:32:14:b0:c6:c5:32:23:03:91:c7:46:42:6d) are scheduled to be included in Microsoft's root store sometime this month.

We did submit all SSL.com Roots to the Apple Root CA Program in accordance with their parameters a few months ago, but we only received a confirmation that the application was submitted.

We are waiting for inclusion into Mozilla's root store before we proceed with Google's root store.

Please let me know if there is anything else I can provide you with, thank you.
hi Leo,

thank you for your clarification.
By the way, referring to the attached pdf (https://bugzilla.mozilla.org/attachment.cgi?id=8790630), please provide the following item for all root certificates:

Link to Publicly Disclosed and Audited subordinate CA Certificates
NEED URL to publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, as per Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.

thank you very much
Francis,

The subordinate CA Certificate links are listed below:

http://www.ssl.com/repository/SSLcomRSASSLsubCA.cer
http://www.ssl.com/repository/SSLcomECCSSLsubCA.cer
http://www.ssl.com/repository/SSLcomRSAEVSSLsubCA.cer
http://www.ssl.com/repository/SSLcomECCEVSSLsubCA.cer

Please let me know if there is anything else I can provide.
This request will be added to the queue for public discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Note that, because the 'Test Website lint test' and 'EV test' tools are under maintenance, both will need to be re-tested once the test tools are available.

I will update this bug when I start the discussion.

thank you very much
Whiteboard: EV - Information Verification → ready for public discussion
> However, all SSL.com Roots (except for the EV ECC - fingerprint: 4c:dd:51:a3:d1:f5:20:32:14:b0:c6:c5:32:23:03:91:c7:46:42:6d) are scheduled to be included in Microsoft's root store sometime this month.

This is still not the case, it seems.
Do you have any updates from Microsoft?
Have they announced the inclusion somewhere?
(In reply to firace from comment #23)
> > However, all SSL.com Roots (except for the EV ECC - fingerprint: 4c:dd:51:a3:d1:f5:20:32:14:b0:c6:c5:32:23:03:91:c7:46:42:6d) are scheduled to be included in Microsoft's root store sometime this month.
> 
> This is still not the case, it seems.
> Do you have any updates from Microsoft?
> Have they announced the inclusion somewhere?

Hello,

You can find all 4 SSL.com Roots (including the EV ECC) here: 

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

They notified us via email, but I'm not sure of any public announcement. Given current events, updating the Microsoft CA list web page may not happen immediately, but the .cab file link I posted should be sufficient.
That's good, but it looks like the updated list is not active yet.
For instance, even after forcing a CTL sync on my Windows machine, I still can't open 
https://test-ev-rsa.ssl.com/ without
... (sorry, misclick) a CERT_AUTHORITY_INVALID error.
(In reply to Francis Lee [:frlee] from comment #22)
> This request will be added to the queue for public discussion soon.
> https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
> 
> Note that: due to 'Test Website lint test' and 'EV test' tool are under
> maintenance, both will need to be re-tested once test tools are available.
> 
> I will update this bug when I start the discussion.
> 
> thank you very much

Hello Francis,

I pulled the latest source from https://github.com/awslabs/certlint and ran the following tests:

sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-dv-rsa.ssl.com.der"
I: TLS Server certificate identified	test-dv-rsa.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-ov-rsa.ssl.com.der"
I: TLS Server certificate identified	test-ov-rsa.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-ev-rsa.ssl.com.der"
I: EV certificate identified	test-ev-rsa.ssl.com.der
I: TLS Server certificate identified	test-ev-rsa.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-dv-ecc.ssl.com.der"
I: TLS Server certificate identified	test-dv-ecc.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-ov-ecc.ssl.com.der"
I: TLS Server certificate identified	test-ov-ecc.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/cablint "test-ev-ecc.ssl.com.der"
I: EV certificate identified	test-ev-ecc.ssl.com.der
I: TLS Server certificate identified	test-ev-ecc.ssl.com.der
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-dv-rsa.ssl.com.der"
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-ov-rsa.ssl.com.der"
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-ev-rsa.ssl.com.der"
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-dv-ecc.ssl.com.der"
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-ov-ecc.ssl.com.der"
sysadmin@Picasso2:~/Development/Ruby/certlint$ ruby -I lib:ext bin/certlint "test-ev-ecc.ssl.com.der"

Comment 16 above has the result of the EV readiness check as well.

Regards,

Leo
Assignee: kwilson → frlee
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: frlee → awu
Whiteboard: ready for public discussion → [ca-ready-for-discussion-new 2016-10-02]
Leo,
Please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ
In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
Whiteboard: [ca-ready-for-discussion-new 2016-10-02] → [ca-ready-for-discussion-new 2016-10-02] - Need BR Self Assessment
(In reply to Kathleen Wilson from comment #29)
> Leo,
> Please perform the BR Self Assessment, and attach the resulting
> BR-self-assessment document to this bug.
> 
> Note:
> Current version of the BRs:
> https://cabforum.org/baseline-requirements-documents/
> Until a version of the BRs is published that describes all of the allowed
> methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain
> validation):
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf
> 
> = Background = 
> 
> We are adding a BR-self-assessment step to Mozilla's root inclusion/change
> process.
> 
> Description of this new step is here:
> https://wiki.mozilla.org/CA:BRs-Self-Assessment
> 
> It includes a link to a template for CA's BR Self Assessment, which is a
> Google Doc:
> https://docs.google.com/spreadsheets/d/
> 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> 
> Phase-in plan is here:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/
> Fi9y6vOACQAJ
> In particular, note:
> + For the CAs currently in the queue for discussion, I would ask them to
> perform this BR Self Assessment before I would start their discussion.

Thanks Kathleen, our Policy and Compliance Team are on this and we should have something to present soon.
Product: mozilla.org → NSS
Attached file BRSA_20170508_Introduction.docx (obsolete) —
SSL.com BR Self Assessment Introduction
Attached file BRSA_20170508.xlsx (obsolete) —
SSL.com BR Self Assessment
(In reply to Kathleen Wilson from comment #29)
> Leo,
> Please perform the BR Self Assessment, and attach the resulting
> BR-self-assessment document to this bug.
> 
> Note:
> Current version of the BRs:
> https://cabforum.org/baseline-requirements-documents/
> Until a version of the BRs is published that describes all of the allowed
> methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain
> validation):
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf
> 
> = Background = 
> 
> We are adding a BR-self-assessment step to Mozilla's root inclusion/change
> process.
> 
> Description of this new step is here:
> https://wiki.mozilla.org/CA:BRs-Self-Assessment
> 
> It includes a link to a template for CA's BR Self Assessment, which is a
> Google Doc:
> https://docs.google.com/spreadsheets/d/
> 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> 
> Phase-in plan is here:
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/
> Fi9y6vOACQAJ
> In particular, note:
> + For the CAs currently in the queue for discussion, I would ask them to
> perform this BR Self Assessment before I would start their discussion.

I have uploaded the requested SSL.com BR Self Assessment. Please find them at the following links:

https://bugzilla.mozilla.org/show_bug.cgi?id=1277336#c31
https://bugzilla.mozilla.org/show_bug.cgi?id=1277336#c32
Whiteboard: [ca-ready-for-discussion-new 2016-10-02] - Need BR Self Assessment → [ca-ready-for-discussion-new 2016-10-02] - BR Self Assessment Received
The attached SSL.com Root CA EV RSA R2 certificate is a replacement for the SSL.com Root CA EV RSA certificate submitted in attachment 8758901 [details]. Going forward, the SSL.com Root CA EV RSA R2 certificate is the certificate we are requesting for inclusion. The other Root certificates from attachment 8758901 [details] are not affected by this.
Please find below the test sites for the SSL.com EV Root Certification Authority RSA R2 and the SSL.com EV SSL Intermediate CA RSA R2 certificates:

https://test-ev-rsa.ssl.com
https://expired-ev-rsa.ssl.com
https://revoked-ev-rsa.ssl.com
Hi Leo,

Thanks for providing the BR Self Assessment and test websites!

I've verified the test websites you provided in Comment #35 and updated them in Salesforce. I will keep reviewing your BR Self Assessment, and we can move this case forward to the discussion forum once it is verified. Please stay tuned.

Thanks,
Aaron
Attached file SSLcom_CP_CPS_Version_1_2.pdf (obsolete) —
SSL.com CP/CPS v1.2

Approved by PMA on 06/16/2017
Attachment #8772169 - Attachment is obsolete: true
Hi Leo,

Thanks for providing your updated CP/CPS v1.2, issued in June 2017. I've updated Salesforce with the following URL:
https://www.ssl.com/app/uploads/2017/06/SSLcom_CP_CPS_Version_1_2.pdf

In the current BR Self Assessment document, some sections still indicate that an item will be implemented in CP/CPS v1.2. Now that v1.2 has been released and can be referred to, could you update your BR Self Assessment as well?

Thank you so much!

Kind regards,
Aaron
(In reply to Aaron Wu from comment #38)
> Hi Leo,
> 
> Thanks to provide your updated CP/CPS v1.2 which issued by 2017 June, I've
> updated into Salesforce as the following URL
> https://www.ssl.com/app/uploads/2017/06/SSLcom_CP_CPS_Version_1_2.pdf
> 
> In current BR Self Assessment document, some sessions still indicate that it
> will be implemented in CP/CPS v1.2. Now it is already released to be
> referred to, could you update your BR Self Assessment as well?
> 
> Thank you so much!
> 
> Kind regards,
> Aaron

We will have that uploaded this week Aaron, thanks.

Regards,

Leo
Updated from 1.2 June 21 2017.
Typo correction to v. 1.2.1 (NOT 1.21 :| )
Attached file BRSA_Intro_1_2_1.docx
Baseline Requirements Self Assessment Introduction for SSL.com CP/CPS 1.2.1
Attachment #8867879 - Attachment is obsolete: true
Attached file BRSA_1_2_1.xlsx
Baseline Requirements Self Assessment for SSL.com CP/CPS 1.2.1
Attachment #8867882 - Attachment is obsolete: true
Attachment #8878657 - Attachment is obsolete: true
(In reply to Leo Grove from comment #39)
> (In reply to Aaron Wu from comment #38)
> > Hi Leo,
> > 
> > Thanks to provide your updated CP/CPS v1.2 which issued by 2017 June, I've
> > updated into Salesforce as the following URL
> > https://www.ssl.com/app/uploads/2017/06/SSLcom_CP_CPS_Version_1_2.pdf
> > 
> > In current BR Self Assessment document, some sessions still indicate that it
> > will be implemented in CP/CPS v1.2. Now it is already released to be
> > referred to, could you update your BR Self Assessment as well?
> > 
> > Thank you so much!
> > 
> > Kind regards,
> > Aaron
> 
> We will have that uploaded this week Aaron, thanks.
> 
> Regards,
> 
> Leo

Hello Aaron,

I have uploaded the updated BR self assessment documents for the SSL.com CP/CPS v1.2.1. I'm trying to obsolete https://bugzilla.mozilla.org/attachment.cgi?id=8880840 (SSLcom_CP_CPS_Version_1_21.pdf) but I'm unable to find the mechanism to do so. How can I obsolete that attachment? Thanks.
Hi Leo,

Thanks for the updated CP/CPS v1.2.1 and BR Self Assessment; we are now working on them.

Don't worry about the attachment you would like to obsolete; we know which one to refer to.

Thanks,
Aaron
Thanks Aaron,

We will have our completed period-in-time audit as performed by BDO uploaded in the coming weeks. Please let me know if there is anything else we can provide from our end.
Whiteboard: [ca-ready-for-discussion-new 2016-10-02] - BR Self Assessment Received → [ca-ready-for-discussion-new 2016-10-02] - BR Self Assessment Completed
Thanks Leo!

We are waiting for your audit report accordingly.

Regards,
Aaron

(In reply to Aaron Wu from comment #47)
> Thanks Leo!
> 
> We are waiting for your audit report accordingly.
> 
> Regards,
> Aaron

Hello Aaron,

I have attached the most recent audit reports for the WTEV SSL, WTBR, and WTCA. Please let me know if you have any questions or need anything else from our end.

Regards,

Leo
(In reply to Leo Grove from comment #51)
> 
> (In reply to Aaron Wu from comment #47)
> > Thanks Leo!
> > 
> > We are waiting for your audit report accordingly.
> > 
> > Regards,
> > Aaron
> 
> Hello Aaron,
> 
> I have attached the most recent audit reports for the WTEV SSL, WTBR, and
> WTCA. Please let me know if have any questions or need anything else from
> our end.
> 
> Regards,
> 
> Leo

Hello Aaron,

These are the 2017 audit reports as posted directly on SSL.com

https://www.ssl.com/app/uploads/2017/07/SSL-COM-WTCA-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf
https://www.ssl.com/app/uploads/2017/07/SSL-COM-WTBR-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf
https://www.ssl.com/app/uploads/2017/07/SSL-COM-WT-SSL-EV-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf
https://www.ssl.com/app/uploads/2017/07/SSL-COM-WT-CS-EV-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf

Regards,

Leo
Thanks Leo, the audit reports have been verified. We will start the public discussion soon, please stay tuned.

Thanks,
Aaron
CA Information Verification Final
CA Information Verification Updated
CA Information Verification Updated
I am now opening the public discussion period for this request from SSL.com to include the “SSL.com Root Certification Authority RSA”, “SSL.com Root Certification Authority ECC”, “SSL.com EV Root Certification Authority RSA R2”, and “SSL.com EV Root Certification Authority ECC” root certificates, turn on the Email and Websites trust bits for the two non-EV roots, turn on the Websites trust bit for the two EV roots, and enable EV treatment for the two EV roots.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called "SSL.com root inclusion request".

Please actively review, respond, and contribute to the discussion.

A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.

Thanks,
Aaron
Whiteboard: [ca-ready-for-discussion-new 2016-10-02] - BR Self Assessment Completed → [ca-in-discussion] - EV - BR Self Assessment Completed
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s Root Store Policy at

http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

I am not aware of instances where SSL.com has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

CA Owner: SSL.com
Geographic Focus: USA, Global
Primary Market / Customer Base: SSL.com provides digital certificates in over 150 countries worldwide, with the goal of expanding adoption of encryption technologies and best practices through education, tools and expertise.

Documents: 
https://www.ssl.com/repository/
https://www.ssl.com/relying-party-agreement/
https://www.ssl.com/terms-of-use/
https://www.ssl.com/app/uploads/2017/06/SSLcom_CP_CPS_Version_1_2_1.pdf
	
BR Self Assessment: https://bugzilla.mozilla.org/attachment.cgi?id=8881939

= Root Certificate 1 of 4 = 

Subject: CN=SSL.com Root Certification Authority RSA, OU=null, O=SSL Corporation, C=US
Trust Bits: Email; Websites
EV Policy OID(s): Not EV
Root Certificate Download URL: https://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.cer

Test Website - Valid: https://test-ov-rsa.ssl.com
Test Website - Expired: https://expired-rsa-dv.ssl.com
Test Website - Revoked: https://revoked-rsa-dv.ssl.com

CRL URL(s): http://crls.ssl.com/ssl.com-rsa-RootCA.crl
http://crls.ssl.com/SSLcomRSASSLsubCA.crl
OCSP URL(s): http://ocsps.ssl.com

= Root Certificate 2 of 4 =
	 
Subject: CN=SSL.com Root Certification Authority ECC, OU=null, O=SSL Corporation, C=US
Trust Bits: Email; Websites
EV Policy OID(s): Not EV
Root Certificate Download URL: https://www.ssl.com/repository/SSLcomRootCertificationAuthorityECC.cer

Test Website - Valid: https://test-ov-ecc.ssl.com
Test Website - Expired: https://expired-ecc-dv.ssl.com
Test Website - Revoked: https://revoked-ecc-dv.ssl.com

CRL URL(s): http://crls.ssl.com/ssl.com-ecc-RootCA.crl
OCSP URL(s): http://ocsps.ssl.com

= Root Certificate 3 of 4 =
	 
Subject: CN=SSL.com EV Root Certification Authority RSA R2, OU=null, O=SSL Corporation, C=US
Trust Bits: Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: https://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.pem

Test Website - Valid: https://test-ev-rsa.ssl.com
Test Website - Expired: https://expired-ev-rsa.ssl.com
Test Website - Revoked: https://revoked-ev-rsa.ssl.com

CRL URL(s): http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl
OCSP URL(s): http://ocsps.ssl.com

= Root Certificate 4 of 4 =
	 
Subject: CN=SSL.com EV Root Certification Authority ECC, OU=null, O=SSL Corporation, C=US
Trust Bits: Websites
EV Policy OID(s): 2.23.140.1.1
Root Certificate Download URL: www.ssl.com/repository/SSLcomEVRootCertificationAuthorityECC.cer

Test Website - Valid: https://test-ev-ecc.ssl.com/
Test Website - Expired: https://expired-ecc-ev.ssl.com
Test Website - Revoked: https://revoked-ecc-ev.ssl.com

CRL URL(s): http://crls.ssl.com/ssl.com-EVecc-RootCA.crl
OCSP URL(s): http://ocsps.ssl.com

==

CA Hierarchy: All 4 of these root certs have internally-operated intermediate CAs.
Externally Operated SubCAs: There are currently no externally operated subCAs issued from these root certs. If SSL.com decides to issue externally operated CAs, they commit to complying with Mozilla's Root CA Program and to having those subCAs be either technically constrained or publicly disclosed and audited.


SSL.com appears to meet the minimum requirements for subscriber verification, as follows:

SSL Verification Procedures: As detailed in section 3.2.2.4 of the CP/CPS, verification of the applicant’s ownership/control of each domain to be included in the certificate is done using one or more of the 10 methods documented in section 3.2.2.4 of version 1.4.1 of the CA/Browser Forum Baseline Requirements. The CA's CP/CPS clearly specifies the procedure(s) that the CA employs.

EV SSL Verification Procedures: Section 3.2.2 of the CP/CPS describes the procedures for verifying the organization’s identity, as per the EV verification procedures described in the EV Guidelines.

Email Verification Procedures: Section 3.2.2.9 of the CP/CPS states that SSL.com or an RA may verify an Applicant's control of any email address listed in a certificate via a challenge and response or other approved method. Any challenge email sent by SSL.com to the Applicant must include a Random Value.


Annual audits are performed by BDO, according to the WebTrust criteria.
Standard Audit: https://www.ssl.com/app/uploads/2017/07/SSL-COM-WTCA-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf
BR Audit: https://www.ssl.com/app/uploads/2017/07/SSL-COM-WTBR-Indp-Accountant-Report-and-Mgmt-Assertion-FINAL-2017.pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=2286&file=pdf

Based on this assessment, I intend to approve this request to include the following root certificates:

** 'SSL.com Root Certification Authority RSA' (Websites;Email)
** 'SSL.com Root Certification Authority ECC' (Websites;Email)
** 'SSL.com EV Root Certification Authority RSA R2' (Websites) , enable EV
** 'SSL.com EV Root Certification Authority ECC' (Websites) , enable EV
Whiteboard: [ca-in-discussion] - EV - BR Self Assessment Completed → [ca-pending-approval] -- EV
As per the summary in Comment #58, and on behalf of Mozilla I approve this request from SSL.com to include the following root certificates:

** 'SSL.com Root Certification Authority RSA' (Websites;Email)
** 'SSL.com Root Certification Authority ECC' (Websites;Email)
** 'SSL.com EV Root Certification Authority RSA R2' (Websites) , enable EV
** 'SSL.com EV Root Certification Authority ECC' (Websites) , enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: [ca-pending-approval] -- EV → [ca-approved] - Pending NSS and PSM Changes
Depends on: 1410954
Depends on: 1410956
I have filed bug #1410954 against NSS and bug #1410956 against PSM for the actual changes.
Hello Kathleen,

All information on this bug is confirmed accurate.

Regards,

Leo Grove
Whiteboard: [ca-approved] - Pending NSS and PSM Changes → [ca-approved] - In NSS 3.34, FF 58, pending PSM Changes for EV
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [ca-approved] - In NSS 3.34, FF 58, pending PSM Changes for EV → [ca-approved] - In NSS 3.34, FF 58, EV in FF 60

Kathleen, Wayne,
I'm curious how these roots got approved when the subject DN of the Roots is not compliant with the BRs as of that date (ballot 199). They contain more than the 3 fields explicitly permitted in Roots as of this date. Will Cross Certificates to these roots be permitted?

Flags: needinfo?(wthayer)

(In reply to douglas.beattie from comment #63)
> Kathleen, Wayne,
> I'm curious how these roots got approved when the subject DN of the Roots is not compliant with the BRs as of that date (ballot 199). They contain more than the 3 fields explicitly permitted in Roots as of this date. Will Cross Certificates to these roots be permitted?

Doug: setting aside the question of the interpretation of ballot 199 that is being discussed by the CAB Forum, it appears that this issue was not detected during the inclusion process. Failing to detect an issue does not create an exception for the issue and any other issues that result from it. It is still the CA's responsibility to comply. Should SSL.com need to cross-sign these roots, I would recommend that they proactively discuss the issue with root programs before doing so. It's possible that an alternative solution can be found or that root programs will grant an exception.

Flags: needinfo?(wthayer)
QA Contact: kwilson
Product: NSS → CA Program
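The EV readiness-check entry posted in comment 16 above carries the root's subject DN and serial number as base64 strings (NSS's ExtendedValidation.cpp stores the DER-encoded subject Name and the raw serial INTEGER contents that way), and comment #63 raises the number of attributes in that subject DN. As an added example that is not part of this bug, of SSL.com's tooling, or of Mozilla's EV test script, the Python below decodes the two base64 fields exactly as posted above, walks the DER Name with a minimal TLV reader to list its attribute types, checks that the result matches the CN=... line the tool printed, and reports which attributes fall outside a permitted set. The permitted set {C, O, CN} is an assumption made for this example (the "3 fields" comment #63 refers to), not a quotation of the Baseline Requirements, and the attribute-name table covers only the types that appear in CA subjects here.

```python
import base64

# Fields copied verbatim from the EV readiness-check entry in comment 16:
# the subject is a DER-encoded Name, the serial is the INTEGER contents only.
EV_ENTRY_SUBJECT_B64 = (
    "MH8xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3Rv"
    "bjEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMTQwMgYDVQQDDCtTU0wuY29tIEVW"
    "IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgUlNB"
)
EV_ENTRY_SERIAL_B64 = "HWwR62/aOZ0="

# Short names for the X.520 attribute types seen in CA subject DNs.
ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}

# Assumption for this example only: the root subject attributes this
# check treats as permitted (the three fields comment #63 refers to).
PERMITTED_ROOT_ATTRS = {"C", "O", "CN"}


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Parse a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)
    into a list of (attribute_name_or_oid, value) in encoded order."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = read_tlv(rdn, inner)
            _, oid_raw, p = read_tlv(atv, 0)      # AttributeType
            _, val_raw, _ = read_tlv(atv, p)      # AttributeValue (string)
            oid = decode_oid(oid_raw)
            attrs.append((ATTR_NAMES.get(oid, oid), val_raw.decode("utf-8")))
    return attrs


def name_to_string(attrs):
    """Render attributes CN-first, the order the readiness check prints."""
    return ",".join(f"{k}={v}" for k, v in reversed(attrs))


def subject_from_entry(b64):
    return parse_name(base64.b64decode(b64))


def serial_from_entry(b64):
    """The serial is raw INTEGER contents, so show it as uppercase hex."""
    return base64.b64decode(b64).hex().upper()


def extra_root_attrs(attrs):
    """Attribute types outside PERMITTED_ROOT_ATTRS, in DER order."""
    return [k for k, _ in attrs if k not in PERMITTED_ROOT_ATTRS]


if __name__ == "__main__":
    attrs = subject_from_entry(EV_ENTRY_SUBJECT_B64)
    print("subject:", name_to_string(attrs))
    print("serial: ", serial_from_entry(EV_ENTRY_SERIAL_B64))
    print("attributes outside C/O/CN:", extra_root_attrs(attrs))
```

Running it against the entry as posted prints the same DN the readiness check emitted (CN=SSL.com EV Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US), which is the sanity check worth doing before such an entry is committed: a base64 subject that does not decode to the advertised DN means EV treatment would attach to the wrong issuer. The last line lists ST and L, the two attributes beyond C, O and CN that comment #63 is pointing at.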