Closed Bug 1310580 Opened 9 years ago Closed 5 years ago

Add new KISA Root certificate(KISA RootCA 4) to Trusted Root Store

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jjw, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-verifying] - Need BR Self Assessment)

User Agent: Mozilla/5.0 (Windows NT 6.1; APCPMS=^N20140115041946137138498B2B92A4C5B53F_1387^; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; GWX:DOWNLOADED; GWX:RESERVED; rv:11.0) like Gecko

Steps to reproduce:
As KISA has decided to use this new certificate (KISA RootCA 4) to issue certificates of an Issuing CA which will issue SSL certificates, we would like to add our Root certificate (KISA RootCA 4) to Mozilla Trusted Root Store.

Actual results:
A warning message occurs when a user visits a website installed with our SSL due to not trusted Root certificate.

Expected results:
We would like to expect that the Root certificate (KISA RootCA 4) is included in Mozilla Trusted Root Store.

Please see:

1) https://bugzilla.mozilla.org/show_bug.cgi?id=335197#c168

2) https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
"Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their (first-level) subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated: ..."

Whiteboard: Super-CA, need to approve subCAs first

(In reply to Kathleen Wilson from comment #1)
> Please see:
>
> 1) https://bugzilla.mozilla.org/show_bug.cgi?id=335197#c168
>
> 2) https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
> "Some CAs sign the certificates of subordinate CAs to show that they have
> been accredited or licensed by the signing CA. Such signing CAs are called
> Super-CAs, and their (first-level) subordinate CAs must apply for inclusion
> of their own certificates until the following has been established and
> demonstrated: ..."

Hello, Kathleen.
We fully understand our Root CA certificate has been categorized as Super-CA. Also we would like to include a new Root CA certificate (KISA RootCA 4) into Mozilla products. In this case, is it correct that Sub-CA(s) under KISA Root CA will apply separately its CA certificate linked to KISA RootCA 4 to Mozilla?

Will the new root CA certificate (KISA RootCA 4) also sign the subCAs that are currently signed by the old KISA root certificate?

(In reply to Kathleen Wilson from comment #3)
> Will the new root CA certificate (KISA RootCA 4) also sign the subCAs that
> are currently signed by the old KISA root certificate?

Subjects are same. The SubCAs are currently signed by KISA RootCA1 and RootCA4.

Whiteboard: Super-CA, need to approve subCAs first → Information Incomplete - Super-CA, need to approve subCAs first
Assignee: kwilson → awu
Whiteboard: Information Incomplete - Super-CA, need to approve subCAs first → [ca-verification] - Super-CA, need to approve subCAs first
Whiteboard: [ca-verification] - Super-CA, need to approve subCAs first → [ca-hold] - Super-CA, need to approve subCAs first
Product: mozilla.org → NSS
Assignee: awu → kwilson
In bug #335197 it was determined that KISA would need to apply to have its subCAs directly included as trust anchors. Therefore, I think this request is for the inclusion of the KISA RootCA1 and RootCA4 certs as trust anchors. For each subCA to be directly considered for inclusion, the CA needs to update this bug to provide the information listed at the following wiki page. https://wiki.mozilla.org/CA/Information_Checklist
Whiteboard: [ca-hold] - Super-CA, need to approve subCAs first → [ca-verifying] - Need BR Self Assessment
Concerns about auditor: Bug #1451235
Request for inclusion of a subCA of another KISA root: Bug #1377389

There's a concern about KISA itself:

KISA is a public institution and is controlled by the Korean government.
The problem here is that the South Korean government is actively pursuing censorship, and there are concerns that they can legally attempt an MITM attack.

In accordance with Article 44.7.3. of the Act on Promotion of Information and Communication Network Utilization and Information Protection in Korea, the South Korean government may order Internet service providers to block 'hazardous sites'.

Recently, under the leadership of the South Korean government, Internet service providers operate a system to drop packets through the HTTPS protocol through SNI eavesdropping.

I am seriously concerned about the more serious censorship structure that could be formed when this Root CA is registered, and I ask KISA to confirm that it will never cooperate with the South Korean government's attempt to carry out an MITM attack.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I intend to close this inclusion request bug on or about 1-September-2020 because it does not appear to be actively pursued.

Flags: needinfo?(bwilson)
QA Contact: kwilson
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(bwilson)
Resolution: --- → WONTFIX
Product: NSS → CA Program