Add PosDigicert Class 2 Root CA G4 certificate
Categories
(CA Program :: CA Certificate Root Program, task, P4)
Tracking
(Not tracked)
People
(Reporter: noorul.mansol, Assigned: bwilson)
Details
(Whiteboard: [ca-verifying] - BW 2020-12-11 Comment #26)
Attachments
(6 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Hi Kathleen,

We write this note to inform you that we have a root CA certificate, "PosDigicert Class 2 Root CA G2", to be included in the Mozilla Root CA Program. We, representatives of Pos Digicert Sdn. Bhd (Malaysia), wish to submit our Root certificate for the Mozilla Root CA Program. Herewith, we attach the Mozilla CA Information Checklist for your kind perusal. If you need any additional information, please let us know. Looking forward to reading from you soon.

Thanks & Regards
Hi Aaron,

Will update & revert back to you with the answers on the BR self assessment.

Thanks & Regards
Hi,

Thanks for providing the information for the Mozilla CA Checklist!

For the BR Self Assessment, here is more information for your reference.

Current version of the BRs: https://cabforum.org/baseline-requirements-documents/

Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background =

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process. Description of this new step is here: https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CAs' BR Self Assessment, which is a Google Doc: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here: https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.

Please let me know if you have further questions,

Thanks,
Aaron
Comment 4•7 years ago
Given there is already a certification authority named DigiCert, will a different certification authority whose name includes "Digicert" create any problems?
Comment 5•7 years ago
(In reply to David E. Ross from comment #4)
> Given there is already a certification authority named DigiCert, will a
> different certification authority whose name includes "Digicert" create any
> problems?

No.
Hi,

Attached is Pos Digicert's BR Self-Assessment for your kind perusal.

Thanks & Regards
Comment 7•7 years ago
Noorul: please can you clarify your organization's connection to the organization mentioned here: https://blog.mozilla.org/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/ ? Thanks, Gerv
(In reply to Gervase Markham [:gerv] from comment #7)
> Noorul: please can you clarify your organization's connection to the
> organization mentioned here:
> https://blog.mozilla.org/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
> ?
>
> Thanks,
>
> Gerv

Hi Gerv,

In relation to your query regarding the URL, we would like to acknowledge that we are the said company in the article, and yes, the incident did happen back then in 2011. Best practices at that time mandated the use of RSA 1024 bit encryption keys. The updated internal process on key issuance was not followed / adhered to by one of our internal registration staff, which led to the old RSA 512 bit encryption keys being used for issuance purposes. However, rest assured that the incident was an isolated case and we rectified the internal breach of standard operating procedure within days of it being reported. The entire batch of the affected certificates which were issued using the RSA 512 bit encryption keys was revoked immediately. We currently use only RSA 2048 bit encryption keys for all of our certificates.

For your further information, Pos Digicert Sdn Bhd has been awarded the WebTrust for Certification Authority (CA) Certification since 2013 to date. Our latest audit was conducted last year in 2016, whereby the WebTrust compliance audit was conducted by PwC, an internationally registered WebTrust auditor with the Malaysian Communications and Multimedia Commission (MCMC). To fulfil our commitment in continuously providing resilient security assurance services, we are also certified with the prestigious ISO/IEC 27001:2013, making us the first Certification Authority in Malaysia to be certified under the revised standard, ISO/IEC 27001 (ISMS). Our clients’ security and service satisfaction is paramount to us and we will endeavor to constantly provide our best services to our clients.

Thanks & Regards
Hi Aaron & Bugzilla Team, Any updates from this submission? Please let us know if you have any other inquiries. Looking forward to reading from you soon. Thanks & Regards
Comment 10•7 years ago
Hi,

While verifying your BR Self Assessment, it seems there are some server issues with the test websites below:
a. Testvalid.posdigicert.com.my
b. Testrevoke.posdigicert.com.my
c. Testexpired.posdigicert.com.my

Could you please double check and fix?

Thanks,
Aaron
Reporter
Comment 11•7 years ago
Hi Aaron,

Sorry for the inconvenience caused. Appreciate if you could use the following URLs:
https://testvalid.posdigicert.com.my
https://testrevoke.posdigicert.com.my
https://testexpired.posdigicert.com.my

Thanks & Regards
Reporter
Comment 12•7 years ago
Hi Aaron, Any updates? Please let us know if you have any other inquiries. Looking forward to reading from you soon. Thanks & Regards
Comment 13•7 years ago
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Comment 14•7 years ago
I have begun verifying the CA information as per step #2 of https://wiki.mozilla.org/CA/Application_Process#Process_Overview

Please search the attached document for the word "NEED" to find where the CA needs to provide further information in this bug. In particular:
- CA reported that SSL certs are valid up to 3 years, but the rule changes to 825 days on March 1. See sections 4.2.1 and 6.3.2 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.6.pdf
- CRLs that conform to the CA/Browser Forum's Baseline Requirements (BRs). See BRs section 4.9.7.
- OCSP and authorityInformationAccess (AIA) that conform to the BRs. See BRs sections 4.9.9, 4.9.10, 7.1.2.2, 7.1.2.3
- Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.
- Cert for Revoked test website cannot be expired.
- Resolve errors: https://certificate.revocationcheck.com/testvalid.posdigicert.com.my
- Explain/Resolve errors listed here: https://crt.sh/?caid=51025&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01
- Need current Audit Statements
- CPS must have clear description of how the CA verifies that the domain names to be included in the SSL certificate are owned/controlled by the certificate subscriber. There is currently not sufficient description of the domain validation procedures in the CPS. Also, it must be clear which subsections of BR section 3.2.2.4 the CA uses. See https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication
Reporter
Comment 15•7 years ago
Hi Kathleen,

Thank you & appreciate your concern. We will provide the feedback later.

Thanks & Regards
Reporter
Comment 16•7 years ago
Hi Kathleen,

Thank you very much for your concern on our submission. Kindly accept our sincere apologies for the delay in response, which was due to our internal financial year end activities/commitments in the organization.

Below is the link to our latest WebTrust for CA report & Management Assertion for your kind reference: https://cert.webtrust.org/SealFile?seal=2423&file=pdf

For your information, there will be some delay for the WebTrust for BR Audit management assertion to be issued as the audit was recently completed.

Appreciate if you could use the following new URLs to test the certificate:
https://testvalid.posdigicert.com.my/
https://testrevoke.posdigicert.com.my/
https://testexpired.posdigicert.com.my/

As for the verification of the domain names to be included in the SSL certificate:

For Class 2 certificates (Individual), Pos Digicert CA performs validation of the identity of the subscriber as part of the mandatory requirements of certificate application, where physical presence is mandatory for verification of applicants, together with an attested copy of identity proof (National Identity Card or Passport).

For Class 2 certificates (Organization), Pos Digicert CA performs validation of the identity of the organization by having attested copies of documents from the domain registrars containing the domain name in order to prove ownership of the domain name. Attested copies of documents from the registrars of companies are also required to ensure the registration and ownership of the companies. In addition to the above documents, an authorization letter in favor of the digital signature certificate applicant from the organization is required.

In the absence of the applicant, an attested copy of an Authorisation Personnel letter is attached together with the application to ensure the representative is an employee of or associated with the organization. Also, to ensure the applicant is aware of the application request, the RA must make a phone call to verify the identity of the applicant.

Refusals to issue a Digital Signature Certificate are commonly due to an incomplete application, incomplete information or wrong information. Pos Digicert CA never performs certificate generation until the submission and registration is approved by a Registration Officer.

As stated in BR subsection 3.2.2.4.9 (https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication), Pos Digicert no longer uses this method & it has been audited. As part of the WebTrust for BR Audit findings also, we shall produce a new CPS to align with the findings.

SSL validity: Pos Digicert currently issues SSL certificates with a maximum validity of 2 years.

Last but not least, we certainly hope that our updates will be considered accordingly.

Thanks & Regards
Reporter
Comment 17•6 years ago
Hi Kathleen & team,

Any updates? Please let us know if you have any other inquiries. We really hope that our submission will be approved as one of the trusted Root CAs for this program.

Thanks & Regards
Comment 18•6 years ago
(In reply to Noorul from comment #16)
> Below is the link to our latest WebTrust for CA report & Management
> Assertion for your kind reference:
> https://cert.webtrust.org/SealFile?seal=2423&file=pdf

This audit statement does not list the SHA256 Fingerprints of the root and intermediate certificates that were in scope of the audit. Please inform your auditor that all future audit statements must comply with section 3.1.4 of Mozilla's Root Store Policy.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

When do you expect to have the 2018 WebTrust CA audit statement?

> For your information, there will be some delay for the WebTrust for BR Audit
> management assertion to be issued as the audit recently completed.

Please attach the 2017 WebTrust BR audit statement to this bug.

When do you expect to have the 2018 WebTrust BR audit statement?

Again, please make sure your auditor provides audit statements that comply with section 3.1.4 of Mozilla's Root Store Policy.

> Appreciate if you could use the following new URL to test the certificate:
> https://testvalid.posdigicert.com.my/

OK

> https://testrevoke.posdigicert.com.my/

CRL is broken/unparsable
See also: https://certificate.revocationcheck.com/testvalid.posdigicert.com.my

> https://testexpired.posdigicert.com.my/

OK

> As for the verification of the domain names which to be included in the SSL
> certificate:
>
> For Class 2 certificate (Individual), Pos Digicert CA performs validation of
> the identity of the subscriber as part of the mandatory requirements of
> certificate application where physical presence is mandatory for
> verification of applicants. Attested copy of Identity Proof, National
> Identity Card or Passport.
>
> For Class 2 certificate (Organization), Pos Digicert CA performs validation
> of the identity of the organization by having attested copy of documents
> from the registrars of Domains containing domain name in order to prove the
> ownership of the domain name. Attested copy of documents from the
> registrars of companies is also required to ensure the registration and
> ownership of the companies. In addition to the above documents,
> authorization letter in favor of the digital signature certificate applicant
> from the organization.
>
> In the absence of the applicant, attested copy of Authorisation Personnel
> letter is attached together with the application to ensure the
> representative is the employee or associated with the organization. Also, to
> ensure the applicant is aware about the application request, RA must do
> phone call to verify the identity of the applicant.
>
> Refusals to issue a Digital Signature Certificate are commonly due to
> incomplete application, information or wrong information. Pos Digicert CA
> never performed certificate generation until the submission and registration
> is approved by Registration Officer.
>
> As stated in BR subsection 3.2.2.4.9
> https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication
>
> Pos Digicert are no longer use this method & its been audited.
> As part of WebTrust for BR Audit findings also,we shall produce new CPS to
> align with the findings.
> https://www.posdigicert.com.my/public/uploads/files/CPS-Rev-7.pdf

""
3.2.7 Authentication of Domain Name and Country Name
For all Pos Digicert Server ID G2 Certificates, authentication of the Applicant’s Country Name ownership or control of all requested Domain Name(s) is done by POS DIGICERT confirming that the WHOIS data for the Domain Name matches with the application details submitted. If the WHOIS data for the Domain Name and the Country Name does not match POS DIGICERT will not issue the certificate. POS DIGICERT does not accept IP addresses as a replacement of Domain Name. These requirements shall similarly apply to all Sub CA Certificates issued under Pos Digicert Server ID G2 Certificates. However, the restrictions above do not apply to Pos Digicert Server ID G3 Certificates.
""

What does that last sentence mean? "However, the restrictions above do not apply to Pos Digicert Server ID G3 Certificates."

All SSL cert issuance within the CA Hierarchy must comply with the BRs. See section 2.2 of Mozilla's Root Store Policy.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

I also noticed section 4.6 of the CPS says:
"POS DIGICERT also issues TRIAL certificates for Pos Digicert Server ID G3 / Digisign Server ID 2048 for a validity period of one (1) month. This complimentary certificate is issued for testing purpose only and is not be subjected to the DSA / DSR."

Even TRIAL certificates must be domain validated according to the BRs.

> SSL validity:
> Pos Digicert current SSL issued maximum 2 years validity.

I am not finding this in the CPS. Here's what I find:
"As per business contract terms requires but not exceeding three years as sanctioned by DSA 1997 Section 59. Most common validity period applies is either 1 year or 2 years or 3 years."
Reporter
Comment 19•6 years ago
Hi Kathleen,
We are in the midst of drafting new CPS. We shall provide the final CPS later.
For your information also, Pos Digicert Sdn. Bhd. is in the midst of waiting for 2018 WebTrust for CA & SSL Baseline Audit Report from the respective Auditor.
Thanks & Regards
Assignee
Comment 20•4 years ago
Is Pos Digicert Sdn. Bhd still interested in pursuing inclusion in the Mozilla Root Store? Please let us know at your convenience.
Comment 21•4 years ago
Dear Ben Wilson,
We will continue with Pos Digicert Class 2 Root CA G4 inclusion (Case # 607).
Hence you may proceed to withdraw PosDigicert Class 2 Root CA G2 root from Mozilla Root Store and close this case # 218.
Thank you.
Assignee
Comment 22•4 years ago
I am changing the title of this bug to reflect that it is the G4 root for which Pos Digicert is seeking inclusion.
Assignee
Comment 23•4 years ago
Assignee
Comment 24•4 years ago
Assignee
Comment 25•4 years ago
Assignee
Comment 26•4 years ago
CP/CPS Review
BR Self assessment has been provided and needs to be reviewed.
CPS is outdated (2019) and needs to be updated.
Test Notes
NEED TO FIX: CRLs and OCSP responses for 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root.
Revocation Tested
Test with http://certificate.revocationcheck.com/ showed the following errors.
ERROR: Response expired 1026h31m27s ago
ERROR: ThisUpdate is more than seven days old, CRLs must be updated and reissued at least every seven days (Mozilla Maintenance Policy section 3)
Description of PKI Hierarchy
NEED: URL and/or Description of this PKI Hierarchy.
NEED: Details related to any of the following:
Cross-Signed by another Root Cert?
PKI Hierarchy Verified?
Has Externally Operated SubCAs?
CP/CPS allows Ext Operated SubCAs?
Has External Registration Authorities?
CP/CPS allows External RAs?
Add records for the existing intermediate certs to the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data
If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document. https://wiki.mozilla.org/CA/Subordinate_CA_Checklist
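The two revocationcheck findings above (a ThisUpdate older than seven days and an expired response) come down to checks on the CRL's own timestamps. The Go program below is an added example, not part of this bug or of Pos Digicert's or crt.sh's tooling: it builds a throwaway self-signed CA (constructed data; the CA name, serial and CRL number are assumptions), signs a CRL with a chosen ThisUpdate, and flags a CRL that is unparsable, not signed by the issuer, older than the seven-day limit quoted in the error text, or past its NextUpdate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Mozilla policy (quoted in the revocationcheck error above) requires a CRL to be reissued at least every seven days.
const maxCRLAge = 7 * 24 * time.Hour

// CheckCRL parses a DER CRL, verifies its signature against the issuer and returns the problems a reviewer would flag.
func CheckCRL(der []byte, issuer *x509.Certificate, now time.Time) (problems []string) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return []string{"CRL is broken/unparsable: " + err.Error()}
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		problems = append(problems, "signature does not verify against issuer: "+err.Error())
	}
	if age := now.Sub(crl.ThisUpdate); age > maxCRLAge {
		problems = append(problems, "ThisUpdate is "+age.Round(time.Hour).String()+" old, limit is seven days")
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		problems = append(problems, "CRL expired "+now.Sub(crl.NextUpdate).Round(time.Hour).String()+" ago")
	}
	return problems
}

// SampleCA builds a throwaway self-signed issuer (constructed data, not the Pos Digicert root) so the check runs offline.
func SampleCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed copy carries the SubjectKeyId that CreateRevocationList needs
	return cert, key, err
}

// SampleCRL signs a CRL from the throwaway CA with the given ThisUpdate and a NextUpdate seven days later.
func SampleCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, thisUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(maxCRLAge),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}
```

Pointing CheckCRL at a CRL whose ThisUpdate is 43 days old reproduces both findings from the bug (stale ThisUpdate and an expired CRL), while a CRL issued an hour ago passes cleanly.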
Comment 27•4 years ago
Hi Ben. Last week a representative of this CA asked me why crt.sh was showing "Unknown" as the CRL status for https://crt.sh/?id=1121022026. On investigating I discovered the cause was that the record on crt.sh's CRL table for http://crl.posdigicert.com.my/Class2RootCAG4.crl was assigned to "CA unknown" (CA_ID = -1) rather than CA_ID=182965.
This presumably happened because crt.sh became aware via its Test Websites monitor of the intermediate certificate (https://crt.sh/?id=1121022026) and the CRL Distribution Point (http://crl.posdigicert.com.my/Class2RootCAG4.crl) long before crt.sh became aware of the root certificate (https://crt.sh/?id=3321742494).
After correcting the CA_ID (to 182965) on that crt.sh CRL record, crt.sh is now able to download, parse, and verify the CRL successfully.
The CA representative hinted to me that you'd been looking at this, so I just wanted to post this note to confirm that this was a deficiency with crt.sh rather than a problem with the CRL.
Assignee
Comment 28•4 years ago
Thanks, Rob.
I re-ran the revocationcheck test and received two errors:
Valid signature but response includes an unnecessary certificate chain
Certificate status is 'Good' expecting 'Unknown'
See https://certificate.revocationcheck.com/testvalidg4.posdigicert.com.my
Assignee
Comment 29•3 years ago
Sent email requesting update on:
1 - audit reports covering the complete CA lifecycle for Pos Digicert Class 2 Root CA G4 (key generation auditor's report plus contiguous period-of-time audits since key generation)
2 - three working test websites (valid, revoked, expired certificates) chaining up to Pos Digicert Class 2 Root CA G4 (they don't seem to be working)
3 - statement demonstrating how benefits of including root CA are greater than the risks (see - https://wiki.mozilla.org/CA/Quantifying_Value)
Comment 30•2 years ago
Redirect needinfos that are pending on inactive users to the triage owner.
:kwilson, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.