Open Bug 1396760 Opened 7 years ago Updated 2 years ago

Add PosDigicert Class 2 Root CA G4 certificate

Categories

(CA Program :: CA Certificate Root Program, task, P4)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: noorul.mansol, Assigned: bwilson)

Details

(Whiteboard: [ca-verifying] - BW 2020-12-11 Comment #26)

Attachments

(6 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Hi Kathleen,

We are writing to inform you that we have a root CA certificate, "PosDigicert Class 2 Root CA G2", to be included in the Mozilla Root CA Program.
 
We, representatives of Pos Digicert Sdn. Bhd (Malaysia), wish to submit our root certificate for the Mozilla Root CA Program.
Herewith, we have attached the Mozilla CA Information Checklist for your kind perusal.
 
If you need any additional information, please let us know.
 
Looking forward to hearing from you soon.

Thanks & Regards
Assignee: kwilson → awu
Whiteboard: [ca-verifying] - Need BR Self Assessment
Hi Aaron,

We will update and revert to you with the answers on the BR self-assessment.

Thanks & Regards
Flags: needinfo?(musliza)
Flags: needinfo?(muhammadfaris)
Hi,

Thanks for providing the information for the Mozilla CA Checklist!

For the BR Self Assessment, here is more information for your reference.

Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for the CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ
In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.

Please let me know if you have any further questions.

Thanks,
Aaron
Given there is already a certification authority named DigiCert, will a different certification authority whose name includes "Digicert" create any problems?
(In reply to David E. Ross from comment #4)
> Given there is already a certification authority named DigiCert, will a
> different certification authority whose name includes "Digicert" create any
> problems?

No.
Hi,

Attached is Pos Digicert's BR Self-Assessment for your kind perusal.

Thanks & Regards
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - BR Self Assessment Received
Noorul: please can you clarify your organization's connection to the organization mentioned here:
https://blog.mozilla.org/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
?

Thanks,

Gerv
(In reply to Gervase Markham [:gerv] from comment #7)
> Noorul: please can you clarify your organization's connection to the
> organization mentioned here:
> https://blog.mozilla.org/security/2011/11/03/revoking-trust-in-digicert-sdn-
> bhd-intermediate-certificate-authority/
> ?
> 
> Thanks,
> 
> Gerv

Hi Gerv,

In relation to your query regarding the URL, we would like to acknowledge that we are the company named in the article, and yes, the incident did happen back in 2011. Best practices at that time mandated the use of RSA 1024-bit encryption keys. The updated internal process on key issuance was not followed by one of our internal registration staff, which led to the old RSA 512-bit encryption keys being used for issuance purposes. However, rest assured that the incident was an isolated case and we rectified the internal breach of standard operating procedure within days of it being reported. The entire batch of affected certificates which were issued using the RSA 512-bit encryption keys was revoked immediately. We currently use only RSA 2048-bit encryption keys for all of our certificates.

For your further information, Pos Digicert Sdn Bhd has been awarded the WebTrust for Certification Authority (CA) certification from 2013 to date. Our latest audit was conducted last year, in 2016; the WebTrust compliance audit was conducted by PwC, an internationally registered WebTrust auditor, with the Malaysian Communications and Multimedia Commission (MCMC). To fulfil our commitment to continuously providing resilient security assurance services, we are also certified to the prestigious ISO/IEC 27001:2013 standard, making us the first Certification Authority in Malaysia to be certified under the revised standard, ISO/IEC 27001 (ISMS).

Our clients' security and service satisfaction are paramount to us, and we will endeavor to constantly provide our best services to our clients.

Thanks & Regards
Hi Aaron & Bugzilla Team,

Any updates on this submission?
Please let us know if you have any other inquiries.

Looking forward to hearing from you soon.

Thanks & Regards
Hi,

While verifying your BR Self Assessment, it seems there are some server issues with the test websites below:

a. Testvalid.posdigicert.com.my
b. Testrevoke.posdigicert.com.my
c. Testexpired.posdigicert.com.my

Could you please double check and fix?

Thanks,
Aaron
Hi Aaron,

Sorry for the inconvenience caused.

We would appreciate it if you could use the following URLs:

https://testvalid.posdigicert.com.my
https://testrevoke.posdigicert.com.my
https://testexpired.posdigicert.com.my

Thanks & Regards
Hi Aaron,

Any updates?
Please let us know if you have any other inquiries.

Looking forward to hearing from you soon.

Thanks & Regards
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
I have begun verifying the CA information as per step #2 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview

Please search the attached document for the word "NEED" to find where the CA needs to provide further information in this bug.
In particular:
- CA reported that SSL certs are valid up to 3 years, but the rule changes to 825 days on March 1. See sections 4.2.1 and 6.3.2 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.6.pdf
- CRLs that conform to the CA/Browser Forum's Baseline Requirements (BRs). See BRs section 4.9.7.
- OCSP and authorityInformationAccess (AIA) that conform to the BRs. See BRs sections 4.9.9, 4.9.10, 7.1.2.2, 7.1.2.3
- Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CAs should consider if such constraints may be applied to their root certs.
- The cert for the Revoked test website cannot be expired.
- Resolve errors: https://certificate.revocationcheck.com/testvalid.posdigicert.com.my
- Explain/Resolve errors listed here: https://crt.sh/?caid=51025&opt=cablint,zlint,x509lint&minNotBefore=2000-01-01
- Need current Audit Statements
- CPS must have clear description of how the CA verifies that the domain names to be included in the SSL certificate are owned/controlled by the certificate subscriber. There is currently not sufficient description of the domain validation procedures in the CPS. Also, it must be clear which subsections of BR section 3.2.2.4 the CA uses.
See https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication
Whiteboard: [ca-verifying] - BR Self Assessment Received → [ca-verifying] - KW Comment #14 2018-02-13
Hi Kathleen,

Thank you, and we appreciate your concern. We will provide the feedback later.

Thanks & Regards
Hi Kathleen,

Thank you very much for your concern about our submission.
Kindly accept our sincere apologies for the delay in response, which was due to our internal financial year-end activities and commitments in the organization.

Below is the link to our latest WebTrust for CA report & Management Assertion for your kind reference:
https://cert.webtrust.org/SealFile?seal=2423&file=pdf

For your information, there will be some delay for the WebTrust for BR Audit management assertion to be issued as the audit recently completed.
__________________________________________________________________________________________________________________________


We would appreciate it if you could use the following new URLs to test the certificates:

https://testvalid.posdigicert.com.my/

https://testrevoke.posdigicert.com.my/

https://testexpired.posdigicert.com.my/

__________________________________________________________________________________________________________________________

As for the verification of the domain names which are to be included in the SSL certificate:

For Class 2 certificates (Individual), Pos Digicert CA performs validation of the identity of the subscriber as part of the mandatory requirements of the certificate application, where physical presence is mandatory for verification of applicants. An attested copy of proof of identity (National Identity Card or Passport) is required.

For Class 2 certificates (Organization), Pos Digicert CA performs validation of the identity of the organization by obtaining an attested copy of documents from the domain registrar containing the domain name, in order to prove ownership of the domain name. An attested copy of documents from the registrar of companies is also required to confirm the registration and ownership of the company. In addition to the above documents, an authorization letter from the organization in favor of the digital signature certificate applicant is required.

In the absence of the applicant, an attested copy of the Authorisation Personnel letter is attached together with the application to ensure the representative is an employee of or associated with the organization. Also, to ensure the applicant is aware of the application request, the RA must make a phone call to verify the identity of the applicant.

Refusals to issue a Digital Signature Certificate are commonly due to an incomplete application, incomplete information or wrong information. Pos Digicert CA never performs certificate generation until the submission and registration are approved by a Registration Officer.


As stated in BR subsection 3.2.2.4.9 (see
https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication),

Pos Digicert no longer uses this method, and this has been audited.
Also, as part of the WebTrust for BR Audit findings, we shall produce a new CPS to align with the findings.

________________________________________________________________________________________________________________________

SSL validity:
Pos Digicert currently issues SSL certificates with a maximum validity of 2 years.


Last but not least, we certainly hope that our updates will be considered accordingly.

Thanks & Regards
Hi Kathleen & team,

Any updates?
Please let us know if you have any other inquiries.

We really hope that our submission will be approved, as one of the trusted root CAs in this program.

Thanks & Regards
(In reply to Noorul from comment #16)
> Below is the link to our latest WebTrust for CA report & Management
> Assertion for your kind reference:
> https://cert.webtrust.org/SealFile?seal=2423&file=pdf

This audit statement does not list the SHA256 Fingerprints of the root and intermediate certificates that were in scope of the audit. Please inform your auditor that all future audit statements must comply with section 3.1.4 of Mozilla's Root Store Policy.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

When do you expect to have the 2018 WebTrust CA audit statement?


> 
> For your information, there will be some delay for the WebTrust for BR Audit
> management assertion to be issued as the audit recently completed.


Please attach the 2017 WebTrust BR audit statement to this bug.

When do you expect to have the 2018 WebTrust BR audit statement?
Again, please make sure your auditor provides audit statements that comply with section 3.1.4 of Mozilla's Root Store Policy.
 


> _____________________________________________________________________________
> _____________________________________________
> 
> 
> Appreciate if you could use the following new URL to test the certificate:
> 
> https://testvalid.posdigicert.com.my/

OK

> 
> https://testrevoke.posdigicert.com.my/

CRL is broken/unparsable

See also:
https://certificate.revocationcheck.com/testvalid.posdigicert.com.my

> 
> https://testexpired.posdigicert.com.my/

OK

> 
> _____________________________________________________________________________
> _____________________________________________
> 
> As for the verification of the domain names which to be included in the SSL
> certificate:
> 
> For Class 2 certificate (Individual), Pos Digicert CA performs validation of
> the identity of the subscriber as part of the mandatory requirements of
> certificate application where physical presence is mandatory for
> verification of applicants. Attested copy of Identity Proof, National
> Identity Card or Passport.
> 
> For Class 2 certificate (Organization), Pos Digicert CA performs validation
> of the identity of the organization by having attested copy of documents
> from the registrars of Domains containing domain name in order to prove the
> ownership of the domain name.  Attested copy of documents from the
> registrars of companies is also required to ensure the registration and
> ownership of the companies. In addition to the above documents,
> authorization letter in favor of the digital signature certificate applicant
> from the organization.
> 
> In the absence of the applicant, attested copy of Authorisation Personnel
> letter is attached together with the application to ensure the
> representative is the employee or associated with the organization. Also, to
> ensure the applicant is aware about the application request, RA must do
> phone call to verify the identity of the applicant.
> 
> Refusals to issue a Digital Signature Certificate are commonly due to
> incomplete application, information or wrong information. Pos Digicert CA
> never performed certificate generation until the submission and registration
> is approved by Registration Officer.
> 
> 
> As stated in BR subsection 3.2.2.4.9
> https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication
> 
> Pos Digicert are no longer use this method & its been audited. 
> As part of WebTrust for BR Audit findings also,we shall produce new CPS to
> align with the findings.
> 


https://www.posdigicert.com.my/public/uploads/files/CPS-Rev-7.pdf
""
3.2.7 Authentication of Domain Name and Country Name
For all Pos Digicert Server ID G2 Certificates, authentication of the Applicant’s Country Name ownership or control of all requested Domain Name(s) is done by POS DIGICERT confirming that the WHOIS data for the Domain Name matches with the application details submitted. If the WHOIS data for the Domain Name and the Country Name does not match POS DIGICERT will not issue the certificate. POS DIGICERT does not accept IP addresses as a replacement of Domain Name. These requirements shall similarly apply to all Sub CA Certificates issued under Pos Digicert Server ID G2 Certificates.
However, the restrictions above do not apply to Pos Digicert Server ID G3 Certificates.
""

What does that last sentence mean?
"However, the restrictions above do not apply to Pos Digicert Server ID G3 Certificates."

All SSL cert issuance within the CA Hierarchy must comply with the BRs.
See section 2.2 of Mozilla's Root Store Policy.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ 

I also noticed section 4.6 of the CPS says: "POS DIGICERT also issues TRIAL certificates for Pos Digicert Server ID G3 / Digisign Server ID 2048 for a validity period of one (1) month. This complimentary certificate is issued for testing purpose only and is not be subjected to the DSA / DSR."

Even TRIAL certificates must be domain validated according to the BRs.


> _____________________________________________________________________________
> ___________________________________________
> 
> SSL validity:
> Pos Digicert current SSL issued maximum 2 years validity.

I am not finding this in the CPS.
Here's what I find:
"As per business contract terms requires but not exceeding three years as sanctioned by DSA 1997 Section 59. Most common validity period applies is either 1 year or 2 years or 3 years."
Whiteboard: [ca-verifying] - KW Comment #14 2018-02-13 → [ca-verifying] - KW Comment #18 2018-08-20

Hi Kathleen,

We are in the midst of drafting new CPS. We shall provide the final CPS later.

For your information also, Pos Digicert Sdn. Bhd. is waiting for the 2018 WebTrust for CA & SSL Baseline Audit Report from the respective auditor.

Thanks & Regards

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Is Pos Digicert Sdn. Bhd still interested in pursuing inclusion in the Mozilla Root Store? Please let us know at your convenience.

QA Contact: kwilson

Dear Ben Wilson,

We will continue with the Pos Digicert Class 2 Root CA G4 inclusion (Case # 607).

Hence, you may proceed to withdraw the PosDigicert Class 2 Root CA G2 root from the Mozilla Root Store and close this case (# 218).

Thank you.

I am changing the title of this bug to reflect that it is the G4 root for which Pos Digicert is seeking inclusion.

Summary: Add "PosDigicert Class 2 Root CA G2" Pos Digicert Sdn. Bhd. root certificate → Add "PosDigicert Class 2 Root CA G4" Pos Digicert Sdn. Bhd. root certificate
Assignee: kwilson → bwilson

CP/CPS Review

BR Self assessment has been provided and needs to be reviewed.

CPS is outdated (2019) and needs to be updated.

Test Notes

NEED TO FIX: CRLs and OCSP responses for 3 URLs to 3 test websites (valid, expired, revoked) whose TLS/SSL cert chains up to this root.

Revocation Tested

Testing with http://certificate.revocationcheck.com/ showed the following errors.

ERROR: Response expired 1026h31m27s ago

ERROR: ThisUpdate is more than seven days old, CRLs must be updated and reissued at least every seven days (Mozilla Maintenance Policy section 3)

Description of PKI Hierarchy

NEED: URL and/or Description of this PKI Hierarchy.

NEED: Details related to any of the following:

Cross-Signed by another Root Cert?

PKI Hierarchy Verified?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Add records for the existing intermediate certs to the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data

If this root has any subordinate CA certificates that are operated by external third parties, then provide the information listed in the Subordinate CA Checklist in a separate document. https://wiki.mozilla.org/CA/Subordinate_CA_Checklist

Whiteboard: [ca-verifying] - KW Comment #18 2018-08-20 → [ca-verifying] - BW 2020-12-11 Comment #26
Priority: -- → P4
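The seven-day CRL rule cited in the test notes above, as an added example that is not code from this bug, from Pos Digicert or from revocationcheck.com: a minimal DER walker that pulls thisUpdate/nextUpdate out of a CertificateList and reports the two freshness errors a checker would raise (stale thisUpdate, expired nextUpdate). The sample CRL, its issuer name, the placeholder signature bytes, REFERENCE_NOW and the helper names are all constructed here for offline use.

```python
from datetime import datetime, timedelta, timezone

MAX_CRL_AGE = timedelta(days=7)  # Mozilla policy: CRLs reissued at least every seven days
REFERENCE_NOW = datetime(2020, 12, 11, tzinfo=timezone.utc)  # constructed "now" (date of the test note)

def _der(tag, body):
    """Encode one DER TLV (sample bodies are < 128 bytes, so short-form length suffices)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as real CRLs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode DER UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_update_times(crl_der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280 section 5.1)."""
    _, cert_list, _ = _read_tlv(crl_der, 0)  # CertificateList ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)      # tbsCertList ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0x02:                          # OPTIONAL version INTEGER is present
        tag, _, pos = _read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)          # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)      # thisUpdate
    this_update, next_update = _parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):              # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, val)
    return this_update, next_update

def check_crl_freshness(crl_der, now=REFERENCE_NOW):
    """Return the freshness errors a revocation checker would report for this CRL."""
    this_update, next_update = crl_update_times(crl_der)
    errors = []
    if now - this_update > MAX_CRL_AGE:
        errors.append("ThisUpdate is more than seven days old")
    if next_update is not None and next_update < now:
        errors.append("CRL expired %s ago" % (now - next_update))
    return errors

def build_sample_crl(this_update, next_update):
    """Constructed, unsigned sample CRL: real structure, placeholder issuer and signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Constructed CRL issuer"))
    issuer = _der(0x30, _der(0x31, cn))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # placeholder BIT STRING signature

def evaluate_sample(this_update_age_days, next_update_in_days, now=REFERENCE_NOW):
    """Build a sample CRL with the given offsets from `now` and run the freshness check."""
    crl = build_sample_crl(now - timedelta(days=this_update_age_days),
                           now + timedelta(days=next_update_in_days))
    return check_crl_freshness(crl, now)
```

Running check_crl_freshness on a CRL fetched from a real distribution point (with now=datetime.now(timezone.utc)) reproduces the checker's "ThisUpdate is more than seven days old" finding; the parser only reads the two Time fields and does not verify the signature.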

Hi Ben. Last week a representative of this CA asked me why crt.sh was showing "Unknown" as the CRL status for https://crt.sh/?id=1121022026. On investigating I discovered the cause was that the record on crt.sh's CRL table for http://crl.posdigicert.com.my/Class2RootCAG4.crl was assigned to "CA unknown" (CA_ID = -1) rather than CA_ID=182965.
This presumably happened because crt.sh became aware via its Test Websites monitor of the intermediate certificate (https://crt.sh/?id=1121022026) and the CRL Distribution Point (http://crl.posdigicert.com.my/Class2RootCAG4.crl) long before crt.sh became aware of the root certificate (https://crt.sh/?id=3321742494).
After correcting the CA_ID (to 182965) on that crt.sh CRL record, crt.sh is now able to download, parse, and verify the CRL successfully.
The CA representative hinted to me that you'd been looking at this, so I just wanted to post this note to confirm that this was a deficiency with crt.sh rather than a problem with the CRL.

Thanks, Rob.
I re-ran the revocationcheck test and received two errors:
Valid signature but response includes an unnecessary certificate chain
Certificate status is 'Good' expecting 'Unknown'
See https://certificate.revocationcheck.com/testvalidg4.posdigicert.com.my

Sent email requesting update on:
1 - audit reports covering the complete CA lifecycle for Pos Digicert Class 2 Root CA G4 (key generation auditor's report plus contiguous period-of-time audits since key generation)
2 - three working test websites (valid, revoked, expired certificates) chaining up to Pos Digicert Class 2 Root CA G4 (they don't seem to be working)
3 - statement demonstrating how benefits of including root CA are greater than the risks (see - https://wiki.mozilla.org/CA/Quantifying_Value)

Redirect needinfos that are pending on inactive users to the triage owner.
:kwilson, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(musliza)
Flags: needinfo?(muhammadfaris)
Flags: needinfo?(kwilson)
Flags: needinfo?(kwilson) → needinfo?(bwilson)
Flags: needinfo?(bwilson)
Summary: Add "PosDigicert Class 2 Root CA G4" Pos Digicert Sdn. Bhd. root certificate → Add PosDigicert Class 2 Root CA G4 certificate
Severity: normal → S3
Product: NSS → CA Program