Closed Bug 1417041 Opened 7 years ago Closed 6 years ago

Add "Swedish Government Root Authority v3" root certificate to Mozilla root store

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mca, Assigned: wthayer)

Details

(Whiteboard: [ca-denied] Comment #13 - submit new root)

Attachments

(5 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

Steps to reproduce:

Severity: enhancement
Summary: Add "Swedish Government Root Authority v3" root certificate

1. Swedish Government Root Authority v3
2. http://www.forsakringskassan.se/ see also http://www.myndighetsca.se/
3. Försäkringskassan (SSIA), the Swedish government's Social Insurance Agency
4. Myndighets CA is a CA for Swedish Government authorities. Employees from 8 governments are using this root. We are adding health care in Sweden in a few months and some more governments.
5. We have been in the Microsoft root program since 2012. We have our latest WebTrust audit in CCADB. We issue personal certificates on smart cards and certificates to web servers now and will expand issuing certificates later on to the whole public sector in Sweden.

POC 1 = mca@forsakringskassan.se
POC 2 = magnus.enmarker@forsakringskassan.se Magnus Enmarker +46 10 112 82 24
POC 3 = robert.tencic@forsakringskassan.se Robert Tencic +46 10 112 82 54
POC 4 = mcadrift@forsakringskassan.se

Technical
1. "Swedish Government Root Authority v3"
2. CN = Swedish Government Root Authority v3, O = Swedish Social Insurance Agency, C = SE
3. Provisioning of certificates by Försäkringskassan, the Swedish government's Social Insurance Agency, to Swedish government agencies and to organizations in the Swedish public sector.
4. http://pki.myndighetsca.se/crl/SwedishGovernmentRootAuthorityv3.crt
5. 74 6f 88 f9 ac 16 3c 53 00 9e ef 92 0c 40 67 75 6a 15 71 7e
6. 29 September 2015 12:32:32
7. 29 September 2040 12:42:09
8. V3
9. sha256RSA
10. RSA 4096
11. https://mcacert.myndighetsca.se/
12. See https://mcacert.myndighetsca.se/
13. http://pki.myndighetsca.se/crl/SwedishGovernmentHWCAv4.crt and http://pki.myndighetsca.se/crl/SwedishGovernmentSignCAv3.crt. See CP/CPS chapter 4.9.7 for CRL issuance frequency.
14. http://ocsp.myndighetsca.se/ocsp. See chapters 4.9 and 4.9.9 about OCSP.
15. Yes, we have tested.
16. We are requesting Websites (SSL/TLS) and Email (S/MIME); see chapter 4.1.2 in http://www.myndighetsca.se/cps/SSIA_Sign_CA_v3_CPS_Ver330.pdf for:
    a. Users from all Agencies can request an S/MIME certificate on a self-service page at the Portal if they have a valid certificate from "Swedish Government User CA" or "Swedish Government Auth CA". The S/MIME certificate is stored on the Applicant's smart card.
17. OV
18. Not EV yet

CA Hierarchy
1. Issuing CAs beneath "Swedish Government Root Authority v3" are "Swedish Government HW CA v4", "Swedish Government Sign CA v3", "Swedish Government Soft CA v3", "Swedish Government QC CA v3", "Swedish Government Code CA v3" and "Swedish Government EV CA v3". We haven't used "Swedish Government QC CA v3", "Swedish Government Code CA v3" and "Swedish Government EV CA v3" yet and will end "Swedish Government Soft CA v3" in one year.
2. No sub CAs by 3rd parties.
3. No cross signing.
4. We have been in the Microsoft root program since 2012. We have our latest WebTrust audit in CCADB.

Verification
1. See repository at http://www.myndighetsca.se/cps/
2. See CCADB. We have added your audits to Bugzilla. The general link is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1330392
    a. And the three documents are here:
        i. https://bug1330392.bmoattachments.org/attachment.cgi?id=8926629
        ii. https://bugzilla.mozilla.org/attachment.cgi?id=8926630
        iii. https://bugzilla.mozilla.org/attachment.cgi?id=8926631
3. See chapter 4.1.2 in http://www.myndighetsca.se/cps/SSIA_HWCA_v4_CPS_Ver430.pdf
4. See chapter 4.1.2 in http://www.myndighetsca.se/cps/SSIA_Sign_CA_v3_CPS_Ver330.pdf for:
    a. Users from all Agencies can request an S/MIME certificate on a self-service page at the Portal if they have a valid certificate from "Swedish Government User CA" or "Swedish Government Auth CA". The S/MIME certificate is stored on the Applicant's smart card.
5. No
6. All end-users have certificates on smart cards and use them for certificate issuance.
7. Controlled by auditor in WebTrust audit.

Expected results:

Add "Swedish Government Root Authority v3" root certificate to Mozilla root store
Summary: root → Add "Swedish Government Root Authority v3" root certificate to Mozilla root store
Please attach your BR Self Assessment, and provide the rest of the information in the checklist. https://wiki.mozilla.org/CA/BR_Self-Assessment https://wiki.mozilla.org/CA/Information_Checklist
Assignee: kwilson → awu
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-verifying] - Need BR Self Assessment
We have done two documents for our self-assessment (SwedishGovernmentRootAuthority_CAInformation.pdf and SwedishGovernmentRootAuthority_ BRSelfAssessment.xlsx). But I can't see where I should attach these documents?
SwedishGovernmentRootAuthority_ BRSelfAssessment
SwedishGovernmentRootAuthority_CAInformation
Assignee: awu → kwilson
This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of https://wiki.mozilla.org/CA/Application_Process#Process_Overview so assigning this bug to Wayne.
Assignee: kwilson → wthayer
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-cps-review]
Whiteboard: [ca-cps-review] → [ca-cps-review] - KW 2018-03-12
I have reviewed this request and found a number of issues:

* 3 misissued, but expired, certificates from “HW CA v3” intermediate with multiple errors [1]
* The CPS [2], dated December 18, 2017, indicates the CA uses domain validation methods 1 and 5
* The CAA record and problem reporting mechanism fields in CCADB are blank.
* Section 6.1.3 of the CPS and the HWCA CP is titled “Private Key Delivery to Certificate Issuer”. Should be “Public Key Delivery to Certificate Issuer”.
* Section 1.4.1 of the CPS refers to “SSIA_CP_Ver090”. I am unable to locate this document.
* CPS section 1.5.3 contains an invalid reference.
* Appendix 1 section 2 shows the maximum end-entity certificate validity period as “Up to 36 months expressed in UTC”.
* 404 errors for CRLs & OCSP unauthorized errors for certs issued from “HW CA v3” [3]. This subCA is not disclosed in the hierarchy and appears to have been replaced. There are no known unexpired certs signed by this subCA, but it is not revoked.
* Multiple misissued certs from “HW CA v4” intermediate including recent unexpired and unrevoked certs [4]
* The BR audit only covers 6 months beginning on Dec 1, 2016. That implies the CA was not BR audited prior to that date. Please provide evidence of earlier BR audits, if any exist.
* Section 2.2 of the CPS does not disclose this CA’s CAA domains as required by BR section 2.2
* Section 3.2.1 of the HWCA CP states that “Key-pairs may be generated by the SSIA HWCA or be presented by the Applicant.” Section 6.1.2 describes private key delivery via electronic means. The diagram in CPS section 4.2.1 describes CA key generation for TLS certificates. This violates Mozilla’s forbidden practice of Distributing Generated Private Keys in PKCS#12 Files [5].
* CPS section 3.2.2.1.8 describes a domain validation method for “constructed Email to Domain Contact” that does not appear to meet the requirements set forth in the BRs. Same for section 3.2.2.1.12 for “IP Address”.
* Section 3.2.12.1.15 states that “SSIA SHALL confirm ownership of domain name or IP address by using relevant methods.” This is unacceptably vague and thus violates Mozilla policy section 2.2(3).

Please respond in this bug when you feel that these issues have been addressed and you are ready for the public comment period [6] to begin.

[1] https://crt.sh/?CAID=15950&opt=cablint,zlint,x509lint&minNotBefore=2011-01-01
[2] http://www.myndighetsca.se/cps/SwedishGovernmentRootAuthority_CPS_Ver0100.pdf
[3] https://crt.sh/?id=285259002&opt=cablint,ocsp
[4] https://crt.sh/?CAID=15984&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01
[5] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
[6] https://wiki.mozilla.org/CA/Application_Process
Flags: needinfo?(mca)
Whiteboard: [ca-cps-review] - KW 2018-03-12 → [ca-cps-review] - Pending CA Response 2018-04-20
Also, this CA's OCSP responder appears to respond "good" to unknown serial numbers in violation of BR section 4.9.10.
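The BR 4.9.10 check behind this comment, as an added example that is not code from this bug or from the CA: it simulates a responder answering for a serial number the issuer never issued and flags the answer if it claims "good". It assumes the `cryptography` package; the issuer, the serial 0xDEADBEEF and both responses are constructed in the block so it runs offline.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Constructed values: a throwaway issuer and a serial number it never issued.
ISSUER_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Issuer")])
UNISSUED_SERIAL = 0xDEADBEEF

def now_utc():  # naive UTC timestamps keep older cryptography releases happy
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def mint(key, subject, issuer, serial):
    """Minimal certificate, used both for the issuer and for CertID placeholders."""
    now = now_utc()
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .sign(key, hashes.SHA256()))

def respond(issuer_key, issuer_cert, serial, status):
    """Simulate a responder that answers `status` for `serial`, signed by the issuer key."""
    # CertID hashes only the issuer name/key plus the serial, so a placeholder
    # certificate carrying that serial is enough to build the response.
    placeholder = mint(issuer_key, x509.Name([x509.NameAttribute(
        NameOID.COMMON_NAME, "placeholder")]), issuer_cert.subject, serial)
    now = now_utc()
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=placeholder, issuer=issuer_cert, algorithm=hashes.SHA256(),
                             cert_status=status, this_update=now,
                             next_update=now + dt.timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer_cert))
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def claims_good_for_unissued(der_response, unissued_serial):
    """True when the responder says GOOD for a serial the CA never issued (BR 4.9.10)."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False  # an error status (e.g. unauthorized) is not a 'good' claim
    return resp.serial_number == unissued_serial and resp.certificate_status == ocsp.OCSPCertStatus.GOOD

def audit_demo():
    """Run a non-compliant and a compliant responder through the check: (True, False)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = mint(key, ISSUER_NAME, ISSUER_NAME, 1)
    noncompliant = respond(key, issuer, UNISSUED_SERIAL, ocsp.OCSPCertStatus.GOOD)
    compliant = respond(key, issuer, UNISSUED_SERIAL, ocsp.OCSPCertStatus.UNKNOWN)
    return (claims_good_for_unissued(noncompliant, UNISSUED_SERIAL),
            claims_good_for_unissued(compliant, UNISSUED_SERIAL))
```

Against a live responder the same check applies to the DER returned for a request carrying an unissued serial; a compliant responder answers "unknown" (or an error status), never "good".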
Hi, I will answer your questions from top to bottom:

1. "HW CA v3" is not the CA we use for issuing certs. We use "HW CA v4".
2. In our new CP/CPS domain validation methods 1 and 5 are removed from 1/8 2018.
3. We have updated CAA records at CCADB.
4. It has been changed in our new CP/CPS. See CP (http://www.myndighetsca.se/cps/SwedishGovernmentRootAuthority_CP_Ver0120.pdf) and CPS (http://www.myndighetsca.se/cps/SwedishGovernmentRootAuthority_CPS_Ver0130.pdf) at http://www.myndighetsca.se/cps/.
5. It has been changed in our new CPS.
6. It has been changed in our new CPS.
7. It has been changed in our new CPS.
8. Yes, it has been replaced. We use "HW CA v4" for issuing certs.
9. Multiple misissued certs from “HW CA v4”: See "Mozilla-Errors-MCA-Cert.pdf". We asked Microsoft to help us with the remaining.
10. The BR audit has been updated into two separate documents. I will post the BR for the missing period, i.e. 6 months before Dec 1, 2016. See “Audit report WebTrust Principles for CA_SSL_May16toNov16_signed_searchable.pdf”.
11. CAA: It has been changed in our new CPS.
12. PKCS#12: It has been changed in our new CPS.
13. Domain contact: It has been changed in our new CPS.
14. Domain name: It has been changed in our new CPS.
15. OCSP - Good: We have corrected that now.

Regards
Magnus
Flags: needinfo?(mca)
Thank you for the response and additional information. The most serious issues that have been identified are:

* 404 errors for CRLs & OCSP unauthorized errors for certs issued from “HW CA v3” [1]. This subCA is not disclosed in the hierarchy and has been replaced according to the CA. There are no known unexpired certs signed by this subCA, but it is not revoked.
* Multiple misissued certs from “HW CA v4” intermediate including recent unexpired and unrevoked certs [2]. MCA provided a detailed response at [3] claiming that many of these errors are "not applicable". The misissued certificates have not been remediated.
* The BR audit covering the periods from 16-February 2016 to 29-May 2016 and 30-May 2016 to 30-November 2016 [5] contains 9 qualifications.
* Section 2.2 of the CPS did not disclose this CA’s CAA domains as required by BR section 2.2. The CA has corrected this in the latest version.
* Section 3.2.1 of the HWCA CP [6] states that “Key-pairs may be generated by the SSIA HWCA or be presented by the Applicant.” Section 6.1.2 describes private key delivery via electronic means. The diagram in CPS section 4.2.1 describes CA key generation for TLS certificates. This violated Mozilla’s forbidden practice of Distributing Generated Private Keys in PKCS#12 Files [7]. The CA states that this has been corrected in the latest version of the CPS, but I am not aware of a newer version of the HWCA CP than the one I am reviewing.
* Section 3.2.2.4.4 of the latest version of the CPS [8] describes a domain validation method for “constructed Email to Domain Contact” that does not appear to meet the requirements set forth in the BRs (3.2.2.4.4). This appears to be a variation of the soon-to-be-banned BR method 3.2.2.4.5.
* The OCSP responder was responding "good" to unknown serial numbers in violation of BR section 4.9.10. This issue has been corrected.

Given the number and severity of these issues, and the CA's initial response, I will not recommend approval of this request by moving it to the Public Discussion phase of our process. It would result in denial if I did advance it to Public Discussion. For reference, other recent requests that have been denied for similar reasons are bug #986854, 1233645, and 870185.

I am denying this root inclusion request. MCA may submit a new inclusion request for a new root that is free of the problems identified in this request.

[1] https://crt.sh/?id=285259002&opt=cablint,ocsp
[2] https://crt.sh/?CAID=15984&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01
[3] https://bugzilla.mozilla.org/attachment.cgi?id=8985908
[5] https://bug1417041.bmoattachments.org/attachment.cgi?id=8985907
[6] http://www.myndighetsca.se/cps/SSIA_HWCA_v4_CPS_Ver430.pdf
[7] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
[8] http://www.myndighetsca.se/cps/SwedishGovernmentRootAuthority_CPS_Ver0130.pdf
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Whiteboard: [ca-cps-review] - Pending CA Response 2018-04-20 → [ca-denied] Comment #13 - submit new root
Product: NSS → CA Program