Closed
Bug 1447497
Opened 7 years ago
Closed 7 years ago
DocuSign/Keynectis: Outdated audit statements for Class 2 Primary CA
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: kathleen.a.wilson, Assigned: wthayer)
Details
(Whiteboard: [ca-compliance])
We do not have current audit statements for the following root certificate.
Issuer commonName: Class 2 Primary CA
SHA-256: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB
SHA-1: 74207441729CDD92EC7931D823108DC28192E2BB
Validity
Not Before: Jul 7 17:05:00 1999 GMT
Not After : Jul 6 23:59:59 2019 GMT
https://crt.sh/?id=3971
If this root certificate is no longer being audited, then we need to remove it from NSS.
Comment 1 (Reporter)•7 years ago
I would like a representative of the owning CA, DocuSign/Keynectis, to add a comment to this bug to provide information about this root certificate, its audit statements, and when most of the SSL certs chaining up to this root expire.
Flags: needinfo?(erwann.abalea)
Whiteboard: [ca-compliance]
Comment 2•7 years ago
I confirm that the CA labelled "Certplus Class 2 Primary CA" in the audit statement is in fact the "Class 2 Primary CA" included in Mozilla Root CA Program for DocuSign.
Flags: needinfo?(erwann.abalea)
Comment 3 (Reporter)•7 years ago
Here's the audit statement that was applied to DocuSign's other root cert records in the CCADB:
https://bug1297034.bmoattachments.org/attachment.cgi?id=8916590
The Audit Case in the CCADB did not specify that the audit applied to this "Class 2 Primary CA".
The audit statement has a table indicating the root certs and subCA certs that were part of the audit, and the audit criteria.
The first row has "CERTPLUS CLASS 2 PRIMARY CA" with validity 7 JUL 1999 - 07 JUL 2019, so it does appear that this row is meant to refer to the "Class 2 Primary CA".
And checking the table for the non-revoked, non-technically-constrained subCAs of the "Class 2 Primary CA" root, I do see that they were audited according to the expected criteria.
Therefore, I will close this bug as resolved, and update the audit statement information for this root cert in the CCADB. I will also exchange email with the auditor. (Aaron had previously exchanged email with the auditor to confirm the authenticity of the audit statement.)
*Important note to the CA*: Please make sure your auditor is aware of Mozilla's audit statement requirements, because we are now rejecting audit statements that do not have all of the required information, such as the SHA-256 fingerprints of the root and intermediate certs that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#public-audit-information
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated•3 years ago
Product: NSS → CA Program