Closed Bug 1464362 Opened 6 years ago Closed 6 years ago

Add SHA256 Santander Digital Signature Firmaprofesional SubCAs to OneCRL

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: chemalogo, Assigned: kathleen.a.wilson)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180517113820

Steps to reproduce:

See Incident Report: Firmaprofesional: Undisclosed Intermediate certificate SDS, https://bugzilla.mozilla.org/show_bug.cgi?id=1464359
Please add the following intermediate certificate to OneCRL. This request is related to "https://bugzilla.mozilla.org/show_bug.cgi?id=1464359" and "https://bugzilla.mozilla.org/show_bug.cgi?id=1455119".

1) Santander Digital Signature (https://crt.sh/?id=408789249)
sha2 version (https://ccadb.force.com/0011J00001FDXmn)
Issuer commonName: Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate Serial Number: 0x4e1706cbace0c293
Subject commonName: Santander Digital Signature
SHA-256 Fingerprint: D039EEFF71088CC0F16A05A8FF3C61610E141D1E850AC7E11F7713EEE88CB951
Requests asking for a certificate to be included in the default certificate store belong to NSS: CA Certificate Root Program.

Please correct if this is not the right component.
Assignee: nobody → kwilson
Component: Untriaged → CA Certificate Root Program
Product: Firefox → NSS
Version: 60 Branch → other
Blocks: 1464359
I believe this bug should be closed as WONTFIX.

Adding this cert to OneCRL would not help. OneCRL is only used by Firefox for TLS/SSL and this cert does not have id-kp-serverAuth or anyExtendedKeyUsage in its EKU, so it will not be trusted for TLS/SSL. 

Key Usage: Certificate Sign, CRL Sign
Extended Key Usage: ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection,ExtKeyUsageOCSPSigning,1.3.6.1.4.1.311.20.2.2

I think that the problem you are running into is that section 5.3.1 of version 2.5 and later of Mozilla's Root Store Policy says that to be considered technically constrained, this cert would also need to have Name Constraints:
"If the certificate includes the id-kp-emailProtection extended key usage, it MUST include the Name Constraints X.509v3 extension with constraints on rfc822Name, with at least one name in permittedSubtrees, each such name having its ownership validated according to section 3.2.2.4 of the Baseline Requirements."

So, this cert is no longer considered technically constrained, so it has to be added to the CCADB and audited. If it is included in the audit of its parent cert, then the "Audits Same as Parent" checkbox may be selected, and disclosure is considered to be complete. But please ensure that the parent cert's audit statement includes this cert's SHA256 fingerprint in its scope.
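The two checks made in the comment above, written out as an added example (not code from the bug, from Mozilla or from Firmaprofesional): whether an intermediate would be accepted for TLS at all (no EKU extension, or id-kp-serverAuth or anyExtendedKeyUsage present), and whether an id-kp-emailProtection intermediate carries the rfc822Name name constraints that section 5.3.1 requires. The rule that a technically constrained intermediate must have an EKU extension without anyExtendedKeyUsage comes from the same policy section and is not quoted in the comment; the sample input is constructed from the EKU values listed above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Well-known extended key usage OIDs.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ANY_EKU = "2.5.29.37.0"
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # the 1.3.6.1.4.1.311.20.2.2 value above

@dataclass
class IntermediateCA:
    """Only the extension values the two checks depend on (hypothetical type)."""
    eku: Optional[list]  # None = no EKU extension at all (i.e. unconstrained)
    permitted_rfc822: list = field(default_factory=list)  # Name Constraints permittedSubtrees

def trusted_for_tls(ca: IntermediateCA) -> bool:
    """An intermediate is usable for TLS server auth when it has no EKU extension,
    or its EKU lists id-kp-serverAuth or anyExtendedKeyUsage (OneCRL's scope)."""
    if ca.eku is None:
        return True
    return SERVER_AUTH in ca.eku or ANY_EKU in ca.eku

def technically_constrained_for_email(ca: IntermediateCA):
    """Section 5.3.1 as applied to an e-mail intermediate. Returns (ok, reasons)."""
    reasons = []
    if ca.eku is None or ANY_EKU in ca.eku:
        reasons.append("no EKU extension or anyExtendedKeyUsage present")
    if ca.eku and EMAIL_PROTECTION in ca.eku and not ca.permitted_rfc822:
        reasons.append("id-kp-emailProtection without rfc822Name permittedSubtrees")
    return (not reasons, reasons)

def assess(ca: IntermediateCA) -> dict:
    """Combines both checks the way the comment does: not TLS-trusted means OneCRL
    is irrelevant; not technically constrained means CCADB disclosure and audit."""
    constrained, reasons = technically_constrained_for_email(ca)
    return {
        "tls_trusted": trusted_for_tls(ca),
        "technically_constrained": constrained,
        "must_disclose_in_ccadb": not constrained,
        "reasons": reasons,
    }

# Constructed from the Extended Key Usage line above; no Name Constraints were listed.
SANTANDER_DIGITAL_SIGNATURE = IntermediateCA(
    eku=[CLIENT_AUTH, EMAIL_PROTECTION, OCSP_SIGNING, MS_SMARTCARD_LOGON],
    permitted_rfc822=[],
)
```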
(In reply to Kathleen Wilson from comment #3)
> I believe this bug should be closed as WONTFIX.
> 
> Adding this cert to OneCRL would not help. OneCRL is only used by Firefox
> for TLS/SSL and this cert does not have id-kp-serverAuth or
> anyExtendedKeyUsage in its EKU, so it will not be trusted for TLS/SSL. 
> 
> Key Usage: Certificate Sign, CRL Sign
> Extended Key Usage:
> ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection,ExtKeyUsageOCSPSigning,1.3.
> 6.1.4.1.311.20.2.2
> 
> I think that the problem you are running into is that section 5.3.1 of
> version 2.5 and later of Mozilla's Root Store Policy says that to be
> considered technically constrained, this cert would also need to have Name
> Constraints:
> "If the certificate includes the id-kp-emailProtection extended key usage,
> it MUST include the Name Constraints X.509v3 extension with constraints on
> rfc822Name, with at least one name in permittedSubtrees, each such name
> having its ownership validated according to section 3.2.2.4 of the Baseline
> Requirements."
> 
> So, this cert is no longer considered technically constrained, so it has to
> be added to the CCADB and audited. If it is included in the audit of its
> parent cert, then the "Audits Same as Parent" checkbox may be selected, and
> disclosure is considered to be complete. But please ensure that the parent
> cert's audit statement includes this cert's SHA256 fingerprint in its scope.

Understood. This CA is withdrawing its activity. The Spanish Supervisory Body was informed months ago. The CA certificate will be revoked in the following weeks and for sure within June.
(In reply to chemalogo from comment #4)
> The CA certificate will be revoked in the
> following weeks and for sure within June.

When that happens (and when the corresponding CRL has been updated), please update the "Revocation Status" field in the corresponding record in the CCADB. Then our standard process will pick it up. You do not need to update this bug, and do not need to file a separate bug.

Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Product: NSS → CA Program