Bug 1465629: Turn off Websites trust bit for Certplus Class 2 Primary CA
Status: Closed (opened 6 years ago, closed 5 years ago)
Categories: CA Program :: CA Certificate Root Program (task)
Resolution: RESOLVED DUPLICATE of bug 1574670
Reporter: kathleen.a.wilson; Assignee: kathleen.a.wilson
Attachments: 1 file (488.04 KB, application/pdf)
Description
I received email from a representative of the CA requesting that the Websites trust bit be turned off for the following root certificate.
My first email below is about the SSL certificates we issue under following root CA: C=FR,O=Certplus,CN=Class 2 Primary CA (SHA1 - 74207441729CDD92EC7931D823108DC28192E2BB). So this request concerns only one root CA. Please find in-line my answers to your questions.
CN=Class 2 Primary CA, O=Certplus
SHA-256 Fingerprint: 0F:99:3C:8A:EF:97:BA:AF:56:87:14:0E:D5:9A:D1:82:1B:B4:AF:AC:F0:AA:9A:58:B5:D5:7A:33:8A:3A:FB:CB
From the CA: For our customers, we've also posted an FAQ in French on that topic available at: https://support.docusign.com/fr/articles/FAQ-Arret-de-l-activite-SSL-de-DocuSign-France
Comment 1•6 years ago
Responses from the CA via email regarding this particular root cert:
> Please clarify the following:
>
> 1) Is there urgency (e.g. security concern) regarding removal of the
> Websites trust bit for any of these roots?
There is no security concern or any other urgency. We just wanted to let you know, as you are a partner, about the SSL business.
>
> 2) Will you be getting BR and EV audit statements for these roots and their
> hierarchies this year?
As we’re running now on the eIDAS regime, where audits are done every 2 years, we haven’t planned to pass the audit this year. Our current audit report is still valid until 23rd of July 2019.
>
> 3) When do the last SSL certs chaining up to these roots expire?
July 6th, 2019.
>
> 4) How significant will the impact be for your customers if we remove the
> Websites trust bit before such certs expire?
Our customers have been rushing to produce certificates valid up to the CA expiration date (July 2019). The impact of a premature serverAuth trust removal is unknown.
>
> 5) What date would you prefer to have EV treatment disabled for these roots?
One day after CA expiration date: July 7th, 2019
>
> 6) What date would you prefer to have SSL certs chaining up to these roots
> stop being trusted in NSS and Firefox?
One day after CA expiration date: July 7th, 2019
Comment 2•6 years ago
Remi:
My primary concern regarding continued trust in this root certificate is that Mozilla requires annual audits, and new audits are due now. For these roots to remain in the Mozilla program until 2019, one more annual audit will be required. Would you prefer to have this root removed now, or to obtain the necessary audits? We are still seeing about 40,000 Firefox sessions/day with certificates that chain to the Certplus Class 2 Primary CA, so removal now would have a significant impact on your customers.
A secondary concern is that there are a number of open issues related to this CA that need to be addressed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1398247
https://bugzilla.mozilla.org/show_bug.cgi?id=1444455
https://bugzilla.mozilla.org/show_bug.cgi?id=1458038
These issues will need to be fixed for this root to remain in the Mozilla program until July 2019.
Also, removing this root will affect both SSL (websites) and email (S/MIME). Are there active email certificates (emailProtection EKU) that rely on this root? How many?
Flags: needinfo?(remi.pifaut)
Comment 3•6 years ago
Remi or Erwann: Please clarify your intentions for maintaining audits of the Certplus Class 2 Primary CA. The annual audit statements are due to Mozilla now. If I receive no response to this question by 27-July, I will assume that this root will not be audited in 2018 (comment #1) in violation of Mozilla's policy, and I will begin the process of removing the root.
In bug 1444455, Erwann states that Orange is obtaining an audit for a subordinate CA signed by this root. That only makes sense if this root is also undergoing an annual audit this year.
Also, please be aware that Mozilla requires annual audits for roots with only the email trust bit enabled, so again, either the Certplus Class 2 Primary CA needs a period-of-time audit covering the period from 8-April 2016 to 8-April 2017, or it will be removed from the program.
Flags: needinfo?(erwann.abalea)
Comment 4•6 years ago
(In reply to Wayne Thayer [:wayne] from comment #3)
> Remi or Erwann: Please clarify your intentions for maintaining audits of the
> Certplus Class 2 Primary CA. The annual audit statements are due to Mozilla
> now. If I receive no response to this question by 27-July, I will assume
> that this root will not be audited in 2018 (comment #1) in violation of
> Mozilla's policy, and I will begin the process of removing the root.
We will undergo an audit for the Root CA and our subordinate CAs that were used to issue TLS certificates, but this audit will be later than expected, in October 2018.
We already stopped the issuance of certificates by our 3 subordinate CAs, but we of course maintain the revocation and validation status services.
Flags: needinfo?(erwann.abalea)
Comment 5•6 years ago
The audit date has been advanced to 17-19 September 2018.
Comment 6•6 years ago
(In reply to Erwann Abalea from comment #5)
> The audit date has been advanced to 17-19 September 2018.
Any update on the audit?
Comment 7•6 years ago
(In reply to Kathleen Wilson from comment #6)
> (In reply to Erwann Abalea from comment #5)
> > The audit date has been advanced to 17-19 September 2018.
>
> Any update on the audit?
The audit was performed; we've asked the auditor to provide us with the attestation letter this month. Our issuing CAs have been declared as "Starting EOL", meaning that we do not issue SSL certificates anymore from them and only provide revocation services and revocation information services.
Comment 8•6 years ago
(In reply to Erwann Abalea from comment #7)
> (In reply to Kathleen Wilson from comment #6)
> > (In reply to Erwann Abalea from comment #5)
> > > The audit date has been advanced to 17-19 September 2018.
> >
> > Any update on the audit?
>
> The audit was performed, we've asked the auditor to provide us the
> attestation letter this month. Our issuing CAs have been declared as
> "Starting EOL", meaning that we do not issue SSL certificates anymore from
> them and only provide revocation services and revocation information
> services.
Another month has passed. What is the status of the audit letter?
Updated•6 years ago
Flags: needinfo?(erwann.abalea)
QA Contact: kwilson
Comment 9•6 years ago
We received the Attestation Letter; here it is.
Flags: needinfo?(erwann.abalea)
Comment 10•6 years ago
Thank you Erwann. I believe you need to create an audit case in CCADB to get this attestation report processed.
Updated•5 years ago
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Updated•2 years ago
Product: NSS → CA Program