Closed Bug 1468000 Opened 7 years ago Closed 5 months ago

Camerfirma: Invalid country field for Camerfirma root CA certificates

Categories

(CA Program :: CA Certificate Compliance, task)

3.37
task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: guido2022, Assigned: bwilson)

Details

(Whiteboard: [ca-compliance] )

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1 (KHTML, like Gecko) Version/11.0 Safari/605.1 Epiphany/3.26.2

Steps to reproduce:

Install root CA certificates included in Mozilla NSS version 3.37.3 (some earlier versions might be affected too).

Actual results:

The following four (4) root CA certificates have been installed:

Issuer: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Alias: Chambers of Commerce Root - 2008

Issuer: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Alias: Global Chambersign Root - 2008

Issuer: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
Alias: Camerfirma Global Chambersign Root

Issuer: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
Alias: Camerfirma Chambers of Commerce Root

ALL THE ABOVE MENTIONED ROOT CA CERTIFICATES HAVE AN INVALID COUNTRY FIELD (C=EU): EU IS NOT A COUNTRY!

Expected results:

ALL THE FOUR (4) ABOVE MENTIONED ROOT CA CERTIFICATES HAVE AN INVALID COUNTRY FIELD (C=EU): EU IS NOT A COUNTRY! THE COUNTRY FIELD SHOULD BE SPAIN (C=ES).
Whiteboard: [ca-compliance]
Only country codes listed in ISO 3166 are valid for the "C" field: https://www.iso.org/obp/ui/#iso:pub:PUB500001:en
These roots have been included in the Mozilla program for more than 7 years, predating any documented requirements on the content of these fields.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
I realize it's a moot point in this particular case, but I think this bug report may be wrong. https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Exceptional_reservations claims that the 2-char code "EU" was "Extended for any application needing to represent the name European Union in August 1999". I think that makes "EU" a valid "country code", even though the European Union is not a country. BR 7.1.4.2.h requires that "...the subject:countryName MUST contain the two-letter ISO 3166-1 country code associated with the location of the Subject". "Country" (capital C) is a defined term in the BRs, but it is not referenced in 7.1.4.2.h.
Product: NSS → CA Program

The organization is a private Spanish company and not a European Union (europa.eu) organization, therefore I believe the country code is wrong, as it should be C=ES.

Several security issues have already been raised regarding such Certification Authority, please see:

https://wiki.mozilla.org/CA/Camerfirma_Issues

https://bugzilla.mozilla.org/show_bug.cgi?id=1672409

https://www.sectigo.com/resource-library/root-causes-145-google-chrome-to-distrust-ca-camerfirma

I think this issue is not invalid and it is actually verified above.

Status: RESOLVED → VERIFIED

It is a valid bug.

I would like to request that the issue is verified again.

Flags: needinfo?(wthayer)
Flags: needinfo?(wthayer) → needinfo?(bwilson)
Assignee: wthayer → bwilson
Flags: needinfo?(bwilson)
Summary: Invalid country field for Camerfirma root CA certificates → Camerfirma: Invalid country field for Camerfirma root CA certificates
Status: VERIFIED → RESOLVED
Closed: 7 years ago → 5 months ago