Closed
Bug 1468000
Opened 6 years ago
Closed 6 years ago
Invalid country field for Camerfirma root CA certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: guido2022, Assigned: bwilson)
Details
(Whiteboard: [ca-compliance] )
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1 (KHTML, like Gecko) Version/11.0 Safari/605.1 Epiphany/3.26.2

Steps to reproduce:
Install root CA certificates included in Mozilla NSS version 3.37.3 (some earlier versions might be affected too).

Actual results:
The following four (4) root CA certificates have been installed:

Issuer: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Alias: Chambers of Commerce Root - 2008

Issuer: C=EU, L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Alias: Global Chambersign Root - 2008

Issuer: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
Alias: Camerfirma Global Chambersign Root

Issuer: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
Alias: Camerfirma Chambers of Commerce Root

All the above mentioned root CA certificates have an invalid country field (C=EU): EU is not a country!

Expected results:
All the four (4) above mentioned root CA certificates have an invalid country field (C=EU): EU is not a country! The country field should be Spain (C=ES).
Updated•6 years ago
Whiteboard: [ca-compliance]
Comment 1•6 years ago (Reporter)
Only country codes listed in ISO 3166 are valid for the "C" field: https://www.iso.org/obp/ui/#iso:pub:PUB500001:en
Comment 2•6 years ago
These roots have been included in the Mozilla program for more than 7 years, predating any documented requirements on the content of these fields.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Comment 3•6 years ago
I realize it's a moot point in this particular case, but I think this bug report may be wrong. https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Exceptional_reservations claims that the 2-char code "EU" was "Extended for any application needing to represent the name European Union in August 1999". I think that makes "EU" a valid "country code", even though the European Union is not a country. BR 7.1.4.2.h requires that "...the subject:countryName MUST contain the two-letter ISO 3166-1 country code associated with the location of the Subject". "Country" (capital C) is a defined term in the BRs, but it is not referenced in 7.1.4.2.h.
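A lint for the subject:countryName check that Comment 1 and Comment 3 discuss, added here as an example and not code from this bug, from Mozilla or from Camerfirma. It parses the one-line DN format the report quotes and sorts the C= value into the ISO 3166-1 alpha-2 buckets that matter for the argument: officially assigned, exceptionally reserved (where EU sits), user-assigned (of which the Baseline Requirements permit only XX) and malformed. Two things are assumptions of the example rather than facts from the page: the code tables are hand-transcribed snapshots of the ISO lists, and the pass/review/fail policy is the example's own reading of BR 7.1.4.2(h).

```python
"""Lint the subject countryName of a one-line DN against ISO 3166-1 alpha-2."""
import re
from typing import Dict, List, Optional, Tuple

# Snapshot of the ISO 3166-1 alpha-2 "officially assigned" codes.
# Assumption: transcribed by hand for this example; regenerate it from the
# ISO Online Browsing Platform before relying on it.
ISO_3166_1_ASSIGNED = frozenset("""
AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ BL
BM BN BO BQ BR BS BT BV BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CO CR CU CV
CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GB GD
GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL IM
IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK
LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW
MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR
PS PT PW PY QA RE RO RS RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR SS
ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM US UY
UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW
""".split())

# Codes ISO marks "exceptionally reserved": inside the ISO 3166-1 code space
# but not identifying a country (EU = European Union, UK = United Kingdom,
# UN = United Nations, ...). Same hand-transcribed snapshot caveat.
ISO_3166_1_EXCEPTIONALLY_RESERVED = frozenset(
    "AC CP CQ DG EA EU EZ FX IC SU TA UK UN".split())


def is_user_assigned(code: str) -> bool:
    """The user-assigned range AA, QM-QZ, XA-XZ, ZZ never names a country."""
    return (code in ("AA", "ZZ")
            or (code[0] == "Q" and "M" <= code[1] <= "Z")
            or code[0] == "X")


# One-line DNs as printed in the report mix two separators: ", " between most
# attributes and "/" before serialNumber. Split only where a separator is
# immediately followed by "<attrType>=", so commas, dots and slashes inside
# values (the L= address text, the OU= URL) are left alone.
_ATTR_SPLIT = re.compile(r"(?:,\s*|/)(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_one_line_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (attributeType, value) pairs in the order they appear."""
    pairs = []
    for part in _ATTR_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError(f"not an attribute: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def classify_country(code: str) -> str:
    """Place a countryName value in its ISO 3166-1 alpha-2 bucket."""
    if not re.fullmatch(r"[A-Z]{2}", code):
        return "malformed"            # 'es', 'USA', 'Spain', '' ...
    if code in ISO_3166_1_ASSIGNED:
        return "assigned"
    if code in ISO_3166_1_EXCEPTIONALLY_RESERVED:
        return "exceptionally-reserved"
    if is_user_assigned(code):
        return "user-assigned"
    return "unassigned"               # two capitals, but not in ISO 3166-1


# Verdict policy: this example's own reading of BR 7.1.4.2(h), not BR text.
# Only an assigned code (or the BR-sanctioned XX) passes outright; a reserved
# code such as EU is flagged for review because it is a valid ISO 3166-1 code
# that still does not name a country.
_VERDICT = {
    "assigned": "pass",
    "exceptionally-reserved": "review",
    "user-assigned": "fail",          # XX is special-cased below
    "unassigned": "fail",
    "malformed": "fail",
}


def lint_subject_country(dn: str) -> Dict[str, Optional[str]]:
    """Lint the C= attribute of a one-line DN; returns code, class, verdict."""
    attrs = dict(parse_one_line_dn(dn))
    code = attrs.get("C")
    if code is None:
        return {"C": None, "class": "missing", "verdict": "fail"}
    cls = classify_country(code)
    verdict = "pass" if code == "XX" else _VERDICT[cls]
    return {"C": code, "class": cls, "verdict": verdict}


# The four issuer DNs quoted in the report, plus two constructed for contrast.
CAMERFIRMA_DNS = [
    "C=EU, L=Madrid (see current address at www.camerfirma.com/address)"
    "/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008",
    "C=EU, L=Madrid (see current address at www.camerfirma.com/address)"
    "/serialNumber=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008",
    "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root",
    "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root",
]
CONSTRUCTED_DNS = [                   # hypothetical subjects, not real CAs
    "C=ES, O=Example CA S.A., CN=Example Root",
    "C=USA, O=Example Corp, CN=Example Root",
]

if __name__ == "__main__":
    for dn in CAMERFIRMA_DNS + CONSTRUCTED_DNS:
        r = lint_subject_country(dn)
        print(f"{r['verdict']:6} C={str(r['C']):4} ({r['class']})  {dn[:60]}")
```

Run against the four DNs from the report every one comes back "review" rather than "fail", which is the distinction Comment 3 draws: EU is a code ISO itself reserves, so the question is whether a reserved code satisfies "the two-letter ISO 3166-1 country code associated with the location of the Subject", not whether EU is syntactically valid.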
Updated•2 years ago
Product: NSS → CA Program
Comment 4•7 months ago (Reporter)
The organization is a private Spanish company and not a European Union (europa.eu) organization, therefore I believe the country code is wrong, as it should be C=ES.
Several security issues have already been raised regarding this Certification Authority, please see:
https://wiki.mozilla.org/CA/Camerfirma_Issues
https://bugzilla.mozilla.org/show_bug.cgi?id=1672409
https://www.sectigo.com/resource-library/root-causes-145-google-chrome-to-distrust-ca-camerfirma
Comment 5•7 months ago (Reporter)
I think this issue is not invalid and it is actually verified above.
Status: RESOLVED → VERIFIED
Comment 6•7 months ago (Reporter)
It is a valid bug.
Comment 7•7 months ago (Reporter)
I would like to request that the issue is verified again.
Flags: needinfo?(wthayer)
Updated•7 months ago (Assignee)
Flags: needinfo?(wthayer) → needinfo?(bwilson)
Updated•7 months ago (Assignee)
Assignee: wthayer → bwilson
Flags: needinfo?(bwilson)