Closed Bug 1655074 Opened 5 years ago Closed 5 years ago

Add several ICAs of Firmaprofesional to OneCRL

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: chemalogo, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-onecrl])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36

Steps to reproduce:

NA

Actual results:

NA

Expected results:

NA

To align with the plans of Firmaprofesional to manage tickets https://bugzilla.mozilla.org/show_bug.cgi?id=1649943 and https://bugzilla.mozilla.org/show_bug.cgi?id=1651637, please add the following intermediate certificates to OneCRL. The following intermediate certs are not intended to issue TLS:

1) AC Firmaprofesional - CFEA: https://ccadb.force.com/0011J00001hZRdHQAW
Subject: CN=AC Firmaprofesional - CFEA; OU=Certificados de Firma Electronica Avanzada; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 4C4A75F91EA19866
SHA-1 Fingerprint: 3CC6E9296172146C9A6CD6CE650E48E95E49A281
SHA-256 Fingerprint: 70E08EFCB3B574F562AB772B2BDCFF4E42D7C0A5FD457F1F9BB33346B522F294

2) AC Firmaprofesional - CFEA: https://ccadb.force.com/0011J00001GVmefQAD
Subject: CN=AC Firmaprofesional - CFEA; OU=Certificados de Firma Electronica Avanzada; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 6/18/2018
Valid To (GMT): 12/31/2030
Certificate Serial Number: 47B0EBAAB3891680
SHA-1 Fingerprint: A2F787686F625F660679AAF1C8613CA3841B9087
SHA-256 Fingerprint: E3C5244D15F8E0B034F500903B7DA11C57C1656175B86608C7FCDC561D081BF6

3) AC Firmaprofesional - OTC: https://ccadb.force.com/0011J00001hZRfTQAW
Subject: CN=AC Firmaprofesional - OTC; OU=Certificados de un solo uso; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 3CF52200152411D3
SHA-1 Fingerprint: 62888877F290566B657D6E94E76BE12E0AC66731
SHA-256 Fingerprint: 3774EC2D45F77668ED038F5256D339811D0915B8501D403FE2CF50ED753451E5

4) AC Firmaprofesional - OTC: https://ccadb.force.com/0011J00001GVmfJQAT
Subject: CN=AC Firmaprofesional - OTC; OU=Certificados de un solo uso; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 6/18/2018
Valid To (GMT): 12/31/2030
Certificate Serial Number: 6E1663FFF60AF34D
SHA-1 Fingerprint: 72DD9D6D7AE3246C6B9F805FB2F6216E283C4CE2
SHA-256 Fingerprint: 22B6EBDEE9B0A6DA5C9FACED27BF9DCE09803C2AFC11F76B5C0BCF47B7F7D560

5) SIGNE Autoridad de Certificacion: https://ccadb.force.com/0011J00001hZRgkQAG
Subject: CN=SIGNE Autoridad de Certificacion; O=SIGNE S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 324E45C5454D9FF9
SHA-1 Fingerprint: F3B9903D00E5172CA359C020EC0C2A1F7307DBEB
SHA-256 Fingerprint: C42CE022D0A3457B6BD6978711CE7BC74385C4B34E11EBC8BAEE8B1D1B832799

6) SIGNE Autoridad de Certificacion: https://ccadb.force.com/0011J00001FDV5zQAH
Subject: CN=SIGNE Autoridad de Certificacion; O=SIGNE S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/29/2015
Valid To (GMT): 12/31/2030
Certificate Serial Number: 21F0F18D95A95B75
SHA-1 Fingerprint: E6B52B5D52E5CDE9862AC1DE668EC953AD3659BD
SHA-256 Fingerprint: 1CB470728CF56F302003BB0E4EB062414FA11D4F97E3F061170C96C88071D711

Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-onecrl]

I'm planning to close this bug as WONTFIX, because all of these intermediate certificates are technically constrained via EKU to NOT issue TLS certs. OneCRL is only used by Firefox for TLS, so adding intermediate certs that are not trusted for TLS has zero effect (other than unnecessarily adding data to OneCRL). Therefore, please explain why you think these certificates should be added to OneCRL and what impact you believe that would have.

1) AC Firmaprofesional - CFEA: https://ccadb.force.com/0011J00001hZRdHQAW
Subject: CN=AC Firmaprofesional - CFEA; OU=Certificados de Firma Electronica Avanzada; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 4C4A75F91EA19866
SHA-1 Fingerprint: 3CC6E9296172146C9A6CD6CE650E48E95E49A281
SHA-256 Fingerprint: 70E08EFCB3B574F562AB772B2BDCFF4E42D7C0A5FD457F1F9BB33346B522F294

Extended Key Usage: ExtKeyUsageClientAuth

2) AC Firmaprofesional - CFEA: https://ccadb.force.com/0011J00001GVmefQAD
Subject: CN=AC Firmaprofesional - CFEA; OU=Certificados de Firma Electronica Avanzada; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 6/18/2018
Valid To (GMT): 12/31/2030
Certificate Serial Number: 47B0EBAAB3891680
SHA-1 Fingerprint: A2F787686F625F660679AAF1C8613CA3841B9087
SHA-256 Fingerprint: E3C5244D15F8E0B034F500903B7DA11C57C1656175B86608C7FCDC561D081BF6

Extended Key Usage: ExtKeyUsageClientAuth,ExtKeyUsageOCSPSigning

3) AC Firmaprofesional - OTC: https://ccadb.force.com/0011J00001hZRfTQAW
Subject: CN=AC Firmaprofesional - OTC; OU=Certificados de un solo uso; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 3CF52200152411D3
SHA-1 Fingerprint: 62888877F290566B657D6E94E76BE12E0AC66731
SHA-256 Fingerprint: 3774EC2D45F77668ED038F5256D339811D0915B8501D403FE2CF50ED753451E5

Extended Key Usage: ExtKeyUsageClientAuth

4) AC Firmaprofesional - OTC: https://ccadb.force.com/0011J00001GVmfJQAT
Subject: CN=AC Firmaprofesional - OTC; OU=Certificados de un solo uso; O=Firmaprofesional S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 6/18/2018
Valid To (GMT): 12/31/2030
Certificate Serial Number: 6E1663FFF60AF34D
SHA-1 Fingerprint: 72DD9D6D7AE3246C6B9F805FB2F6216E283C4CE2
SHA-256 Fingerprint: 22B6EBDEE9B0A6DA5C9FACED27BF9DCE09803C2AFC11F76B5C0BCF47B7F7D560

Extended Key Usage: ExtKeyUsageClientAuth,ExtKeyUsageOCSPSigning

5) SIGNE Autoridad de Certificacion: https://ccadb.force.com/0011J00001hZRgkQAG
Subject: CN=SIGNE Autoridad de Certificacion; O=SIGNE S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/9/2020
Valid To (GMT): 12/31/2030
Certificate Serial Number: 324E45C5454D9FF9
SHA-1 Fingerprint: F3B9903D00E5172CA359C020EC0C2A1F7307DBEB
SHA-256 Fingerprint: C42CE022D0A3457B6BD6978711CE7BC74385C4B34E11EBC8BAEE8B1D1B832799

Extended Key Usage: ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection

6) SIGNE Autoridad de Certificacion: https://ccadb.force.com/0011J00001FDV5zQAH
Subject: CN=SIGNE Autoridad de Certificacion; O=SIGNE S.A.; C=ES
Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068; C=ES
Valid From (GMT): 7/29/2015
Valid To (GMT): 12/31/2030
Certificate Serial Number: 21F0F18D95A95B75
SHA-1 Fingerprint: E6B52B5D52E5CDE9862AC1DE668EC953AD3659BD
SHA-256 Fingerprint: 1CB470728CF56F302003BB0E4EB062414FA11D4F97E3F061170C96C88071D711

Extended Key Usage: ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection,ExtKeyUsageOCSPSigning

(In reply to Kathleen Wilson from comment #2)

> I'm planning to close this bug as WONTFIX, because all of these intermediate certificates are technically constrained via EKU to NOT issue TLS certs. OneCRL is only used by Firefox for TLS, so adding intermediate certs that are not trusted for TLS has zero effect (other than unnecessarily adding data to OneCRL). Therefore, please explain why you think these certificates should be added to OneCRL and what impact you believe that would have.

This is in context of the OCSP bug, in that they can potentially issue OCSP responses. However, Mozilla code already rejects these due to checks Mozilla added (rejecting OCSP responses from CAs), and Mozilla clients (like Thunderbird) would not be protected by adding to OneCRL.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Product: NSS → CA Program
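
Added example (not part of the bug and not Mozilla's code): the EKU reasoning from comment #2 and the OCSP-signing point from the reply to it, applied to the six EKU lists quoted in the bug. The rule that an EKU extension without ServerAuth or Any excludes TLS issuance, the function names and the two constructed contrast rows are assumptions of this sketch.

```python
# EKU names are written as in the bug (Go crypto/x509 constant names).
TLS_EKUS = {"ExtKeyUsageServerAuth", "ExtKeyUsageAny"}
OCSP_EKU = "ExtKeyUsageOCSPSigning"

# (name, serial, EKU field) copied from the six records in the bug.
BUG_RECORDS = [
    ("AC Firmaprofesional - CFEA", "4C4A75F91EA19866", "ExtKeyUsageClientAuth"),
    ("AC Firmaprofesional - CFEA", "47B0EBAAB3891680",
     "ExtKeyUsageClientAuth,ExtKeyUsageOCSPSigning"),
    ("AC Firmaprofesional - OTC", "3CF52200152411D3", "ExtKeyUsageClientAuth"),
    ("AC Firmaprofesional - OTC", "6E1663FFF60AF34D",
     "ExtKeyUsageClientAuth,ExtKeyUsageOCSPSigning"),
    ("SIGNE Autoridad de Certificacion", "324E45C5454D9FF9",
     "ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection"),
    ("SIGNE Autoridad de Certificacion", "21F0F18D95A95B75",
     "ExtKeyUsageClientAuth,ExtKeyUsageEmailProtection,ExtKeyUsageOCSPSigning"),
]

# Constructed contrast rows (not from the bug), with placeholder serials.
CONSTRUCTED = [
    ("Example TLS ICA", "SERIAL-PLACEHOLDER-1",
     "ExtKeyUsageServerAuth,ExtKeyUsageClientAuth"),
    ("Example unconstrained ICA", "SERIAL-PLACEHOLDER-2", ""),  # no EKU extension
]

def assess(eku_field):
    """Classify one intermediate from its comma-separated EKU field."""
    ekus = {e.strip() for e in eku_field.split(",") if e.strip()}
    # Assumption: an absent EKU extension leaves the CA unconstrained.
    tls_capable = not ekus or bool(ekus & TLS_EKUS)
    return {
        "tls_capable": tls_capable,
        "ocsp_signing": OCSP_EKU in ekus,
        # OneCRL is consulted for TLS only, per comment #2.
        "onecrl_has_effect": tls_capable,
    }

def triage(records):
    """Return {serial: assessment} for a list of (name, serial, eku) rows."""
    return {serial: assess(eku) for _name, serial, eku in records}

if __name__ == "__main__":
    for name, serial, eku in BUG_RECORDS + CONSTRUCTED:
        print(serial, name, assess(eku))
```
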