Closed
Bug 167572
Opened 22 years ago
Closed 19 years ago
Add Unizeto CERTUM CA certificates to builtin certificates
Categories
(CA Program :: CA Certificate Root Program, task, P3)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: m.wawoczny, Assigned: hecker)
References
()
Details
(Whiteboard: [FIX IN HAND][need a=][need sr=][need r=])
Attachments
(2 files)
|
76.14 KB,
text/plain
|
Details | |
|
22.31 KB,
patch
|
Details | Diff | Splinter Review |
At present day Unizeto CERTUM Certification Authority is managing over 240 000 certificates. UNIZETO has its own Certification Authority and is a provider of digital certificate products, services and solutions that create security, privacy and authentication in electronic commerce. UNIZETO offers a range of certificate solutions that encompass Internet security, Extranet security, email security and Enterprise PKI requirements. UNIZETO wishes to have CERTIFICATES provided as a part of Mozilla browser and to CERTIFICATES considered as trusted. This is a blocker for Polish users.
|
Reporter | |
Comment 1•22 years ago
|
||
UNIZETO signed email with attached statement regarding non-exclusive license to manufacture, distribute and sublicense the UNIZETO Root Certificates
|
|
Reporter | |
Comment 2•22 years ago
|
||
|
|
Reporter | |
Updated•22 years ago
|
Whiteboard: [FIX IN HAND][need a=][need sr=][need r=]
|
|
Reporter | |
Comment 4•22 years ago
|
||
Hmmm... Noone can check this patch?
|
||
Comment 5•21 years ago
|
||
Is this the correct way to have new Root CA's added to the Mozilla codebase?
|
|
Reporter | |
Comment 6•21 years ago
|
||
I think yes. Patch seems to be OK, the only problem here is $$$ ;) Netscape support is to expensive, thats why it wasn't checked in.
|
||
Comment 7•21 years ago
|
||
Enhancement request, requesting addition to built-in root CA shared library. Waiting OK from assignee.
Severity: major → enhancement
Priority: -- → P3
|
|
||
Comment 8•21 years ago
|
||
Marek: How did you make the patch file? I'm trying to make one over in bug 204839
|
|
Reporter | |
Comment 10•21 years ago
|
||
Is it possible to check in this patch after launch of a new Mozilla.org foundation or Netscape still manages all certificates? Henrik: First of all you need certificate files in binary, der-encoded format (*.crt files), then you need cert utils (you can build them with NSS). This is how I generated encoded data for Mozilla: cat non-repudiation2\ca.crt | addbuiltin -n "Certum CA" -t "C,C,C" > certdata.txt cat non-repudiation2\level1.crt | addbuiltin -n "Certum Level I" -t "C,C,C" >> certdata.txt cat non-repudiation2\level2.crt | addbuiltin -n "Certum Level II" -t "C,C,C" >> certdata.txt cat non-repudiation2\level3.crt | addbuiltin -n "Certum Level III" -t "C,C,C" >> certdata.txt cat non-repudiation2\level4.crt | addbuiltin -n "Certum Level IV" -t "C,C,C" >> certdata.txt with -n option you need to specify cert name, and with -t set the certificate trust attributes: p valid peer P trusted peer (implies p) c valid CA T trusted CA to issue client certs (implies c) C trusted CA to issue server certs (implies c) u user cert w send warning /* common defaults */ /* equivalent to "c,c,c" */ void SetValidCA(); /* equivalent to "C,C,C" */ void SetTrustedServerCA(); /* equivalent to "CT,CT,CT" */ void SetTrustedCA(); /* equivalent to "p,," */ void SetValidServerPeer(); /* equivalent to "p,p,p" */ void SetValidPeer(); /* equivalent to "P,P,P" */ void SetTrustedPeer(); /* equivalent to "u,u,u" */ void SetUser(); Flag order: "SSL, Email, ObjSign" Last step is to add contents of generated certdata.txt to mozilla/security/nss/lib/ckfw/builtins/certdata.txt file and make a patch.
|
||
Comment 11•20 years ago
|
||
As with Betrusted (which owns TC TrustCenter, see bug #179716), Unizeto CERTUM has a WebTrust seal.
|
|
||
Updated•20 years ago
|
Assignee: ssaux → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
|
|
||
Comment 12•20 years ago
|
||
Although this bug is related to bug 179716 in the sense that both sets of certs have the same parent company, neither of these bugs blocks the other. Both are blocked by bug 233453.
No longer depends on: 179716
|
||
Updated•20 years ago
|
Assignee: hecker → hecker
|
Assignee | |
Comment 13•20 years ago
|
||
Accepting bug, removing dependency on bug 233453 in accordance with my post to n.p.m.crypto about proceeding with certain CAs (those with WebTrust CA audits) in the absence of a full mozilla.org policy.
Status: NEW → ASSIGNED
No longer depends on: 233453
|
|
Assignee | |
Comment 14•20 years ago
|
||
I've put up a web page at http://www.hecker.org/mozilla/ca-certificate-list/ with links to information on this CA; this page is an initial prototype of a page I hope to create for all the CAs whose certificates are included in Mozilla. Everything looks OK in terms of having the WebTrust CA audit and the expected official CA docs (CP, CPS, etc.). I do have one question: As I understand it, the request is to add certificates for the CERTUM root CA and also for the Level I through Level 4 CAs under that root. Is this correct?
|
|
Reporter | |
Comment 15•20 years ago
|
||
Yes, you are correct, this bug is to add root CA certificate and beneath it all level certificates (I to IV). Do I need to change patch file to make this work?
|
|
Assignee | |
Comment 16•20 years ago
|
||
(In reply to comment #15) > Yes, you are correct, this bug is to add root CA certificate and beneath it > all level certificates (I to IV). Do I need to change patch file to make this > work? I don't think you need to change the patch file at this time. If Nelson Bolyard (or whoever would make the change) needs a differently-formatted patch file then they can ask for it. I simply wanted to verify the actual certs to be included, based on my understanding from reading the patch. I should have mentioned this in my last comment, but it also appears from reading the patch that the request is to have all the CA certs trusted for purposes of SSL, S/MIME email, and object signing -- i.e., all the "trust bits" turned on for each and every CA. Is this correct?
|
|
Reporter | |
Comment 17•20 years ago
|
||
Yes, all trust bits are enabled, this was requested by Certum CA.
|
||
Updated•20 years ago
|
Keywords: mozilla1.0.1,
mozilla1.2
|
|
Assignee | |
Comment 18•20 years ago
|
||
I have now done some additional review on Unizeto Certum CA. I have read the Certification Policy (CP) and the WebTrust audit report, and skimmed through the Certification Practice Statement (CPS). I have also successfully imported into my copy of Mozilla all five CA certificates (root CA and Level I-IV CAs) and their respective CRLs. Finally, I've successfully surfed to the SSL-enabled version of the Certum web site <https://www.certum.pl/>, which verified properly (it's got a Level IV certificate). All of this looks OK. I have a couple of remaining questions about OCSP. (These questions reflect my relative unfamilarity with OCSP and its implementation in Mozilla; Nelson and others, please feel free to enlighten me.) As I understand it, Certum maintains an OCSP responder at the OCSP service URL <http://ocsp.certum.pl>, and responses are signed using a certificate associated with the Certum Validation Service; this is presumably the certificate at <http://www.certum.pl/keys/vs.crt>. My first question is, is it necessary to import this certificate into Mozilla for Mozilla to properly handle OSCP responses from Certum? And second, what would I need to do in Mozilla in order to enable checking of Certum certs via OCSP? Do I simply need to set the option "Use OCSP to validate only certificates that specify an OCSP service URL"? Or would I have to explicitly specify the service URL and signer, per the third option "Use OCSP to validate all certificates using this URL and signer"? Wouldn't the third option apply to validation of all certificates from any CA, not just Certum? In that case it would seem that the second option is the one to use, presuming that Certum actually specifies a service URL in its certs. I've updated the page at <http://www.hecker.org/mozilla/ca-certificate-list/> with the URLs for the CRLs and OCSP. If I can get my OCSP-related questions answered then I am ready to approve addition of the Certum CA certificates per the interim policy I mentioned above.
|
||
Comment 19•20 years ago
|
||
I just tested the OCSP capabilities of Mozilla 1.7b against Certum VA. If the
Certum VA certificate is included in Mozilla keystore, it works fine. But if
not, the entire validation proccess is going to fail (error code - unauthorized
response), even though response has a certificate in it. Probably Mozilla
doesn't support that feature correctly. The second OCSP validation method in
Mozilla - trusted VA seems to work fine. But in that case, only IDs issued by
Certum CA will be validated. This is due to a real-time responder, based upon
database not CRLs. So, I guess it would be a great convenience to the Mozilla
users to have a built-in Certum VA (besides Certum {CA,Level{1,2,3,4}})
Then, if you wanna use OCSP in Mozilla, you need to
1.get a free ID from http://www.certum.pl/enroll :-)
2.set the option "Use OCSP to validate only...."
3.import the Certum VA certificate
That's all.|
|
Assignee | |
Comment 20•20 years ago
|
||
(In reply to comment #19) > I just tested the OCSP capabilities of Mozilla 1.7b against Certum VA. If the > Certum VA certificate is included in Mozilla keystore, it works fine.... > So, I guess it would be a great convenience to the Mozilla > users to have a built-in Certum VA (besides Certum {CA,Level{1,2,3,4}}) Thanks for testing this. I agree that having the CA certificate for the Certum Validation Service would be useful. Based on my reading of the Unizeto Certum CA meterials together with comments in this bug, and in accordance with the interim mozilla.org CA policy outlined above, I approve including CA certificates for the Unizetum Certum CA, specifically the Certum Root CA, Certum Level I CA, Certum Level II CA, Certum Level III CA, Certum Level IV CA, and Certum Validation Service (all certificates marked as trusted for all uses). I've submitted a new bug 242040 for the actual addition of the certificates to NSS, and will mark this bug as blocked pending resolution of bug 242040. If you have further non-technical comments about this request, please make them in this bug; please don't comment in bug 242040 unless you are making technical comments re the requested change to NSS.
Depends on: 242040
|
||
Comment 21•19 years ago
|
||
Frank, Nelson has added these root CA certs to NSS. So you can mark this bug fixed now.
|
|
Assignee | |
Comment 22•19 years ago
|
||
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 23•19 years ago
|
||
(Forgot to remove bug 242040 as a dependency.)
No longer depends on: 242040
|
||
Updated•7 years ago
|
Product: mozilla.org → NSS
|
||
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•