1679256 - Root inclusion request for D-TRUST BR Root CA 1 2020

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task, P1)

Description

[Enrico Entschew]

Attachment: D-TRUST_BR_Root_CA_1_2020.crt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Edg/87.0.664.41

Steps to reproduce:

This is a request for a root inclusion.
http://www.d-trust.net/cgi-bin/D-TRUST_BR_Root_CA_1_2020.crt
CN=D-TRUST BR Root CA 1 2020
O=D-Trust GmbH

(Planned rollover for D-TRUST Root Class 3 CA 2 2009)

Comment 1

[Enrico Entschew]

Attachment: 2020_AA2020031301_D-TRUST_BR_Root_CA_1_2020.pdf

Key Ceremony Attestation for D-TRUST BR Root CA 1 2020

Comment 2

[Ben Wilson]

According to the CCADB we need:

• BR Self-Assessment - https://wiki.mozilla.org/CA/BR_Self-Assessment
• Root Certificate Download URL (see above)
• Three test websites and testing
• Sub CA hierarchy, as applicable

Comment 3

[Ben Wilson]

Do you have three test websites with certificates that chain up to this root - a valid certificate, an expired certificate, and a revoked certificate? Thanks.

Comment 4

[Enrico Entschew]

Hallo Ben, please find the requested information here:

Overview of the test websites of D-TRUST BR Root CA 1 2020
Valid: https://certdemo-ov-valid.tls.d-trust.net/
Revoked: https://certdemo-ov-revoked.tls.d-trust.net/
Expired: https://certdemo-ov-expired.tls.d-trust.net/

Furthermore, I submit the CA hierarchy including the Sub CAs in the pdf.

The results of the self assessment will follow after the updated CP, CPS and TSPS are published.

Comment 5

[Enrico Entschew]

Attachment: PKI-Struktur_BR_Root-Inclusion.pdf

Please find here the CA hierarchy including Root CA and Sub CAs.

Comment 6

[Ben Wilson]

Awaiting BR Self Assessment, and then this request can be moved to CP/CPS review.

Comment 7

[Enrico Entschew]

Attachment: D-TRUST_BR_Self_Assessment_D-TRUST_BR_Root_CA_1_2020_final.xlsx

Please find attached the BR self assessment of the D-TRUST BR Root CA 1 2020.

Comment 8

[Ben Wilson]

CP-CPS review can be found in 4th column of attachment in Bug #1679258 - https://bugzilla.mozilla.org/attachment.cgi?id=9243128

Comment 9

[Ben Wilson]

CP-CPS Review highlights are posted here: https://bugzilla.mozilla.org/show_bug.cgi?id=1679258#c9

Comment 10

[Enrico Entschew]

Information to the updated policy documents and revised BR self assessment can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1679258#c10 and https://bugzilla.mozilla.org/show_bug.cgi?id=1679258#c11

Comment 11

[Ben Wilson]

Public discussion started today with a scheduled close of 28-Jan-2022: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/0Ljc_EkPsiQ/m/9XLIROdXBAAJ

Comment 12

[Ben Wilson]

Public discussion closed without comment and with my recommendation that we include this root CA certificate in NSS with the websites trust bit enabled. See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/0Ljc_EkPsiQ/m/34f608EgAgAJ

Comment 13

[Kathleen Wilson]

As per Comment #12, and on behalf of Mozilla I approve this request from D-TRUST to include the following root certificate:

** D-TRUST BR Root CA 1 2020 (Websites)

I will file the NSS bug for the approved changes.

Comment 14

[Kathleen Wilson]

I have filed bug #1754890 against NSS for the actual changes.