Closed Bug 1755851 Opened 3 years ago Closed 3 years ago

GoDaddy cross-signing two Certainly Intermediate Certificates

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: brittany, Assigned: brittany)

Details

(Whiteboard: [ca-approved])

Attachments

(7 files)

This bug is to document and track the approval of GoDaddy’s intent to use its publicly trusted Starfield Root Certificate Authority - G2 (https://crt.sh/?caid=796) to create two new external subordinate CA certificates to be operated and maintained by Certainly, LLC. These will be cross-certificates sharing their respective key pairs with subordinate CA certificates signed by two Certainly Root CAs that are pending inclusion (https://bugzilla.mozilla.org/show_bug.cgi?id=1727941).

In accordance with Mozilla Root Store Policy, Section 8 - CA Operational Changes for new program participants, and at the instruction of the Process for Review and Approval of Externally Operated Subordinate CAs, we have created this Bugzilla Bug 1755851 and are initiating the formal discussion period on Mozilla’s dev-security-policy mailing list.

Certainly is a wholly owned subsidiary of Fastly, Inc., a cloud service provider headquartered in the USA. Certainly plans to issue certificates to existing Fastly customers. The two Certainly subordinate CAs will issue publicly-trusted DV TLS server certificates. More details may be found in Certainly’s root inclusion case in CCADB. Certainly has performed a CA Compliance Self-Assessment and has committed to adhere to all Mozilla requirements, Baseline Requirements of the CA/Browser Forum, and the GoDaddy (Starfield Technologies) CP/CPS.

All the operational services related to Certainly’s Subscribers will be performed by Certainly, including processing of certificate applications, certificate issuance, certificate publishing, certificate status services, and certificate management. Certainly has implemented the open-source Boulder CA and interacts with Applicants and Subscribers via an ACME API endpoint. Certainly has applied for inclusion as a root CA to Mozilla and a number of other root store programs, requesting inclusion of two root certificates. Both will be used exclusively to issue DV TLS certificates, with the distinction that one root will anchor an RSA hierarchy and the other will anchor an ECDSA hierarchy. These roots, as well as the two corresponding subordinate CAs that are constrained to TLS usages, have been disclosed in CCADB.

Certainly has received the following unqualified audit reports (attached) from the WebTrust Practitioner, Schellman, LLC:

  • WebTrust for CAs point-in-time dated June 30, 2021
  • WebTrust SSL Baseline with NCSSRs point-in-time dated June 30, 2021
  • WebTrust for CAs Key Lifecycle Management report (covering the period between key generation and type-1 audits)

Certainly will undergo WebTrust for CAs and WebTrust SSL Baseline with NCSSRs period-of-time audits no later than June 30, 2022, covering a period beginning July 1, 2021. Certainly has further committed to ongoing WebTrust audits for the 10-year lifetime of the cross-signed certificates.

As operator of a Mozilla-trusted root CA (and a trusted root in other browser root store programs), we recognize that through this cross-sign event, we are ultimately accountable for any actions taken by the Certainly intermediates which will inherit our trust. We have worked closely with Certainly to perform due diligence activities including the review of the Certainly CP/CPS, Subscriber Agreement, and Relying Party Agreement against CA/B forum requirements, GoDaddy Policies, and Mozilla policies. We have also reviewed Certainly’s CA Compliance Self Assessment and operational practices, interviewed Certainly personnel, and reviewed the external audit opinions to verify appropriate scope of coverage and conformance with requirements as expected. Currently and following the proposed cross-sign event, we will continue working closely with Certainly to oversee ongoing compliance efforts.

Of note, Certainly has filed two Mozilla incident reports to date (listed below) which we have followed and reviewed with Certainly. It is our expectation that the second bug be resolved prior to any cross-sign event.

  • Bug 1732745 (Resolved): Root CRL validity period exceeds maximum by one second (27-September 2021)
  • Bug 1752452 (Open): TLS Using ALPN TLS Version and OID (27-January 2022)

Assignee: bwilson → brittany
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-in-discussion] 2022-02-17
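The cross-sign structure described above (one issuing-CA key pair certified twice, once under each root, so the same leaf validates to whichever root the relying party trusts), as an added example in Go that is not part of this bug and not GoDaddy's or Certainly's tooling. All names are constructed and all keys are generated fresh on each run; the checks are the ones a relying party or an auditor would make: identical SubjectPublicKeyInfo in both intermediate certificates, the single leaf chaining to the new root through the original intermediate and to the established root through the cross-certificate, and no chain to the established root when only the original intermediate is supplied.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate builds a CA certificate template for a constructed name. With leafOnly set,
// pathLenConstraint is 0, so that CA may issue end-entity certificates only.
func caTemplate(name string, serial int64, leafOnly bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        leafOnly,
	}
}

// issue signs tmpl with issuerKey. For a self-signed root, issuer is tmpl itself; for a
// cross-certificate, pub is the same key another issuer has already certified.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiFingerprint is SHA-256 over the DER SubjectPublicKeyInfo: equal fingerprints mean
// the two certificates describe the same key pair.
func spkiFingerprint(c *x509.Certificate) [sha256.Size]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// chainsTo reports whether leaf validates to root using only the supplied intermediate.
func chainsTo(leaf, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// BuildAndCheck constructs two roots, one issuing-CA key certified by both, and a leaf,
// and returns: same SPKI in both intermediate certs; leaf chains to the new root via the
// original intermediate; leaf chains to the established root via the cross-certificate;
// leaf fails to chain to the established root when only the original intermediate is given.
// Names are constructed and keys are generated fresh each run.
func BuildAndCheck() (sameKey, underNewRoot, underEstablished, failsWithoutCross bool) {
	must := func(c *x509.Certificate, err error) *x509.Certificate {
		if err != nil {
			panic(err) // inputs are constructed, so a failure here is a bug in the demo
		}
		return c
	}
	var keys [4]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(nil, err)
		keys[i] = k
	}
	newRootKey, oldRootKey, interKey, leafKey := keys[0], keys[1], keys[2], keys[3]
	newTmpl := caTemplate("Example New Root (constructed)", 1, false)
	newRoot := must(issue(newTmpl, newTmpl, &newRootKey.PublicKey, newRootKey))
	oldTmpl := caTemplate("Example Established Root (constructed)", 2, false)
	oldRoot := must(issue(oldTmpl, oldTmpl, &oldRootKey.PublicKey, oldRootKey))
	// The issuing CA's key pair is certified twice: once by the new root and once by the
	// established root (the cross-certificate). Only issuer, serial and signature differ.
	inter := must(issue(caTemplate("Example Issuing CA (constructed)", 10, true), newRoot, &interKey.PublicKey, newRootKey))
	cross := must(issue(caTemplate("Example Issuing CA (constructed)", 11, true), oldRoot, &interKey.PublicKey, oldRootKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed once, with the issuing CA's key; which root it chains to depends
	// only on which intermediate certificate the relying party is handed.
	leaf := must(issue(leafTmpl, inter, &leafKey.PublicKey, interKey))
	return spkiFingerprint(inter) == spkiFingerprint(cross),
		chainsTo(leaf, inter, newRoot),
		chainsTo(leaf, cross, oldRoot),
		!chainsTo(leaf, inter, oldRoot)
}
```

The same SPKI comparison can be made on real certificates without any code: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints the SubjectPublicKeyInfo fingerprint, and two certificates that are genuinely cross-signs of one key pair print the same value. The last check in the block is the one that matters operationally: a client that trusts only the established root needs to be served the cross-certificate, not the intermediate issued under the new root, or validation fails.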
Attached file CSAReview.zip

Attached the following review artifacts:

  • Attachment Compendium.pdf
  • CPCPSReviewTracker.xlsx
  • CSAReview.zip (contains three files)
  • FastlyWebTrustAuditReportReview.zip (contains seven files)

Refer to “Attachment Compendium.pdf”, which provides additional details and context for the other attachments uploaded. Additionally, Version 1.3 of the Certainly CP/CPS has been published to https://certainly.com/repository/.

The severity field is not set for this bug.
:kwilson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kwilson)
Type: defect → task
Flags: needinfo?(kwilson)
QA Contact: kwilson → bwilson

The public discussion period ended this week, and I am recommending that Mozilla approve GoDaddy's cross-signing of two intermediate CA certificates for Certainly. See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/bEnn98Dajzc/m/4DnwaOBnAwAJ. As noted, this begins a 7-day last-call period for objections.

Public discussion and the 7-day last-call period recently ended[1], and Certainly's request to include its R1 and E1 root CAs in the root store has been approved[2]. GoDaddy's request to cross-sign Certainly's issuing CAs is similarly approved. GoDaddy and Certainly have successfully completed the Process for non-Technically Constrained Subordinate CAs[3].

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/EhXhiHfWGC8/m/3PcJHizqAAAJ

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1727941

[3] https://wiki.mozilla.org/CA/External_Sub_CAs

See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/bEnn98Dajzc/m/B4hqdK5lHwAJ

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: [ca-in-discussion] 2022-02-17 → [ca-approved]
Product: NSS → CA Program