Add D-Trust SBR Root CAs 1 & 2 2022
Categories
(CA Program :: CA Certificate Root Program, task, P1)
Tracking
(Not tracked)
People
(Reporter: bwilson, Assigned: bwilson)
References
Details
(Whiteboard: [ca-approved] - in NSS 3.98, Firefox 124)
Attachments
(8 files)
482.83 KB,
application/pdf
|
Details | |
482.84 KB,
application/pdf
|
Details | |
610 bytes,
application/x-x509-ca-cert
|
Details | |
1.42 KB,
application/x-x509-ca-cert
|
Details | |
297.28 KB,
application/pdf
|
Details | |
296.82 KB,
application/pdf
|
Details | |
2.58 KB,
application/x-x509-ca-cert
|
Details | |
1.62 KB,
application/x-x509-ca-cert
|
Details |
D-Trust submitted two roots for inclusion.
D-Trust SBR Root CA 1 2022 - https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00001001
https://crt.sh/?sha256=D92C171F5CF890BA428019292927FE22F3207FD2B54449CB6F675AF4922146E2
D-Trust SBR Root CA 2 2022 - https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00001000
https://crt.sh/?sha256=DBA84DD7EF622D485463A90137EA4D574DF8550928F6AFA03B4D8B1141E636CC
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Comment 1•2 years ago
|
||
Comment 2•2 years ago
|
||
Comment 3•2 years ago
|
||
Comment on attachment 9291516 [details]
Audit Attestation for D-TRUST SBR Root CA 1 2022
Comment 4•2 years ago
|
||
Comment 5•2 years ago
|
||
Comment 6•2 years ago
|
||
Comment 7•2 years ago
|
||
Comment 8•2 years ago
|
||
Dear Ben,
Please find the root CA certificates, the audit attestations and the PKI hierarchy overviews.
In future, the “D-Trust SBR Root CA 1 2022” root CA (ECC) and the “D-Trust SBR Root CA 2 2022” root CA (RSA) are to replace the existing “D-TRUST Root CA 3 2013” root CA.
We are currently carrying out the self-assessment for both root CAs. We will submit the result after completion.
Thanks,
Enrico
Updated•1 year ago
|
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 9•1 year ago
•
|
||
Could you please attach an end-entity SMIME certificate issued under each of these roots to this bug? Also, can you upload information about your key generation, too?
Thanks, Ben
Comment 10•1 year ago
|
||
Please find here the links of the audit attestations of the key generation:
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2022081901_D-TRUST_SBR_Root_CA_1_2022_V1.0.pdf
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2022081902_D-TRUST_SBR_Root_CA_2_2022_V1.0.pdf
The end-entity S/MIME certificates issued under each of these roots will be published here as soon as it is available.
Thanks, Enrico
Assignee | ||
Comment 11•1 year ago
|
||
Thanks, Enrico. That information has been updated in the CCADB. How do you propose that we handle the Self Assessment for these S/MIME Root CAs, since you completed a self assessment within the last few years- e.g. https://bugzilla.mozilla.org/attachment.cgi?id=9246613 ? We have a new form, but it mainly is geared toward SSL/TLS and the Baseline Requirements. It appears that my questions regarding the email trust bit were asked and answered in that attachment you provided in Bugzilla #1679258. We look forward to receiving your S/MIME certificates.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 12•1 year ago
|
||
How soon do you think it will be until you can upload your sample S/MIME certificates here?
Thanks,
Ben
Comment 13•1 year ago
|
||
Dear Ben,
After checking with the product management, we will provide the certificates by the end of May at the latest.
Thanks,
Enrico
Comment 14•11 months ago
|
||
Here is the test certificate from the S/MIME root CA "D-Trust SBR Root CA 2 2022". You can also download the certificate here: https://www.d-trust.net/internet/files/RollOverSmime_RSA.cer
Comment 15•11 months ago
|
||
Here is the test certificate from the S/MIME root CA "D-Trust SBR Root CA 1 2022". You can also download the certificate here: https://www.d-trust.net/internet/files/RollOverSmime_EC.cer
Assignee | ||
Updated•4 months ago
|
Assignee | ||
Comment 16•4 months ago
|
||
Public discussion commenced on 2023-11-03 (https://groups.google.com/a/ccadb.org/g/public/c/EPVczE_6oCc/m/s90nO9-EBAAJ) and concluded on 2023-12-15 (https://groups.google.com/a/ccadb.org/g/public/c/EPVczE_6oCc/m/jsZ0CsgdAAAJ). Today I sent notice to the Mozilla Dev-Security-Policy list that I am recommending approval of D-Trust's request. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/vjX1-3zQ7ds/m/mSnRpjgOAAAJ. This starts a 7-day "last call" which will run through December 26, 2023.
Assignee | ||
Updated•4 months ago
|
Assignee | ||
Comment 17•4 months ago
|
||
As per Comment #16, and on behalf of Mozilla, this request from D-Trust to include the following root certificates is Approved:
** D-Trust SBR Root CA 1 2022 (Email)
** D-Trust SBR Root CA 2 2022 (Email)
I will file the NSS bug for the approved changes.
Assignee | ||
Updated•4 months ago
|
Assignee | ||
Comment 18•4 months ago
|
||
Bug # 1873095 has been created to add these CA certificates to NSS.
Assignee | ||
Updated•3 months ago
|
Assignee | ||
Comment 19•3 months ago
|
||
These two roots are in Firefox Nightly 124.0a1 (2024-02-01).
Assignee | ||
Updated•3 months ago
|
Description
•