1820592 - Add Telekom Security Root Certificates

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task, P1)

Description

[Stefan Kirch]

With this bug, Telekom Security requests inclusion of new Root Certificates.
Remark: In this first step, this bug is generated to create a Bug-ID for referencing this bug in the corresponding Root Inclusion Case in the CCADB.
The corresponding Root Inclusion Case in the CCADB can be found here: https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001269
Further information will be given in this bug as soon as the above mentioned CCADB case is completed and submitted to the root stores.

Comment 1

[Ben Wilson]

Telekom Security SMIME ECC Root 2021
https://crt.sh/?sha256=3AE6DF7E0D637A65A8C81612EC6F9A142F85A16834C10280D88E707028518755
Telekom Security TLS ECC Root 2020
https://crt.sh/?sha256=578AF4DED0853F4E5998DB4AEAF9CBEA8D945F60B620A38D1A3C13B2BC7BA8E1

Comment 2

[Stefan Kirch]

As explained in the Root Inclusion Request in the CCADB, we originally have generated four new Root CAs, i.e. the two above mentioned ECC Root CAs as well as two RSA Root CAs using the RSASSA-PSS algorithm. Due to the fact, that the RSA Roots could not be uploaded to the CCADB (see https://bugzilla.mozilla.org/show_bug.cgi?id=1815763) as well as some concerns regarding the support of RSASSA-PSS in general, we have generated two new RSA Root CAs at the end of march, using PKCS#1v1.5 instead of RSASSA-PSS.
As soon as the audit attestations for the Root Key Ceremony are available and we have created the test websites for the new TLS Root CA, we will add the new RSA Roots to the CCADB and update the CCADB case, so that these Roots can also be considered in the Root inclusion Request.
Furthermore, we have also issued two S/MIME Sub-CAs under the two S/MIME Root CAs in preparation of the issuance of the required S/MIME test certificates.

Comment 3

[Stefan Kirch]

In the meantime the Audit Attestations as well as all other information needed in the CCADB for the Root Inclusion case are available, so we updated the Root Inclusion case in the CCADB.
The two new Root CAs can be found in crt.sh:
Telekom Security SMIME RSA Root 2023
https://crt.sh/?q=78A656344F947E9CC0F734D9053D32F6742086B6B9CD2CAE4FAE1A2E4EFDE048
Telekom Security TLS RSA Root 2023
https://crt.sh/?q=EFC65CADBB59ADB6EFE84DA22311B35624B71B3B1EA0DA8B6655174EC8978646

We plan to add the S/MIME test certificates to this bug by mid-September.

Comment 4

[Stefan Kirch]

Attachment: Stefan Kirch Sponsorvalidated Multipurpose ECC.pem

Comment 5

[Stefan Kirch]

Attachment: Stefan Kirch Sponsorvalidated Multipurpose RSA.pem

Comment 6

[Stefan Kirch]

We have issued S/MIME Subscriber Certificates under each of our S/MIME Root-CAs, see attachments.

Comment 7

[Ben Wilson]

Public discussion of this root inclusion request began on the CCADB Public List on 2023-11-01 - https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/JsbbxpZJBAAJ

Comment 8

[Ben Wilson]

Public discussion on this request closed in December (https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/lxwjZDvhAAAJ), and today I posted a recommendation on the Mozilla dev-security-policy list (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/O576yUp8yL4/m/Flf-vtikAgAJ) that this request be approved.

Comment 9

[Ben Wilson]

As per Comment #8, and on behalf of Mozilla, this request from Telekom Security to include the following root certificates is Approved:

** Telekom Security SMIME ECC Root 2021
** Telekom Security TLS ECC Root 2020
** Telekom Security SMIME RSA Root 2023
** Telekom Security TLS RSA Root 2023

I will file the NSS bug for the approved changes.

Comment 10

[Ben Wilson]

Bug #1874017 has been created to add these CA certificates to NSS, after which another bug will need to be filed for PSM to EV-enable the two TLS root CAs.

Comment 11

[Stefan Kirch]

We have successfully tested the integration of the new TLS Root CAs by testing our test websites with Firefox 124 Nightly.