Closed Bug 1845047 Opened 2 years ago Closed 18 days ago

Add SwissSign RSA TLS Root CA 2022 - 1 and SwissSign RSA SMIME Root CA 2022 - 1

Categories

(CA Program :: CA Certificate Root Program, task, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: raffaela.achermann, Assigned: bwilson)

References

Details

(Whiteboard: [ca-approved] - in NSS 3.114, with EV in FF 142 )

Attachments

(7 files)

Attached file CA Hierarchy.pdf

This is a request for a root inclusion.
We want to replace our existing "SwissSign Gold CA - G2" and "SwissSign Silver CA - G2" with new roots that fulfill the current expectations, such as current key material or separation of TLS and S/MIME. These roots are already cross-signed by our current "SwissSign Gold CA - G2", issue leaf certificates according to the current regulations, and are part of our yearly audits.
The reason for this exchange is that the existing roots are end of life and are based on old key material (e.g. SHA-1 roots). With the "SwissSign RSA TLS Root CA 2022 - 1" and the "SwissSign RSA SMIME Root CA 2022 - 1" we separate the issuing of TLS and SMIME certificates. The new Roots only issue using SHA2-based signatures.

https://crt.sh/?id=7044154542
CN = SwissSign RSA SMIME Root CA 2022 - 1
O = SwissSign AG

and
https://crt.sh/?id=7044185765
CN = SwissSign RSA TLS Root CA 2022 - 1
O = SwissSign AG

Furthermore, I submit:
• BR Self-Assessment: https://repository.swisssign.com/CCADB_Self_Assessment.xlsx
• Root Certificate Download URL:
TLS: https://www.swisssign.com/dam/jcr:d7bff83f-43e3-4adc-84b2-0b694e84e4d5/SwissSign_RSA_TLS_Root_CA_2022_-_1.pem
SMIME: https://www.swisssign.com/dam/jcr:049189f2-d0e7-4164-a9a4-c0ce4a3eaf77/SwissSign_RSA_SMIME_Root_CA_2022_-_1.pem
• Test websites and testing (see below)
• Sub CA Hierarchy

Overview of test websites of SwissSign RSA SMIME Root CA 2022 - 1
https://repository.swisssign.com/reference_certs/

Overview of test websites of SwissSign RSA TLS Root CA 2022 - 1

Valid certificate:
  DV: https://dv-rsa-tls-2022-valid-cert-demo.swisssign.com
  OV: https://ov-rsa-tls-2022-valid-cert-demo.swisssign.com
  EV: https://ev-rsa-tls-2022-valid-cert-demo.swisssign.com
Expired certificate:
  DV: https://dv-rsa-tls-2022-expired-cert-demo.swisssign.com
  OV: https://ov-rsa-tls-2022-expired-cert-demo.swisssign.com
  EV: https://ev-rsa-tls-2022-expired-cert-demo.swisssign.com
Revoked certificate:
  DV: https://dv-rsa-tls-2022-revoked-cert-demo.swisssign.com
  OV: https://ov-rsa-tls-2022-revoked-cert-demo.swisssign.com
  EV: https://ev-rsa-tls-2022-revoked-cert-demo.swisssign.com

EV-Policy-OIDs:
OID.2.16.756.1.89.2.1.3 (SwissSign specific)
OID.0.4.0.2042.1.4 (ETSI EVCP)
OID.2.23.140.1.1 (CABF EV)
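The test-website matrix and the EV policy OIDs above describe what a relying party has to check before it trusts a leaf under the new TLS root. The Go program below is an added example, not part of the bug report or SwissSign's own code: it builds a constructed throwaway root and leaf (not SwissSign's certificates; the host name ev-demo.example.test and all validity dates are invented), verifies the leaf against the root the way a browser does for the valid and expired rows, and confirms that the CABF EV OID 2.23.140.1.1 from the list above is asserted in the leaf. The revoked row depends on the CA's CRL or OCSP responder and is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var cabfEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}       // CABF EV policy OID from the request
var oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // certificatePolicies extension

// PolicyInformation is one entry of certificatePolicies (policy qualifiers omitted).
type PolicyInformation struct{ Policy asn1.ObjectIdentifier }

// TestPKI is a constructed throwaway hierarchy for this example, not SwissSign's.
type TestPKI struct{ Root, Leaf *x509.Certificate }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildTestPKI issues a self-signed root and a 90-day server leaf asserting the CABF EV
// policy as an explicit extension, so the result is the same across Go releases.
func BuildTestPKI(now time.Time) *TestPKI {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Example Test Root (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	policies, err := asn1.Marshal([]PolicyInformation{{Policy: cabfEV}})
	check(err)
	leaf := mustCert(&x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: "ev-demo.example.test"}, // constructed host name
		DNSNames:        []string{"ev-demo.example.test"},
		NotBefore:       now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertPolicies, Value: policies}},
	}, root, &leafKey.PublicKey, rootKey)
	return &TestPKI{Root: root, Leaf: leaf}
}

// VerifyChain is the relying-party check behind the "valid" and "expired" demo hosts:
// a path to the trusted root, a host-name match, and the validity window at time at.
func VerifyChain(pki *TestPKI, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(pki.Root)
	_, err := pki.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsExpiredErr distinguishes a validity-period failure from other chain errors.
func IsExpiredErr(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// HasPolicy reports whether the leaf asserts the given policy OID; browsers grant EV
// treatment only when the EV OID registered for the root appears in the leaf.
func HasPolicy(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC) // constructed reference time
	pki := BuildTestPKI(now)
	fmt.Println("valid  :", VerifyChain(pki, "ev-demo.example.test", now) == nil)
	fmt.Println("expired:", IsExpiredErr(VerifyChain(pki, "ev-demo.example.test", now.AddDate(1, 0, 0))))
	fmt.Println("EV OID :", HasPolicy(pki.Leaf, cabfEV))
}
```

To run the same checks against the real demo hosts, load the root PEM from the download URL above into the cert pool instead of the constructed root and pass the chain the server presents; the chain must verify for the valid host and fail with an expiry error for the expired host. A leaf carrying the EV OID only gets the EV indicator once the browser ships the root/OID pairing, which is what the "EV in FF 142" whiteboard note records.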

Links to the TSP-Documents:
Overview: https://www.swisssign.com/support/repository.html

https://repository.swisssign.com/SwissSign_TSPS.pdf

TLS Documents:
https://repository.swisssign.com/SwissSign_CPS_TLS.pdf
https://repository.swisssign.com/SwissSign_CPR_TLS.pdf
https://repository.swisssign.com/SwissSign_CP_DV.pdf
https://repository.swisssign.com/SwissSign_CP_OV.pdf
https://repository.swisssign.com/SwissSign_CP_EV.pdf

S/MIME Documents:
https://repository.swisssign.com/SwissSign_CPS_SMIME.pdf
https://repository.swisssign.com/SwissSign_CPR_SMIME.pdf
https://repository.swisssign.com/SwissSign_CP_LCP.pdf
https://repository.swisssign.com/SwissSign_CP_NCP.pdf
https://repository.swisssign.com/SwissSign_CP_NCP_extended.pdf

Subscriber Agreement:
https://repository.swisssign.com/SubscriberAgreement.pdf

Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-initial]
Priority: -- → P1
Whiteboard: [ca-initial] → [ca-verifying]

SwissSign would like a status update.

Flags: needinfo?(bwilson)

I'll continue a review of the documentation submitted (Key Generation and Self Assessment). Of note, SwissSign still needs to populate the CCADB fields for the TLS Root with the URLs of test websites demonstrating automated issuance for DV, OV and EV certificates.

Flags: needinfo?(bwilson)

Dear Ben, we added the URLs for the test websites in the CCADB. Regards Raffaela

Whiteboard: [ca-verifying] → [ca-cps-review]
Whiteboard: [ca-cps-review] → [ca-cps-review] [ca-ready-for-discussion]

All,
I have completed my review of the SwissSign CPSes for TLS and S/MIME and the TSPS with minor comments.

  • SwissSign should be more consistent with its references to the Baseline Requirements (TLS and S/MIME). Sometimes the documents refer to them as the BR, the BRG, the Forum Requirements, etc., so more consistency and single acronyms are needed.
  • Where reference is initially made to certificate types found in the TLS BRs or S/MIME BRs (e.g. Mailbox Validated and Sponsor Validated), the applicable CA/B Forum Policy OIDs should be stated.
  • SwissSign should replace “this CA” with either “the CA” or “these CAs”.
  • Documents should be more clear that anyone who proves possession of the private key can request revocation.

Ben

Whiteboard: [ca-cps-review] [ca-ready-for-discussion] → [ca-ready-for-discussion]

This CA inclusion request is in 6-week public discussion through June 16, 2025. See https://groups.google.com/a/ccadb.org/g/public/c/RvKtfitOgI8/m/VIzH2USyBwAJ

Whiteboard: [ca-ready-for-discussion] → [ca-in-discussion]

Public discussion period ended on June 16, 2025, and there were no objections or comments in opposition to SwissSign's inclusion request.
https://groups.google.com/a/ccadb.org/g/public/c/RvKtfitOgI8/m/6fcSimoyBgAJ.
Today, I sent notice to the Mozilla Dev-Security-Policy list that I am recommending approval of the request. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/f3ydoYcBvtE/m/e4BFTRqDAgAJ.
This starts a 7-day "last call", which will run through June 24, 2025.

Whiteboard: [ca-in-discussion] → [ca-pending-approval]

As per Comment #12, and on behalf of Mozilla, I approve the request from SwissSign to include the following two root certificates with the following trust settings:

SwissSign RSA SMIME Root CA 2022 - 1 (Email)
SwissSign RSA TLS Root CA 2022 - 1 (Websites, EV)

I will file the NSS and PSM bugs for the approved changes.

Whiteboard: [ca-pending-approval] → [ca-approved] - pending NSS and PSM code changes
Depends on: 1974511

The NSS and PSM bugs are Bug #1974511 and Bug #1974512, respectively.

No longer depends on: 1974511
Depends on: 1974511, 1974512
Whiteboard: [ca-approved] - pending NSS and PSM code changes → [ca-approved] - in NSS 3.114, with EV in FF 142

Certificates included in NSS 3.114 and EV enabled in FF 142 as confirmed in Firefox Nightly.

Status: ASSIGNED → RESOLVED
Closed: 18 days ago
Resolution: --- → FIXED