Closed Bug 232695 Opened 19 years ago Closed 18 years ago

IPSCA root cert inclusion

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: idave, Assigned: hecker)

Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.6) Gecko/20040113

IPSCA is a Spanish certification authority which is trusted in IE, but not in
Mozilla. A lot of webmasters would like it to be trusted by Mozilla...

Reproducible: Always
Steps to Reproduce:
Go to https://cerberus.idave.it:30000/horde/
Actual Results:  
A message saying my server's cert is not trusted appeared.

Expected Results:  
Moz should have shown a message saying my server's cert is trusted

IPSCA's web site is: http://certs.ipsca.com/

IPSCA's root cert is:
Assignee: general → kaie
Component: Browser-General → Client Library
OS: Windows XP → All
Product: Browser → PSM
QA Contact: general → bmartin
Hardware: PC → All
Version: Trunk → 2.4
-> NSS
Assignee: kaie → wchang0222
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Client Library → Libraries
Ever confirmed: true
Product: PSM → NSS
Summary: No support for IPSCA certificates → IPSCA root cert inclusion
Version: 2.4 → 3.4
I would not ask Mozilla users to trust this (or any other certificate authority)
without some assurance (beyond self assertions) that its practices do indeed
meet the standards generally advocated for CAs.  

This illustrates the need for a clear policy as requested in bug #233453.  

While Mozilla does not have its certificate, the Web site for ipSCA claims that
the certificate "is now present in more than 92% of todays browsers."  Since
Mozilla now has over 11% of the market (per W3Schools at
<http://www.w3schools.com/browsers/browsers_stats.asp>), less than 89% of today's
browsers have the certificate.
*** Bug 238980 has been marked as a duplicate of this bug. ***

What speaks against an inclusion of this root certificate?
Mr Wan-Teh Chang, who was supposed to correct this bug, seems not to care about this bug...
Anyone else who could fix it?

This bug is BLOCKED by bug 233453.
ALL requests to add new certs to mozilla are BLOCKED until that bug is resolved.
The place to discuss this is NOT in the bug system.
The place to discuss this is
news://news.mozilla.org:119/netscape.public.mozilla.crypto
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: 3.4 → other
Assignee: hecker → hecker
Accepting this bug for processing per my earlier statement about processing
pending certificate requests prior to completion of the formal policy called for
in bug 233453.

I'm tracking down the IPS-related information now; the main repository of
certificates and related information seems to be
<http://www.ips.es/Declaraciones/NuevasCAS/NuevasCAS.html>.  This page does not
include links to any Certificate Policy (CP) or Certification Practice Statement
(CPS) documents; however going through the certs.ipsca.com site I did find a
link to a CPS in Spanish
<http://certs.ipsca.com/companyIPSipsCA/CPSIPSCAv2Abril2002.pdf>.

Per David Ross's comments, IPS does appear to have undergone a WebTrust CA
audit; see the link <https://ips.webtrust.org/espana_sello.html> (Spanish only)
pointed to from the above-referenced page.

Also note that apparently the request here is to add seven (7) separate root
certificates, one for the original IPS Servidores CA and six others for new CAs.
(One of the new CAs is a timestamping service; is this really relevant to Mozilla?)

More comments later as I have time to look through the IPS information. 
Status: NEW → ASSIGNED
I now have information on ipsCA available as part of my draft CA list at
<http://www.hecker.org/mozilla/ca-certificate-list/>; thanks go to Rodolfo
Lomascolo of ipsCA for providing additional references.

As I noted previously, ipsCA has been audited by WebTrust Spain; I looked
through a Babelfish translation of the Spanish report and it looked to be in
order and comparable to the other WebTrust for CA reports I've seen. Unless
anyone has any objections I plan to approve the ipsCA roots for inclusion in
Mozilla. (I'm allowing some time for final comments.)

P.S. I'm also removing the dependency of this bug on 233453.
No longer depends on: 233453
I've received no objections to my approving ipsCA, and thus I'm now formally
approving them for inclusion in Mozilla. I'll file a bug against NSS to get the
work done.
Depends on: 244982
Filed bug 244982 to get the certs added, and marked this bug as blocked on that one.

Frank,

Nelson has added these root CA certs to NSS. So
you can mark the bug fixed now.

Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed.
Also removing bug 244982 as a dependency.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program