Closed Bug 232695 Opened 19 years ago Closed 18 years ago
IPSCA root cert inclusion
User-Agent: Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.6) Gecko/20040113 IPSCA is a spanish certification authority which is trusted in IE, but not in mozilla. A lot of webmasters would like it to be trusted by mozilla... Reproducible: Always Steps to Reproduce: Go to https://cerberus.idave.it:30000/horde/ Actual Results: A message saying my server's cert is not trusted appeared. Expected Results: Moz should have shown a message saying my server's cert is trusted IPSCA's web site is: http://certs.ipsca.com/ IPSCA's root cert is: -----BEGIN CERTIFICATE----- MIICtzCCAiACAQAwDQYJKoZIhvcNAQEEBQAwgaMxCzAJBgNVBAYTAkVTMRIwEAYD VQQIEwlCQVJDRUxPTkExEjAQBgNVBAcTCUJBUkNFTE9OQTEZMBcGA1UEChMQSVBT IFNlZ3VyaWRhZCBDQTEYMBYGA1UECxMPQ2VydGlmaWNhY2lvbmVzMRcwFQYDVQQD Ew5JUFMgU0VSVklET1JFUzEeMBwGCSqGSIb3DQEJARYPaXBzQG1haWwuaXBzLmVz MB4XDTk4MDEwMTIzMjEwN1oXDTA5MTIyOTIzMjEwN1owgaMxCzAJBgNVBAYTAkVT MRIwEAYDVQQIEwlCQVJDRUxPTkExEjAQBgNVBAcTCUJBUkNFTE9OQTEZMBcGA1UE ChMQSVBTIFNlZ3VyaWRhZCBDQTEYMBYGA1UECxMPQ2VydGlmaWNhY2lvbmVzMRcw FQYDVQQDEw5JUFMgU0VSVklET1JFUzEeMBwGCSqGSIb3DQEJARYPaXBzQG1haWwu aXBzLmVzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsT1J0nznqjtwlxLyY XZhkJAk8IbPMGbWOlI6H0fg3PqHILVikgDVboXVsHUUMH2Fjal5vmwpMwci4YSM1 gf/+rHhwLWjhOgeYlQJU3c0jt4BT18g3RXIGJBK6E2Ehim51KODFDzT9NthFf+G4 Nu+z4cYgjui0OLzhPvYR3oydAQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACzzw3lY JN7GO9HgQmm47mSzPWIBubOE3yN93ZjPEKn+ANgilgUTB1RXxafey9m4iEL2mdsU dx+2/iU94aI+A6mB0i1sR/WWRowiq8jMDQ6XXotBtDvECgZAHd1G9AHduoIuPD14 cJ58GNCr+Lh3B0Zx8coLY1xq+XKU1QFPoNtC -----END CERTIFICATE-----
Assignee: general → kaie
Component: Browser-General → Client Library
OS: Windows XP → All
Product: Browser → PSM
QA Contact: general → bmartin
Hardware: PC → All
Version: Trunk → 2.4
Assignee: kaie → wchang0222
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Client Library → Libraries
Ever confirmed: true
Product: PSM → NSS
Summary: No support for IPSCA certificates → IPSCA root cert inclusion
Version: 2.4 → 3.4
I would not ask Mozilla users to trust this (or any other certificate authority) without some assurance (beyond self assertions) that its practices do indeed meet the standards generally advocated for CAs. This illustrates the need for a clear policy as requested in bug #233453. While Mozilla does not have its certificate, the Web site for ipSCA claims that the certificate "is now present in more than 92% of todays browsers." Since Mozilla now has over 11% of the market (per W3Schools at <http://www.w3schools.com/browsers/browsers_stats.asp>), less than 89% of todays browsers have the certificate.
*** Bug 238980 has been marked as a duplicate of this bug. ***
What speaks against an inclusion of this root certificate?
Mr Wan-Teh Chang, who was supposed to correct this bug, seems not to care about this bug...
Anyone else who could fix it?
This bug is BLOCKED by bug 233453. ALL requests to add new certs to mozilla are BLOCKED until that bug is resolved. The place to discuss this is NOT in the bug system. The place to discuss this is news://news.mozilla.org:119/netscape.public.mozilla.crypto
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: 3.4 → other
Accepting this bug for processing per my earlier statement about processing pending certificate requests prior to completion of the formal policy called for in bug 233453. I'm tracking down the IPS-related information now; the main repository of certificates and related information seems to be <http://www.ips.es/Declaraciones/NuevasCAS/NuevasCAS.html>. This page does not include links to any Certificate Policy (CP) or Certification Practice Statement (CPS) documents; however going through the certs.ipsca.com site I did find a link to a CPS in Spanish <http://certs.ipsca.com/companyIPSipsCA/CPSIPSCAv2Abril2002.pdf>. Per David Ross's comments, IPS does appear to have undergone a WebTrust CA audit; see the link <https://ips.webtrust.org/espana_sello.html> (Spanish only) pointed to from the above-referenced page. Also note that apparently the request here is to add seven (7) separate root certificates, one for the original IPS Servidores CA and six others for new CAs. (One of the new CAs is a timestamping service; is this really relevant to Mozilla?) More comments later as I have time to look through the IPS information.
Status: NEW → ASSIGNED
I now have information on ipsCA available as part of my draft CA list at <http://www.hecker.org/mozilla/ca-certificate-list/>; thanks go to Rodolfo Lomascolo of ipsCA for providing additional references. As I noted previously, ipsCA has been audited by WebTrust Spain; I looked through a Babelfish translation of the Spanish report and it looked to be in order and comparable to the other WebTrust for CA reports I've seen. Unless anyone has any objections I plan to approve the ipsCA roots for inclusion in Mozilla. (I'm allowing some time for final comments.) P.S. I'm also removing the dependency of this bug on 233453.
No longer depends on: 233453
I've received no objections to my approving ipsCA, and thus I'm now formally approving them for inclusion in Mozilla. I'll file a bug against NSS to get the work done.
Filed bug 244982 to get the certs added, and marked this bug as blocked on that one.
Frank, Nelson has added these root CA certs to NSS. So you can mark the bug fixed now.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed. Also removing bug 244982 as a dependency.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.