Closed Bug 238381 Opened 16 years ago Closed 15 years ago

Add QuoVadis commercial CA cert to builtin trusted CA list

Categories

(NSS :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: sdavidson, Assigned: hecker)

Attachments

(2 files)

QuoVadis is a commercial certificate authority located in Bermuda and serving 
customers worldwide.  We have particular expertise in the insurance and 
financial services sectors, and also serve the Bermuda Government.  Corporate 
customers acting as registration authorities may use our web-based Trust/Link 
administration pages to issue and manage their certificate populations.

QuoVadis is an Authorised Certification Services Provider (CSP) under 
Bermuda's Electronic Transactions Act.  The CSP standard synthesizes major 
requirements from BS 7799, WebTrust for Certification Authorities, and the 
European Electronic Signature Standards Initiative (EESSI).  More information 
may be found at:  http://www.quovadis.bm/bdacsp.asp.  

The QuoVadis CA cert is already in Apple OSX, is expected to be added to the 
RIM BlackBerry OS in version 4, and has completed the WebTrust for CAs 
procedures for Microsoft.

QuoVadis provides device/SSL certificates, as well as end user certificates in 
multiple classes ranging from low authentication to due diligence meeting 
international "know your client" standards.  A summary of our certificate 
classes may be found at:  http://www.quovadis.bm/policies/pki.asp

We provide CRL at (root) www.quovadisoffshore.com/crl/qvrca.crl and (primary 
issuing) www.quovadisoffshore.com/crl/qvica2.crl.  We do not currently provide 
OCSP.

In addition to our CA services, QuoVadis provides professional services to 
assist organizations in deploying PKI for tasks such as secure e-mail, desktop 
login, VPN, digital signatures, smartcards and tokens, etc.

QuoVadis currently provides a "root injector" that senses the user's computer 
config and inserts the root appropriately.  This may be found at:  
http://www.quovadis.bm/root/

Following is the QV root CA cert in base 64 format.  This must be verified at 
the URL above before it is deployed:

Depends on 233453
Attached file QV Root CA cert
May also be found at www.quovadis.bm/root
Depends on: 233453
I would not ask Mozilla users to trust this (or any other certificate authority)
without some assurance (beyond self assertions) that its practices do indeed
meet the standards claimed in the second paragraph of the Description.  The
QuoVadis Web site does not indicate any third-party verification of its
practices.  While WebTrust for Certification Authorities is cited, QuoVadis does
not have the WebTrust seal; other offshore CAs do have the seal.  

This illustrates the need for a clear policy as requested in bug #233453.  
I agree that a clearly stated policy for CA cert acceptance is advisable.  
For example, the Microsoft policy may be found at:  
http://www.microsoft.com/technet/security/news/rootcert.mspx

Clearly, QuoVadis can provide supporting documentation for our CSP status and 
WebTrust procedures, conducted by the information security team of a Big Four 
accounting firm.
I confirm that this is a genuine request for enhancement.  :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
mass reassign enhancement requests for root CA certs to mozilla.org product 
and to Frank Hecker.  This will take several steps, as component must be 
changed separately :(
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
Assignee: hecker → hecker
As of April 9, the QuoVadis Root was added to the Microsoft Root Store for 
Windows XP and Windows 2003.  It will be released shortly (4/27/04) in Windows 
Update for all lower-level Windows users.

On that date, QuoVadis should appear on the list of Windows roots at 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp

As noted earlier, to achieve this QuoVadis completed the WebTrust for 
Certification Authorities procedures.

Please contact me for copies of the documentation you require.

Regards, Stephen
www.quovadis.bm
Attached provides links to key QuoVadis policy documents per Frank Hecker's
evaluation matrix.
I'm accepting this bug per my prior decision to consider approving CAs with
WebTrust audits. I've updated my CA list at
<http://www.hecker.org/mozilla/ca-certificate-list/> to reflect the QuoVadis
info provided by Stephen Davidson, with a few minor changes from what he
included in his attachment.

A few comments and questions:

* First, let me commend QuoVadis on the completeness of their documentation and
its accessibility on the QV web site. I especially like the fact that QV has a
PKI disclosure statement which is actually concise enough that a real user might
actually read it :-)

* The QuoVadis site links to CA certs at URLs
<http://www.quovadis.bm/public/rca.crt> and
<http://www.quovadis.bm/public/ica2.crt> respectively, while the attachment
provided by Stephen Davidson lists them at
<http://www.quovadis.bm/public/rca_base64.crt> and
<http://www.quovadis.bm/public/ica2_base64.crt> respectively. Both appear to
load into Mozilla the same way, and I presume the difference is simply a matter
of convenience for people who want the base-64 encoded versions.

* Of the two CA certs, the Root CA cert is a true root cert, while the ICA2 cert
is for an intermediate CA under that root. (Just thought I'd note that for
Nelson's benefit.)

* QuoVadis doesn't appear to have an actual WebTrust seal. From reading the
press release about QV being added to the Windows cert list
<http://www.quovadis.bm/corporate/article.asp?newsid=72> I presume the claim is
that by QV fulfilling requirements for the Bermuda Authorised CSP designation it
has met "WebTrust equivalent" requirements. Is my interpretation correct? If so,
is there actually a publicly-available audit report, similar to the WebTrust for
CA reports I've linked to for other CAs, or is the only public document the
certificate from the Ministry of Telecommunications and E-Commerce?
Status: NEW → ASSIGNED
Depends on: QuoVadis
Per my comments in the n.p.m.crypto newsgroup and mozilla-crypto mailing list
(on "WebTrust-equivalent" CA audits), I'm approving the QuoVadis root CA
certificate for inclusion in Mozilla, etc., based on their having completed a
"WebTrust-equivalent" independent audit, and have filed bug 261375 to get the
actual cert added to NSS.

Per discussions in n.p.m.crypto, I'm presuming that we should add only the
QuoVadis Root CA cert to NSS, not the QuoVadis Issuing CA2 cert under that root,
and have so indicated in bug 261375.

Please direct technical comments about the addition of this cert to bug 261375;
all other comments should be made in this bug or the newsgroup/mailing list.
Frank,

Nelson has added this root CA cert to NSS.  So
you can mark the bug fixed now.

You might want to remove bug 233453 as a dependency
of this bug.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and
removing bug 233543 and bug 261375 as dependencies.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
No longer depends on: 233453, QuoVadis
Product: mozilla.org → NSS