Closed Bug 238381 Opened 16 years ago Closed 15 years ago
Vadis commercial CA cert to builtin trusted CA list
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322) Build Identifier: QuoVadis is a commercial certificate authority located in Bermuda and serving customers worldwide. We have particular expertise in the insurance and financial services sectors, and also serve the Bermuda Government. Corporate customers acting as registration authorities may use our web-based Trust/Link administration pages to issue and manage their certificate populations. QuoVadis is an Authorised Certification Services Provider (CSP) under Bermuda's Electronic Transactions Act. The CSP standard synthesizes major requirements from BS 7799, WebTrust for Certification Authorities, and the European Electronic Signature Standards Initiative (EESSI). More information may be found at: http://www.quovadis.bm/bdacsp.asp. The QuoVadis CA cert is already in Apple OSX, is expected to be added to the RIM BlackBerry OS in version 4, and has completed the WebTrust for CAs procedures for Microsoft. QuoVadis provides device/SSL certificates, as well as end user certificates in multiple classes ranging from low authentication to due diligence meeting international "know your client" standards. A summary of our certificate classes may be found at: http://www.quovadis.bm/policies/pki.asp We provide CRL at (root) www.quovadisoffshore.com/crl/qvrca.crl and (primary issuing) www.quovadisoffshore.com/crl/qvica2.crl. We do not currently provide OCSP. In addition to our CA services, QuoVadis provides professional services to assist organizations in deploying PKI for tasks such as secure e-mail, desktop login, VPN, digital signatures, smartcards and tokens, etc. QuoVadis currently provides a "root injector" that senses the user's computer config and inserts the root appropriately. This may be found at: http://www.quovadis.bm/root/ Following is the QV root CA cert in base 64 format. This must be verified at the URL above before it is deployed: -----BEGIN CERTIFICATE----- MIIF0DCCBLigAwIBAgIEOrZQizANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJC TTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDElMCMGA1UECxMcUm9vdCBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMlUXVvVmFkaXMgUm9vdCBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wMTAzMTkxODMzMzNaFw0yMTAzMTcxODMz MzNaMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMSUw IwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYDVQQDEyVR dW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2G1lVO6V/z68mcLOhrfEYBklbTRvM16z/Yp li4kVEAkOPcahdxYTMukJ0KX0J+DisPkBgNbAKVRHnAEdOLB1Dqr1607BxgFjv2D rOpm2RgbaIr1VxqYuvXtdj182d6UajtLF8HVj71lODqV0D1VNk7feVcxKh7YWWVJ WCCYfqtffp/p1k3sg3Spx2zY7ilKhSoGFPlU5tPaZQeLYzcS19Dsw3sgQUSj7cug F+FxZc4dZjH3dgEZyH0DWLaVSR2mEiboxgx24ONmy+pdpibu5cxfvWenAScOospU xbF6lR1xHkopigPcakXBpBlebzbNw6Kwt/5cOOJSvPhEQ+aQuwIDAQABo4ICUjCC Ak4wPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwczovL29jc3AucXVv dmFkaXNvZmZzaG9yZS5jb20wDwYDVR0TAQH/BAUwAwEB/zCCARoGA1UdIASCAREw ggENMIIBCQYJKwYBBAG+WAABMIH7MIHUBggrBgEFBQcCAjCBxxqBxFJlbGlhbmNl IG9uIHRoZSBRdW9WYWRpcyBSb290IENlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBh c3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFy ZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRpb24gcHJh Y3RpY2VzLCBhbmQgdGhlIFF1b1ZhZGlzIENlcnRpZmljYXRlIFBvbGljeS4wIgYI KwYBBQUHAgEWFmh0dHA6Ly93d3cucXVvdmFkaXMuYm0wHQYDVR0OBBYEFItLbe3T KbkGGew5Oanwl4Rqy+/fMIGuBgNVHSMEgaYwgaOAFItLbe3TKbkGGew5Oanwl4Rq y+/foYGEpIGBMH8xCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1p dGVkMSUwIwYDVQQLExxSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MS4wLAYD VQQDEyVRdW9WYWRpcyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ6tlCL MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOCAQEAitQUtf70mpKnGdSk fnIYj9lofFIk3WdvOXrEql494liwTXCYhGHoG+NpGA7O+0dQoE7/8CQfvbLO9Sf8 7C9TqnN7Az10buYWnuulLsS/VidQK2K6vkscPFVcQR0kvoIgR13VRH56FmjffU1R cHhXHTMe/QKZnAzNCgVPx7uOpHX6Sm2xgI4JVrmcGmD+XcHXetwReNDWXcG31a0y mQM6isxUJTkxgXsTIlG6Rmyhu576BGxJJnSP0nPrzDCi5upZIof4l/UO/erMkqQW xFIY6iHOsfHmhIHluqmGKPJDWl0Snawe2ajlCmqnf6CHKc/yiU3U7MXi5nrQNiOK SnQ2+Q== -----END CERTIFICATE----- Reproducible: Always Steps to Reproduce: Depends on 233453
May also be found at www.quovadis.bm/root
I would not ask Mozilla users to trust this (or any other certificate authority) without some assurance (beyond self assertions) that its practices do indeed meet the standards claimed in the second paragraph of the Description. The QuoVadis Web site does not indicate any third-party verification of its practices. While WebTrust for Certification Authorities is cited, QuoVadis does not have the WebTrust seal; other offshore CAs do have the seal. This illustrates the need for a clear policy as requested in bug #233453.
I agree that a clearly stated policy for CA cert acceptance is advisable. For example, the Microsoft policy may be found at: http://www.microsoft.com/technet/security/news/rootcert.mspx Clearly, QuoVadis can provide supporting documentation for our CSP status and WebTrust procedures, conducted by the information security team of a Big Four accounting firm.
I confirm that this is a genuine request for enhancement. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
mass reassign enhancement requests for root CA certs to mozilla.org product and to Frank Hecker. This will take several steps, as component must be changed separately :(
Assignee: wchang0222 → hecker
Component: Libraries → CA Certificates
Product: NSS → mozilla.org
Version: unspecified → other
As of April 9, the QuoVadis Root was added to the Microsoft Root Store for Windows XP and Windows 2003. It will be released shortly (4/27/04) in Windows Update for all lower-level Windows users. On that date, QuoVadis should appear on the list of Windows roots at http://msdn.microsoft.com/library/default.asp?url=/library/en- us/dnsecure/html/rootcertprog.asp As noted earlier, to achieve this QuoVadis completed the WebTrust for Certification Authorities procedures. Please contact me for copies of the documentation your require. Regards, Stephen www.quovadis.bm
Attached provides links to key QuoVadis policy documents per Frank Hecker's evaluation matrix.
I'm accepting this bug per my prior decision to consider approving CAs with WebTrust audits. I've updated my CA list at <http://www.hecker.org/mozilla/ca-certificate-list/> to reflect the QuoVadis info provided by Stephen Davidson, with a few minor changes from what he included in his attachment. A few comments and questions: * First, let me commend QuoVadis on the completeness of their documentation and its accessibility on the QV web site. I especially like the fact that QV has a PKI disclosure statement which is actually concise enough that a real user might actually read it :-) * The QuoVadis site links to CA certs at URLs <http://www.quovadis.bm/public/rca.crt> and <http://www.quovadis.bm/public/ica2.crt> respectively, while the attachment provided by Stephen Davidson lists them at <http://www.quovadis.bm/public/rca_base64.crt> and <http://www.quovadis.bm/public/ica2_base64.crt> respectively. Both appear to load into Mozilla the same way, and I presume the difference is simply a matter of convenience for people who want the base-64 encoded versions. * Of the two CA certs, the Root CA cert is a true root cert, while the ICA2 cert is for an intermediate CA under that root. (Just thought I'd note that for Nelson's benefit.) * QuoVadis doesn't appear to have an actual WebTrust seal. From reading the press release about QV being added to the Windows cert list <http://www.quovadis.bm/corporate/article.asp?newsid=72> I presume the claim is that by QV fulfilling requirements for the Bermuda Authorised CSP designation it has met "WebTrust equivalent" requirements. Is my interpretation correct? If so, is there actually a publicly-available audit report, similar to the WebTrust for CA reports I've linked to for other CAs, or is the only public document the certificate from the Ministry of Telecommunications and E-Commerce?
Status: NEW → ASSIGNED
Per my comments in the n.p.m.crypto newsgroup and mozilla-crypto mailing list (on "WebTrust-equivalent" CA audits), I'm approving the QuoVadis root CA certificate for inclusion in Mozilla, etc., based on their having completed a "WebTrust-equivalent" independent audit, and have filed bug 261375 to get the actual cert added to NSS. Per discussions in n.p.m.crypto, I'm presuming that we should add only the QuoVadis Root CA cert to NSS, not the QuoVadis Issuing CA2 cert under that root, and have so indicated in bug 261375. Please direct technical comments about the addition of this cert to bug 261375; all other comments should be made in this bug or the newsgroup/mailing list.
Frank, Nelson has added this root CA cert to NSS. So you can mark the bug fixed now. You might want to remove bug 233453 as a dependency of this bug.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and removing bug 233543 and bug 261375 as dependencies.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.