Closed Bug 258416 (Sonera_CA) Opened 20 years ago Closed 20 years ago

Add Sonera CA certs (2) to builtin trusted CA list

Categories

(NSS :: Libraries, enhancement, P2)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: jyrki.nivala, Assigned: nelson)

References

(
URL
)

Details

Attachments

(4 files)

Incremental patch for NSS trunk (3.10): trust Sonera Class 1 CA only for S/MIME
2.28 KB, patch
nelson
: review+
Details | Diff | Splinter Review
Incremental patch for NSS_3_9_BRANCH: trust Sonera Class 1 CA only for S/MIME
1.48 KB, patch
nelson
: review+
Details | Diff | Splinter Review
TeliaSonera-WebTrustBR-2015-06-30.pdf
122.08 KB, application/pdf
Details
TeliaSonera-WebTrustBR-2016-06-30.pdf
188.41 KB, application/octetstream
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

Sonera CA has been audited by WebTrust standard
(https://cert.webtrust.org/ViewSeal?id=276) and we offer wide range of PKI
services to our customers: smart cards, e-mail encryption, SSL certificates etc.

We would like to add two root CAs into NSS:
Sonera Class 1 CA is for certificates where private key is protected by
signature creation device (smart card and USB token)

Sonera Class 2 CA is for certificates where private key is a software token
(end-user certificates and SSL server certificates)

Policies and practises in brief:

We use nCipher nShields for CA private key protection.

End-users are registered by customer RA's. Only customers that have valid
contract with Sonera CA are able to issue certificates. Process are described
more detail in CPS and CPs
(http://support.partnergate.sonera.com/modules.php?name=Content&pa=showpage&pid=2). 

For SSL server certicates we take he usual steps to validate certificate request:
1. We check DNS ownership.
2. We check contact details, etc. Described more detail in Sonera Class 2 CP.

We have 24 hour revocation helpdesk for our customers. Crl distribution points
are listed under "Additional Information". Currently we do not use OCSP.

regards,
Jyrki Nivala - Product Manager
Sonera CA
jyrki.nivala@teliasonera.com
phone: +358407208007
P.O. Box 543
00051 SONERA
Finland
http://support.partnergate.sonera.com/ 


Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Sonera Class 1 CA:
	Valid from: 6th April 2001
	Valid to: 6th April 2021
	Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing 
	Thumprint: 07 47 22 01 99 ce 74 b9 7c b0 3d 79 b2 64 a2 c8 55 e9 33 ff
	CRL Distribution point: 
URL=ldap://194.252.124.241:389/cn=Sonera%20Class1%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
	
Certificate Policy 
http://support.partnergate.sonera.com/

Certificate download page: 
http://support.partnergate.sonera.com/download/CA/soneraclass1ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
-----END CERTIFICATE-----



Sonera Class 1 -certificates:
-	Private key is stored either in smart card or USB token (Signature Creation
Device)
-	Certificate validity period is maximum 5 years.



Sonera Class 2 CA:
	Valid from: 6th April 2001
	Valid to: 6th April 2021
	Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing 
	Thumprint: 37 f7 6d e6 07 7c 90 c5 b1 3e 93 1a b7 41 10 b4 f2 e4 9a 27
CRL Distribution point: 
URL=ldap://194.252.124.241:389/cn=Sonera%20Class2%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
Certificate Policy:
http://support.partnergate.sonera.com/
Certificate download page:
http://support.partnergate.sonera.com/download/CA/soneraclass2ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----


Sonera Class 2 -certificates:
-	Private key is stored in hard disk (workstation or server)
-	Certificate validity period is maximum 3 years.
Alias: Sonera_CA
Depends on: 233453
Version: unspecified → 3.9.3
Please open a bug against product "mozilla.org",
component "CA Certificates" to get the approval
by the Mozilla Foundation.  Make this bug depend
on that bug.  We will use this bug for the actual
addition of the CA certificates to NSS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 3.9.3 → 3.9.2
Blocks: Sonera_CA_certs
Mass reassign to myself of enhancement requests for new root certs.
Targetting them all for NSS 3.10
Assignee: wchang0222 → nelson
Priority: -- → P2
Target Milestone: --- → 3.10
Version: 3.9.2 → 3.9
*** Bug 261373 has been marked as a duplicate of this bug. ***
In bug 261373, Frank Hecker wrote:

> Per bug 260484 and my comments in n.p.m.crypto I am approving Sonera 
> Class 1 and Class 2 CA certificates for inclusion in Mozilla et.al. 
> Please add these to the appropriate NSS release(s).

> For certificate URLs see <http://www.hecker.org/mozilla/ca-certificate-list>.
> Note that per comments from Sonera personnel the Class 1 CA should be 
> marked as trusted for S/MIME email use only, while the Class 2 CA should be 
> marked as trusted for all purposes.
Hello, I noticed that some of the root CAs that are listed in
http://www.hecker.org/mozilla/ca-certificate-list/ were included in Firefox 1.0
(nss 3.9.3) and others not (e.g. Sonera). Is there something that Sonera needs
to still?

regards,
Jyrki Nivala
TeliaSonera Finland
The problem was that a group of CAs (including Sonera) was approved
significantly later than another group approved earlier, and the date was too
close to the Firefox release dates to complete all the work needed to get the
certificates into Firefox 1.0. Doing this is not a simple process (among other
things, it requires doing a new release of the NSS library), and therefore the
developers decided that it was too risky to try to make the needed changes so
close to the release date.

I'm sorry that we were not able to get CA certs for Sonera into Firefox 1.0.
Your ceertificates will certainly be included for Firefox 1.1, and I'm going to
lobby for some way to get them into Firefox before then if possible.
The patches that add these requested ROOT CA certs to the NSS 3.9 branch
and to the NSS trunk have been attached to bug 271585.  Please see 
bug 271585 for those attachments.  When those attachments have been 
reviewed and checked in, this bug will be marked resolved/fixed.
Status: NEW → ASSIGNED
These certs have been added to the trunk and the NSS 3.9 branch.
See bug 271585 for more details and the patches.

For testing purposes, for a short time (weeks), a copy of a debug build
of nssckbi.dll with these certs added, built from the NSS 3.9 branch,
may be obtained for testing at http://nelson.bolyard.com/mozilla/nssckbi.dll

I invite the representatives of the various CAs to download it and test it.
Please add any comments (reflecting success or failure) to this bug.
It passes my tests.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: 3.10 → 3.9.5
Success! Thank you.
Success with NSS, yes.  

The Tbird and FireFox groups have decided to keep their own copies of NSS
on their own branches, rather than using the tagged NSS releases - or so
I have been repeatedly told.  This means that the bug fixes and additions
to NSS on the NSS trunk and/or the NSS branches do not automatically get
taken into TB/FF.  Due to their decision to use their own copies of NSS,
someone on those teams must copy the recent NSS changes into their own 
copies of NSS.  Until they do, these NSS enhancements will not benefit TB/FF.

Please encourage the TB/FF people to take these changes at their soonest
convenience, or better yet, to stop insisting on keeping a copy of the NSS
source on their branch, and to use the NSS release tags maintained and 
supported by the NSS team.   
Mass re-assign of 3.9.5 fixed bugs to 3.9.6 , since we built 3.9.5 with the same
source tree as 3.9.4 .
Target Milestone: 3.9.5 → 3.9.6
Verified with Firefox 1.0.2 that Sonera Class1 CA and
Sonera Class2 CA are in the "Builtin Object Token" with
the following trust settings:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.
Status: RESOLVED → VERIFIED
Per Sonera's wish in bug 260484 comment 2:

  Sonera Class 1 CA is trusted only for S/MIME (Class 1
  certs are also used for SSL client authentication).

We don't need to bump the nssckbi module number for this
checkin because it was already done yesterday.

Nelson, please review this patch.
Attachment #180655 - Flags: review?(nelson)
This patch is appropriate for Firefox/Thunderbird 1.0.4.

Note that the nssckbi module's version is bumped.
Attachment #180657 - Flags: review?(nelson)
Comment on attachment 180655 [details] [diff] [review]
Incremental patch for NSS trunk (3.10): trust Sonera Class 1 CA only for S/MIME 

r=nelson
Attachment #180655 - Flags: review?(nelson) → review+
Comment on attachment 180657 [details] [diff] [review]
Incremental patch for NSS_3_9_BRANCH: trust Sonera Class 1 CA only for S/MIME

r=nelson
Attachment #180657 - Flags: review?(nelson) → review+
The incremental patches have been checked in on
the NSS trunk (NSS 3.10) and NSS_3_9_BRANCH (NSS 3.9.6).
The nssckbi module versions are 1.53 and 1.43, respectively.
No longer depends on: 233453
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: