Closed Bug 258416 (Sonera_CA) Opened 20 years ago Closed 20 years ago

Add Sonera CA certs (2) to builtin trusted CA list

Categories

(NSS :: Libraries, enhancement, P2)

enhancement

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jyrki.nivala, Assigned: nelson)

References

()

Details

Attachments

(4 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

Sonera CA has been audited against the WebTrust standard (https://cert.webtrust.org/ViewSeal?id=276) and we offer a wide range of PKI services to our customers: smart cards, e-mail encryption, SSL certificates etc. We would like to add two root CAs into NSS:

Sonera Class 1 CA is for certificates where the private key is protected by a signature creation device (smart card and USB token).
Sonera Class 2 CA is for certificates where the private key is a software token (end-user certificates and SSL server certificates).

Policies and practices in brief:
We use nCipher nShields for CA private key protection. End-users are registered by customer RAs. Only customers that have a valid contract with Sonera CA are able to issue certificates. Processes are described in more detail in the CPS and CPs (http://support.partnergate.sonera.com/modules.php?name=Content&pa=showpage&pid=2).

For SSL server certificates we take the usual steps to validate the certificate request:
1. We check DNS ownership.
2. We check contact details, etc.
Described in more detail in the Sonera Class 2 CP.

We have a 24 hour revocation helpdesk for our customers. CRL distribution points are listed under "Additional Information". Currently we do not use OCSP.

regards,
Jyrki Nivala - Product Manager Sonera CA
jyrki.nivala@teliasonera.com
phone: +358407208007
P.O. Box 543 00051 SONERA Finland
http://support.partnergate.sonera.com/

Reproducible: Always
Sonera Class 1 CA:
Valid from: 6th April 2001
Valid to: 6th April 2021
Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
Thumbprint: 07 47 22 01 99 ce 74 b9 7c b0 3d 79 b2 64 a2 c8 55 e9 33 ff
CRL Distribution point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class1%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
Certificate Policy: http://support.partnergate.sonera.com/
Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass1ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
-----END CERTIFICATE-----

Sonera Class 1 certificates:
- Private key is stored either in a smart card or a USB token (Signature Creation Device)
- Certificate validity period is a maximum of 5 years.
Sonera Class 2 CA:
Valid from: 6th April 2001
Valid to: 6th April 2021
Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
Thumbprint: 37 f7 6d e6 07 7c 90 c5 b1 3e 93 1a b7 41 10 b4 f2 e4 9a 27
CRL Distribution point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class2%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
Certificate Policy: http://support.partnergate.sonera.com/
Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass2ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----

Sonera Class 2 certificates:
- Private key is stored on a hard disk (workstation or server)
- Certificate validity period is a maximum of 3 years.
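A check a reviewer can run on certificates posted like the two above before adding them to a trust store, as an added example; it is not code from this bug, from NSS or from Sonera. It uses only the Python standard library: it decodes the Class 1 PEM, compares the SHA-1 of the DER encoding with the published thumbprint, walks just enough ASN.1 DER to confirm basicConstraints cA=TRUE and a keyCertSign key usage, and renders a trust decision as the SSL,email,objsign flag string that NSS certutil's -t option accepts. The DER walker is an assumption-laden minimum (single-byte tags, no signature or chain verification); the Class 2 certificate is checked the same way by passing its PEM and thumbprint.

```python
"""Check a published root CA cert before trusting it (added example, stdlib only).
Compares the SHA-1 of the DER with the published thumbprint and walks just enough
ASN.1 DER to confirm basicConstraints cA=TRUE and keyCertSign. Assumes single-byte
tags (true for every X.509 field); nothing else is validated here."""
import base64
import hashlib
import re
from datetime import datetime, timezone

# Sonera Class 1 CA and its thumbprint, copied from the bug report above.
SONERA_CLASS1_PEM = """-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
-----END CERTIFICATE-----"""
SONERA_CLASS1_THUMBPRINT = "07 47 22 01 99 ce 74 b9 7c b0 3d 79 b2 64 a2 c8 55 e9 33 ff"
OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = bytes.fromhex("551d13"), bytes.fromhex("551d0f")  # 2.5.29.19 / .15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def fingerprint(der, algo="sha1"):
    return ":".join(f"{b:02x}" for b in hashlib.new(algo, der).digest())

def thumbprint_matches(der, published):
    # Accept the published value as "07 47 22 ..." or "07:47:22:..." in either case.
    return fingerprint(der).replace(":", "") == re.sub(r"[^0-9a-f]", "", published.lower())

def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    # Split the content of a constructed value into its (tag, value) children.
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Return serial, validity window, basicConstraints.cA and the keyUsage names."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = (_time(t, v) for t, v in _children(fields[3][1]))
    info = {"serial": int.from_bytes(fields[0][1], "big", signed=True),
            "not_before": not_before, "not_after": not_after, "is_ca": False, "key_usage": set()}
    for tag, val in fields[6:]:
        if tag != 0xA3:               # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            parts = _children(ext)    # extnID, optional critical, extnValue OCTET STRING
            oid, inner = parts[0][1], _children(parts[-1][1])
            if oid == OID_BASIC_CONSTRAINTS:   # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                info["is_ca"] = any(t == 0x01 and v != b"\x00" for t, v in _children(inner[0][1]))
            elif oid == OID_KEY_USAGE:         # BIT STRING; first byte is the unused-bit count
                bits = inner[0][1][1:]
                info["key_usage"] = {name for i, name in enumerate(KEY_USAGE_BITS)
                                     if bits and bits[i // 8] & (0x80 >> (i % 8))}
    return info

def check_root(pem, published_thumbprint):
    der = pem_to_der(pem)
    info = parse_certificate(der)
    info.update(sha1=fingerprint(der), sha256=fingerprint(der, "sha256"),
                thumbprint_ok=thumbprint_matches(der, published_thumbprint))
    info["usable_as_root"] = info["thumbprint_ok"] and info["is_ca"] and "keyCertSign" in info["key_usage"]
    return info

def certutil_trust_flags(ssl, email, objsign):
    """NSS certutil -t string; 'C' marks a trusted CA in the SSL, email, objsign slot."""
    return ",".join("C" if on else "" for on in (ssl, email, objsign))

if __name__ == "__main__":
    for key, value in check_root(SONERA_CLASS1_PEM, SONERA_CLASS1_THUMBPRINT).items():
        print(f"{key:15} {value}")
    print("Class 1 (S/MIME only):", certutil_trust_flags(False, True, False))
```

Run as a script it prints the report; check_root returns the same fields so they can be diffed against what the CA published. The trust string ",C," is the flag-level form of the decision recorded in this bug that Class 1 is trusted only for S/MIME, while "C,C,C" corresponds to Class 2 being trusted for all purposes.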
Alias: Sonera_CA
Depends on: 233453
Version: unspecified → 3.9.3
Please open a bug against product "mozilla.org", component "CA Certificates" to get the approval by the Mozilla Foundation. Make this bug depend on that bug. We will use this bug for the actual addition of the CA certificates to NSS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 3.9.3 → 3.9.2
Mass reassign to myself of enhancement requests for new root certs. Targetting them all for NSS 3.10
Assignee: wchang0222 → nelson
Priority: -- → P2
Target Milestone: --- → 3.10
Version: 3.9.2 → 3.9
*** Bug 261373 has been marked as a duplicate of this bug. ***
In bug 261373, Frank Hecker wrote:
> Per bug 260484 and my comments in n.p.m.crypto I am approving Sonera
> Class 1 and Class 2 CA certificates for inclusion in Mozilla et.al.
> Please add these to the appropriate NSS release(s).
> For certificate URLs see <http://www.hecker.org/mozilla/ca-certificate-list>.
> Note that per comments from Sonera personnel the Class 1 CA should be
> marked as trusted for S/MIME email use only, while the Class 2 CA should be
> marked as trusted for all purposes.
Hello, I noticed that some of the root CAs that are listed in http://www.hecker.org/mozilla/ca-certificate-list/ were included in Firefox 1.0 (NSS 3.9.3) and others not (e.g. Sonera). Is there something that Sonera still needs to do?

regards,
Jyrki Nivala
TeliaSonera Finland
The problem was that a group of CAs (including Sonera) was approved significantly later than another group approved earlier, and the date was too close to the Firefox release dates to complete all the work needed to get the certificates into Firefox 1.0. Doing this is not a simple process (among other things, it requires doing a new release of the NSS library), and therefore the developers decided that it was too risky to try to make the needed changes so close to the release date. I'm sorry that we were not able to get CA certs for Sonera into Firefox 1.0. Your certificates will certainly be included for Firefox 1.1, and I'm going to lobby for some way to get them into Firefox before then if possible.
The patches that add these requested ROOT CA certs to the NSS 3.9 branch and to the NSS trunk have been attached to bug 271585. Please see bug 271585 for those attachments. When those attachments have been reviewed and checked in, this bug will be marked resolved/fixed.
Status: NEW → ASSIGNED
These certs have been added to the trunk and the NSS 3.9 branch. See bug 271585 for more details and the patches. For testing purposes, for a short time (weeks), a copy of a debug build of nssckbi.dll with these certs added, built from the NSS 3.9 branch, may be obtained for testing at http://nelson.bolyard.com/mozilla/nssckbi.dll I invite the representatives of the various CAs to download it and test it. Please add any comments (reflecting success or failure) to this bug. It passes my tests.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: 3.10 → 3.9.5
Success! Thank you.
Success with NSS, yes. The Tbird and Firefox groups have decided to keep their own copies of NSS on their own branches, rather than using the tagged NSS releases - or so I have been repeatedly told. This means that the bug fixes and additions to NSS on the NSS trunk and/or the NSS branches do not automatically get taken into TB/FF. Due to their decision to use their own copies of NSS, someone on those teams must copy the recent NSS changes into their own copies of NSS. Until they do, these NSS enhancements will not benefit TB/FF. Please encourage the TB/FF people to take these changes at their soonest convenience, or better yet, to stop insisting on keeping a copy of the NSS source on their branch, and to use the NSS release tags maintained and supported by the NSS team.
Mass re-assign of 3.9.5 fixed bugs to 3.9.6, since we built 3.9.5 with the same source tree as 3.9.4.
Target Milestone: 3.9.5 → 3.9.6
Verified with Firefox 1.0.2 that Sonera Class1 CA and Sonera Class2 CA are in the "Builtin Object Token" with the following trust settings:
- This certificate can identify web sites.
- This certificate can identify mail users.
- This certificate can identify software makers.
Status: RESOLVED → VERIFIED
Per Sonera's wish in bug 260484 comment 2: Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for SSL client authentication). We don't need to bump the nssckbi module number for this checkin because it was already done yesterday. Nelson, please review this patch.
Attachment #180655 - Flags: review?(nelson)
This patch is appropriate for Firefox/Thunderbird 1.0.4. Note that the nssckbi module's version is bumped.
Attachment #180657 - Flags: review?(nelson)
Comment on attachment 180655: Incremental patch for NSS trunk (3.10): trust Sonera Class 1 CA only for S/MIME
r=nelson
Attachment #180655 - Flags: review?(nelson) → review+
Comment on attachment 180657: Incremental patch for NSS_3_9_BRANCH: trust Sonera Class 1 CA only for S/MIME
r=nelson
Attachment #180657 - Flags: review?(nelson) → review+
The incremental patches have been checked in on the NSS trunk (NSS 3.10) and NSS_3_9_BRANCH (NSS 3.9.6). The nssckbi module versions are 1.53 and 1.43, respectively.
No longer depends on: 233453