Bug 260484 (Sonera_CA_certs): Add Sonera CA certs (2) to builtin trusted CA list
Status: RESOLVED FIXED (Closed)
Opened 20 years ago; closed 19 years ago
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
People: Reporter: jyrki.nivala; Assigned: hecker
Attachments: 1 obsolete file

Description
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

Sonera CA has been audited by WebTrust standard (https://cert.webtrust.org/ViewSeal?id=276) and we offer a wide range of PKI services to our customers: smart cards, e-mail encryption, SSL certificates etc. We would like to add two root CAs into NSS:

Sonera Class 1 CA is for certificates where the private key is protected by a signature creation device (smart card and USB token).
Sonera Class 2 CA is for certificates where the private key is a software token (end-user certificates and SSL server certificates).

Policies and practices in brief: We use nCipher nShields for CA private key protection. End-users are registered by customer RAs. Only customers that have a valid contract with Sonera CA are able to issue certificates. Processes are described in more detail in the CPS and CPs (http://support.partnergate.sonera.com/modules.php?name=Content&pa=showpage&pid=2).

For SSL server certificates we take the usual steps to validate a certificate request:
1. We check DNS ownership.
2. We check contact details, etc.
Described in more detail in the Sonera Class 2 CP.

We have a 24 hour revocation helpdesk for our customers. CRL distribution points are listed under "Additional Information". Currently we do not use OCSP.

regards,
Jyrki Nivala - Product Manager
Sonera CA
jyrki.nivala@teliasonera.com
phone: +358407208007
P.O. Box 543
00051 SONERA
Finland
http://support.partnergate.sonera.com/
Sonera Class 1 CA:
Valid from: 6th April 2001
Valid to: 6th April 2021
Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
Thumbprint: 07 47 22 01 99 ce 74 b9 7c b0 3d 79 b2 64 a2 c8 55 e9 33 ff
CRL Distribution Point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class1%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
Certificate Policy: http://support.partnergate.sonera.com/
Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass1ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
-----END CERTIFICATE-----

Sonera Class 1 certificates:
- Private key is stored either in a smart card or a USB token (Signature Creation Device)
- Certificate validity period is a maximum of 5 years.

Sonera Class 2 CA:
Valid from: 6th April 2001
Valid to: 6th April 2021
Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
Thumbprint: 37 f7 6d e6 07 7c 90 c5 b1 3e 93 1a b7 41 10 b4 f2 e4 9a 27
CRL Distribution Point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class2%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
Certificate Policy: http://support.partnergate.sonera.com/
Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass2ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----

Sonera Class 2 certificates:
- Private key is stored on hard disk (workstation or server)
- Certificate validity period is a maximum of 3 years.
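A reviewer's first step on a submission like the one above is to recompute the thumbprint from the posted PEM and read the certificate's own fields (subject, validity, CA flag, key usage) rather than trusting the summary. The following is an added example written for this page, not Mozilla or NSS code: it embeds the Sonera Class 2 CA PEM exactly as posted above, treats the 20-byte thumbprint as SHA-1 over the DER encoding (an inference from its length), and uses only the Python standard library with a minimal DER walker. `check_submission`, `parse_certificate` and the other names are this example's own.

```python
"""Recompute a submitted root's thumbprint and read the certificate's own fields.
Added example for this bug, not Mozilla or NSS code; standard library only, with a
minimal DER walker that covers just the shapes found in a v3 X.509 certificate."""
import base64
import hashlib
import re
from datetime import datetime
# Sonera Class 2 CA exactly as posted above; the 20-byte thumbprint is SHA-1 over the DER.
SONERA_CLASS2_PEM = """-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----"""
SONERA_CLASS2_CLAIMED_THUMBPRINT = "37 f7 6d e6 07 7c 90 c5 b1 3e 93 1a b7 41 10 b4 f2 e4 9a 27"
OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = "2.5.29.19", "2.5.29.15"
NAME_ATTRS = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def pem_to_der(pem):
    return base64.b64decode("".join(re.search(r"BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1).split()))

def tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(b):
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:                                  # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def decode_name(buf, start, end):
    out = {}                                            # X.501 Name: SEQUENCE of SET of {type, value}
    for _, ss, se in children(buf, start, end):
        for _, as_, ae in children(buf, ss, se):
            (_, os_, oe), (_, vs, ve) = children(buf, as_, ae)
            oid = decode_oid(buf[os_:oe])
            out[NAME_ATTRS.get(oid, oid)] = buf[vs:ve].decode("latin-1")
    return out

def parse_certificate(pem):
    der = pem_to_der(pem)
    _, cs, ce = tlv(der, 0)                                            # Certificate ::= SEQUENCE
    (_, ts, te), _alg, _sig = children(der, cs, ce)                    # tbsCertificate, sigAlg, signature
    fields = list(children(der, ts, te))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields            # skip EXPLICIT [0] version
    (_, ns, ne), _alg, (_, is_, ie), (_, vs, ve), (_, ss, se) = fields[:5]
    nb, na = (datetime.strptime(der[a:b].decode(), "%y%m%d%H%M%SZ")    # UTCTime, as in both Sonera roots
              for _, a, b in children(der, vs, ve))
    info = {"sha1": hashlib.sha1(der).hexdigest(), "serial": int.from_bytes(der[ns:ne], "big"),
            "issuer": decode_name(der, is_, ie), "subject": decode_name(der, ss, se),
            "not_before": nb, "not_after": na, "ca": False, "key_usage": []}
    for tag, xs, xe in fields[5:]:
        if tag != 0xA3:                                                # EXPLICIT [3] extensions
            continue
        (_, seq_s, seq_e), = children(der, xs, xe)
        for _, es, ee in children(der, seq_s, seq_e):
            parts = list(children(der, es, ee))                        # extnID, [critical], extnValue
            oid = decode_oid(der[parts[0][1]:parts[0][2]])
            _, in_s, in_e = tlv(der, parts[-1][1])                     # DER carried inside the OCTET STRING
            if oid == OID_BASIC_CONSTRAINTS:                           # SEQUENCE { cA BOOLEAN DEFAULT FALSE }
                info["ca"] = any(t == 0x01 and der[a:b] == b"\xff" for t, a, b in children(der, in_s, in_e))
            elif oid == OID_KEY_USAGE:                                 # BIT STRING; first byte = unused bits
                unused, bits = der[in_s], der[in_s + 1:in_e]
                info["key_usage"] = [n for i, n in enumerate(KEY_USAGE_BITS)
                                     if i < 8 * len(bits) - unused and bits[i // 8] & (0x80 >> i % 8)]
    return info

def check_submission(pem, claimed_thumbprint):
    """Reviewer checklist: does the PEM match the claim, and is it a root that can sign certs and CRLs?"""
    info = parse_certificate(pem)
    return {"fingerprint_matches": info["sha1"] == re.sub(r"[^0-9a-f]", "", claimed_thumbprint.lower()),
            "subject_is_issuer": info["subject"] == info["issuer"],   # name check only, not the signature
            "ca_signing_certs_and_crls": info["ca"] and {"keyCertSign", "cRLSign"} <= set(info["key_usage"]),
            "subject_cn": info["subject"].get("CN"),
            "validity_years": (info["not_after"] - info["not_before"]).days // 365}
```

Run the same check on the Class 1 PEM by passing it with its claimed thumbprint. A mismatch means the PEM was altered in transit (a changed base64 character, a dropped line) or the thumbprint was taken over a different encoding, and the submission should be bounced rather than imported. The subject/issuer comparison is a name check only; it does not verify the self-signature, which a full validator would also do.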
Updated (Reporter) • 20 years ago

Updated • 20 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1 (Assignee) • 20 years ago
Some additional comments and questions:

1. Per email request from Jyrki Nivala of Sonera, I have marked Sonera Class 1 and Class 2 CAs as trusted for all purposes in my list of CAs:

http://www.hecker.org/mozilla/ca-certificate-list

Note that in Mozilla terms this means that certificates issued by these CAs will be accepted in the context of SSL-enabled web servers, S/MIME email, and object signing of executable code and related data. My question here is this: Do the Sonera CAs actually issue certificates for the purpose of object signing? (This is the Mozilla equivalent of Microsoft code developer certificates, e.g., for signing ActiveX controls.) If Sonera does *not* issue such certificates today and does not plan to issue them in the future, then there is no point in marking the Sonera certificates as trusted for this purpose.

2. Per the previous comments, CRLs for the Sonera CAs can be obtained from an LDAP directory maintained by Sonera. Is there also a URL where Mozilla users could download Sonera CRLs using HTTP? This would make it much simpler for Mozilla users to install and use Sonera CRLs.

Note that we need a definitive answer to question 1 above in order to add the certificates to NSS and thence Mozilla, etc. Question 2 is optional; I don't need the answer in order to approve Sonera for inclusion, but I'd like the information so that I can make it publicly available to any Mozilla users who are interested in using Sonera CRLs.
Status: NEW → ASSIGNED
Comment 2 (Reporter) • 20 years ago
(In reply to comment #1)
> Some additional comments and questions:
>
> 1. Per email request from Jyrki Nivala of Sonera, I have marked Sonera Class 1
> and Class 2 CAs as trusted for all purposes in my list of CAs:
>
> http://www.hecker.org/mozilla/ca-certificate-list
>
> Note that in Mozilla terms this means that certificates issued by these CAs will
> be accepted in the context of SSL-enabled web servers, S/MIME email, and object
> signing of executable code and related data. My question here is this: Do the
> Sonera CAs actually issue certificates for the purpose of object signing? (This
> is the Mozilla equivalent of Microsoft code developer certificates, e.g., for
> signing ActiveX controls.) If Sonera does *not* issue such certificates today
> and does not plan to issue them in the future, then there is no point in marking
> the Sonera certificates as trusted for this purpose.

We do not *currently* issue code-signing certificates, but we plan to in the near future. But, after you pointed it out, it could be better to change the "Trusted for" flag as follows:

Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for SSL client authentication)
Sonera Class 2 CA is trusted for All

> 2. Per the previous comments, CRLs for the Sonera CAs can be obtained from an
> LDAP directory maintained by Sonera. Is there also a URL where Mozilla users
> could download Sonera CRLs using HTTP? This would make it much simpler for
> Mozilla users to install and use Sonera CRLs.

Unfortunately we don't currently provide this. We are planning to provide this and OCSP next year; should we contact Mozilla.org then again?

> Note that we need a definitive answer to question 1 above in order to add the
> certificates to NSS and thence Mozilla, etc. Question 2 is optional; I don't
> need the answer in order to approve Sonera for inclusion, but I'd like the
> information so that I can make it publicly available to any Mozilla users who
> are interested in using Sonera CRLs.
Comment 3 (Assignee) • 20 years ago
(In reply to comment #2)
> We do not *currently* issue code-signing certificates, but we plan to in the near
> future. But, after you pointed it out, it could be better to change the "Trusted for"
> flag as follows:
> Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for
> SSL client authentication)
> Sonera Class 2 CA is trusted for All

Thank you for the additional information; I have updated my CA certificate list web page accordingly. (Use of Class 1 certs for SSL client authentication is irrelevant for Mozilla, since validation of the certificates in that context is done by web servers, not by Mozilla. Hence I've omitted mention of this in the CA certificate list.)

Re an HTTP URL for CRLs:
> Unfortunately we don't currently provide this. We are planning to provide this
> and OCSP next year; should we contact Mozilla.org then again?

Yes, just send me an email when you add that support. As I mentioned previously, this is just to provide additional information to Mozilla users, so if you forget to send me an email don't worry about it :-)
Comment 4 (Assignee) • 20 years ago
Per my previous comments I'm approving Sonera Class 1 and Class 2 CA certificates for inclusion in Mozilla, etc., and have filed bug 261373 against the NSS developers to get this accomplished. Please submit comments on technical issues related to the CA certificates to bug 261373; any other comments should stay in this bug.
Comment 5 • 19 years ago
Frank, Nelson has added these root CA certs to NSS. So you can mark the bug fixed now.
Comment 6 (Assignee) • 19 years ago
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and removing dependencies on bug 258416 and bug 261373.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 7 • 19 years ago
Per Sonera's wish in comment 2: Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for SSL client authentication).
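The decision recorded in comment 2 and applied in comment 7 is a per-use one: NSS keeps separate trust bits for SSL server authentication, S/MIME and object signing, so "trusted only for S/MIME" is a concrete trust record, not a note. The following is an added example written for this page, not NSS code. It shows the two Sonera decisions in the form certutil takes on import and in the form the builtin root store source (certdata.txt) records them; `trust_flags`, `certutil_add_argv`, `certdata_trust_lines` and the database path are this example's own names.

```python
"""Express a per-use root-trust decision as NSS records.
Added example for this bug, not NSS code; the function names and paths are the example's own."""

# certutil's -t argument is three comma-separated fields in this fixed order:
# SSL server auth, email (S/MIME), object signing. 'C' = trusted CA for that use.
USES = ("ssl", "email", "objsign")
# certdata.txt records the same three decisions as PKCS#11 trust attributes.
CERTDATA_ATTRS = {"ssl": "CKA_TRUST_SERVER_AUTH",
                  "email": "CKA_TRUST_EMAIL_PROTECTION",
                  "objsign": "CKA_TRUST_CODE_SIGNING"}

SONERA_DECISIONS = {                                   # from comment 2, applied in comment 7
    "Sonera Class1 CA": {"email": True},
    "Sonera Class2 CA": {"ssl": True, "email": True, "objsign": True},
}

def trust_flags(ssl=False, email=False, objsign=False):
    """certutil trust string; an empty field leaves that use untrusted (",C," = S/MIME only)."""
    decisions = {"ssl": ssl, "email": email, "objsign": objsign}
    return ",".join("C" if decisions[u] else "" for u in USES)

def certutil_add_argv(nickname, cert_path, db_dir, **uses):
    """Argument vector to import a root into an NSS database; returned, not executed."""
    return ["certutil", "-d", db_dir, "-A", "-n", nickname, "-t", trust_flags(**uses), "-i", cert_path]

def certdata_trust_lines(**uses):
    """The three trust attributes as they would appear in a certdata.txt trust object."""
    decisions = {"ssl": False, "email": False, "objsign": False, **uses}
    return [f"{CERTDATA_ATTRS[u]} CK_TRUST "
            f"{'CKT_NSS_TRUSTED_DELEGATOR' if decisions[u] else 'CKT_NSS_MUST_VERIFY_TRUST'}"
            for u in USES]

if __name__ == "__main__":
    for nick, uses in SONERA_DECISIONS.items():        # assumed file names and database path
        print(" ".join(certutil_add_argv(nick, nick.replace(" ", "").lower() + ".crt", "sql:/tmp/nssdb", **uses)))
        print("\n".join(certdata_trust_lines(**uses)))
```

With an empty SSL field the Class 1 root is imported without being trusted for server authentication, which is the state the patch in comment 8 describes for NSS 3.10; `certutil -L -d <db>` lists each nickname with its trust attributes in the same three-field order, so the result can be checked after import.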
Comment 8 • 19 years ago
Comment on attachment 180653: Incremental patch for NSS trunk (3.10): trust Sonera Class 1 CA only for S/MIME

Sorry, this patch is meant for the corresponding NSS bug 258416.

Attachment #180653 - Attachment is obsolete: true
Updated • 7 years ago
Product: mozilla.org → NSS
Updated • 2 years ago
Product: NSS → CA Program