Closed Bug 260484 (Sonera_CA_certs) Opened 20 years ago Closed 19 years ago

Add Sonera CA certs (2) to builtin trusted CA list

Component: CA Program :: CA Certificate Root Program (task)
Status: RESOLVED FIXED
Reporter: jyrki.nivala; Assigned: hecker
Attachments: 1 obsolete file

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

Sonera CA has been audited to the WebTrust standard
(https://cert.webtrust.org/ViewSeal?id=276) and we offer a wide range of PKI
services to our customers: smart cards, e-mail encryption, SSL certificates etc.

We would like to add two root CAs into NSS:
Sonera Class 1 CA is for certificates where the private key is protected by a
signature creation device (smart card or USB token).

Sonera Class 2 CA is for certificates where the private key is a software token
(end-user certificates and SSL server certificates).

Policies and practices in brief:

We use nCipher nShields for CA private key protection.

End-users are registered by customer RAs. Only customers that have a valid
contract with Sonera CA are able to issue certificates. The processes are
described in more detail in the CPS and CPs
(http://support.partnergate.sonera.com/modules.php?name=Content&pa=showpage&pid=2).

For SSL server certificates we take the usual steps to validate a certificate request:
1. We check DNS ownership.
2. We check contact details, etc. Described in more detail in the Sonera Class 2 CP.

We have a 24-hour revocation helpdesk for our customers. CRL distribution points
are listed under "Additional Information". Currently we do not use OCSP.

regards,
Jyrki Nivala - Product Manager
Sonera CA
jyrki.nivala@teliasonera.com
phone: +358407208007
P.O. Box 543
00051 SONERA
Finland
http://support.partnergate.sonera.com/ 








Sonera Class 1 CA:
	Valid from: 6th April 2001
	Valid to: 6th April 2021
	Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
	Thumbprint: 07 47 22 01 99 ce 74 b9 7c b0 3d 79 b2 64 a2 c8 55 e9 33 ff
	CRL Distribution point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class1%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
	Certificate Policy: http://support.partnergate.sonera.com/
	Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass1ca.crt

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----



Sonera Class 1 certificates:
-	Private key is stored either in smart card or USB token (Signature Creation
Device)
-	Certificate validity period is maximum 5 years.



Sonera Class 2 CA:
	Valid from: 6th April 2001
	Valid to: 6th April 2021
	Key usage: Certificate Signing, Off-line CRL Signing, CRL Signing
	Thumbprint: 37 f7 6d e6 07 7c 90 c5 b1 3e 93 1a b7 41 10 b4 f2 e4 9a 27
	CRL Distribution point: URL=ldap://194.252.124.241:389/cn=Sonera%20Class2%20CA,o=Sonera,c=FI?certificaterevocationlist;binary
	Certificate Policy: http://support.partnergate.sonera.com/
	Certificate download page: http://support.partnergate.sonera.com/download/CA/soneraclass2ca.crt

-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----


Sonera Class 2 certificates:
-	Private key is stored in hard disk (workstation or server)
-	Certificate validity period is maximum 3 years.
Alias: Sonera_CA_certs
Depends on: Sonera_CA
QA Contact: jyrki.nivala
Status: UNCONFIRMED → NEW
Ever confirmed: true
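The certificate details above are the kind of thing a root-program reviewer verifies rather than takes on trust: that the pasted PEM really has the posted thumbprint, that basic constraints and key usage say "CA" (certificate and CRL signing only), and what the validity window is. What follows is an added example, not code from the bug, from Sonera or from NSS. It uses only the Python standard library and a minimal DER walk in place of a full X.509 library, and it embeds the Class 2 CA PEM exactly as posted above (the only PEM reproduced on this page); the thumbprint constant is the one the reporter gave for the Class 2 CA, so a mismatch would mean the PEM and the out-of-band fingerprint disagree.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# Sonera Class 2 CA root, exactly as pasted in the report above.
SONERA_CLASS2_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBHTANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MyIENBMB4XDTAx
MDQwNjA3Mjk0MFoXDTIxMDQwNjA3Mjk0MFowOTELMAkGA1UEBhMCRkkxDzANBgNV
BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMiBDQTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJAXSjWdyvANlsdE+hY3/Ei9vX+ALTU74W+o
Z6m/AxxNjG8yR9VBaKQTBME1DJqEQ/xcHf+Js+gXGM2RX/uJ4+q/Tl18GybTdXnt
5oTjV+WtKcT0OijnpXuENmmz/V52vaMtmdOQTiMofRhj8VQ7Jp12W5dCsv+u8E7s
3TmVToMGf+dJQMjFAbJUWmYdPfz56TwKnoG4cPABi+QjVHzIrviQHgCWctRUz2Ej
vOr7nQKV0ba5cTppCD8PtOFCx4j1P5iop7oc4HFx71hXgVB6XGt0Rg6DA5jDjqhu
8nYybieDwnPz3BjotJPqdURrBGAgcVeHnfO+oJAjPYok4doh28MCAwEAAaMzMDEw
DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQISqCqWITTXjwwCwYDVR0PBAQDAgEG
MA0GCSqGSIb3DQEBBQUAA4IBAQBazof5FnIVV0sd2ZvnoiYw7JNn39Yt0jSv9zil
zqsWuasvfDXLrNAPtEwr/IDva4yRXzZ299uzGxnq9LIR/WFxRL8oszodv7ND6J+/
3DEIcbCdjdY0RzKQxmUk96BKfARzjzlvF4xytb1LyHr4e4PDKE6cCepnP7JnBBvD
FNr450kkkdAdavphOe9r5yF1BgfYErQhIHBCcYHaPJo2vqZbDWpsmh+Re/n570K6
Tk6ezAyNlNzZRZxe7EJQY670XcSxEtzKO6gunRRaBXW37Ndj4ro1tgQIkejanZz2
ZrUYrAqmVCY0M9IbwdR/GjqOC6oybtv8TyWf2TLHllpwrN9M
-----END CERTIFICATE-----
"""

# SHA-1 thumbprint as the reporter posted it: the out-of-band value to compare against.
EXPECTED_SHA1 = "37f76de6077c90c5b13e931ab74110b4f2e49a27"
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # 2.5.29.19
OID_KEY_USAGE = b"\x55\x1d\x0f"           # 2.5.29.15

def pem_to_der(pem):
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the TLVs packed inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def parse_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_root(pem):
    """Minimal X.509 walk covering the fields a root-inclusion reviewer checks by hand."""
    der = pem_to_der(pem)
    _, cert_s, cert_e = read_tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs_s, tbs_e = next(children(der, cert_s, cert_e))     # tbsCertificate
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                                  # [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(der[fields[0][1]:fields[0][2]], "big")
    _, val_s, val_e = fields[3]                               # Validity SEQUENCE
    not_before, not_after = [parse_time(t, der[s:e]) for t, s, e in children(der, val_s, val_e)]
    is_ca, key_usage = False, set()
    for tag, s, e in fields[4:]:
        if tag != 0xA3:                                       # [3] EXPLICIT Extensions
            continue
        _, seq_s, seq_e = next(children(der, s, e))
        for _, ext_s, ext_e in children(der, seq_s, seq_e):
            parts = list(children(der, ext_s, ext_e))         # OID [, critical BOOLEAN], OCTET STRING
            oid, (_, ov_s, ov_e) = der[parts[0][1]:parts[0][2]], parts[-1]
            if oid == OID_BASIC_CONSTRAINTS:
                _, bc_s, bc_e = next(children(der, ov_s, ov_e))
                bc = list(children(der, bc_s, bc_e))
                is_ca = bool(bc) and bc[0][0] == 0x01 and der[bc[0][1]] == 0xFF
            elif oid == OID_KEY_USAGE:
                _, bs_s, bs_e = next(children(der, ov_s, ov_e))   # BIT STRING
                bits = der[bs_s + 1:bs_e]                     # byte 0 is the unused-bit count
                key_usage = {n for i, n in enumerate(KEY_USAGE_BITS)
                             if i < 8 * len(bits) and bits[i // 8] & (0x80 >> (i % 8))}
    return {"sha1": hashlib.sha1(der).hexdigest(), "serial": serial,
            "not_before": not_before, "not_after": not_after,
            "is_ca": is_ca, "key_usage": key_usage,
            "expired": datetime.now(timezone.utc) > not_after}

def check_sonera_class2():
    info = inspect_root(SONERA_CLASS2_PEM)
    info["thumbprint_matches"] = info["sha1"] == EXPECTED_SHA1
    return info
```

`check_sonera_class2()` returns the computed SHA-1, serial, validity window, CA flag, key-usage set, whether the root is past its notAfter today (it is: the certificate expires 6 April 2021), and whether the SHA-1 of the decoded DER equals the posted thumbprint. The trust decision reached later in this bug (Class 1 for S/MIME only, Class 2 for SSL, S/MIME and object signing) is what NSS's certutil expresses with its trust-flags argument, `-t ",C,"` versus `-t "C,C,C"` (SSL, email, object signing), when a root is imported into a local certificate database.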
Some additional comments and questions:

1. Per email request from Jyrki Nivala of Sonera, I have marked Sonera Class 1
and Class 2 CAs as trusted for all purposes in my list of CAs:

  http://www.hecker.org/mozilla/ca-certificate-list

Note that in Mozilla terms this means that certificates issued by these CAs will
be accepted in the context of SSL-enabled web servers, S/MIME email, and object
signing of executable code and related data. My question here is this: Do the
Sonera CAs actually issue certificates for the purpose of object signing? (This
is the Mozilla equivalent of Microsoft code developer certificates, e.g., for
signing ActiveX controls.) If Sonera does *not* issue such certificates today
and does not plan to issue them in the future, then there is no point in marking
the Sonera certificates as trusted for this purpose.

2. Per the previous comments, CRLs for the Sonera CAs can be obtained from an
LDAP directory maintained by Sonera. Is there also a URL where Mozilla users
could download Sonera CRLs using HTTP? This would make it much simpler for
Mozilla users to install and use Sonera CRLs.

Note that we need a definitive answer to question 1 above in order to add the
certificates to NSS and thence Mozilla, etc. Question 2 is optional; I don't
need the answer in order to approve Sonera for inclusion, but I'd like the
information so that I can make it publicly available to any Mozilla users who
are interested in using Sonera CRLs.
Status: NEW → ASSIGNED
(In reply to comment #1)
> Some additional comments and questions:
> 
> 1. Per email request from Jyrki Nivala of Sonera, I have marked Sonera Class 1
> and Class 2 CAs as trusted for all purposes in my list of CAs:
> 
>   http://www.hecker.org/mozilla/ca-certificate-list
> 
> Note that in Mozilla terms this means that certificates issued by these CAs will
> be accepted in the context of SSL-enabled web servers, S/MIME email, and object
> signing of executable code and related data. My question here is this: Do the
> Sonera CAs actually issue certificates for the purpose of object signing? (This
> is the Mozilla equivalent of Microsoft code developer certificates, e.g, for
> signing ActiveX controls.) If Sonera does *not* issue such certificates today
> and does not plan to issue them in the future, then there is no point in marking
> the Sonera certificates as trusted for this purpose.
We do not *currently* issue code-signing certificates, but we plan to in the near
future. But, after you pointed it out, it could be better to change the "Trusted for"
flag as follows:
Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for
SSL client authentication)
Sonera Class 2 CA is trusted for All
> 
> 2. Per the previous comments, CRLs for the Sonera CAs can be obtained from an
> LDAP directory maintained by Sonera. Is there also a URL where Mozilla users
> could download Sonera CRLs using HTTP? This would make it much simpler for
> Mozilla users to install and use Sonera CRLs.
Unfortunately we don't currently provide this. We are planning to provide this
and OCSP next year, should we contact Mozilla.org then again?
> 
> Note that we need a definitive answer to question 1 above in order to add the
> certificates to NSS and thence Mozilla, etc. Question 2 is optional; I don't
> need the answer in order to approve Sonera for inclusion, but I'd like the
> information so that I can make it publicly available to any Mozilla users who
> are interested in using Sonera CRLs.

(In reply to comment #2)
> We do not *currently* issue code-signing certificates, but we plan to in the near
> future. But, after you pointed it out, it could be better to change the "Trusted for"
> flag as follows:
> Sonera Class 1 CA is trusted only for S/MIME (Class 1 certs are also used for
> SSL client authentication)
> Sonera Class 2 CA is trusted for All

Thank you for the additional information; I have updated my CA certificate list
web page accordingly. (Use of Class 1 certs for SSL client authentication is
irrelevant for Mozilla, since validation of the certificates in that context is
done by web servers, not by Mozilla. Hence I've omitted mention of this in the
CA certificate list.)

Re an HTTP URL for CRLs:
> Unfortunately we don't currently provide this. We are planning to provide this
> and OCSP next year, should we contact Mozilla.org then again?

Yes, just send me an email when you add that support. As I mentioned previously,
this is just to provide additional information to Mozilla users, so if you
forget to send me an email don't worry about it :-)
Depends on: 261373
Per my previous comments I'm approving Sonera Class 1 and Class 2 CA
certificates for inclusion in Mozilla, etc., and have filed bug 261373 against
the NSS developers to get this accomplished. Please submit comments on technical
issues related to the CA certificates to bug 261373; any other comments should
stay in this bug.
Frank,

Nelson has added these root CA certs to NSS.  So
you can mark the bug fixed now.
Certificates are in Firefox 1.0.2 and Thunderbird 1.0.2; resolving as fixed and
removing dependencies on bug 258416 and bug 261373.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Per Sonera's wish in comment 2:

  Sonera Class 1 CA is trusted only for S/MIME (Class 1
  certs are also used for SSL client authentication).
Comment on attachment 180653:
Incremental patch for NSS trunk (3.10): trust Sonera Class 1 CA only for S/MIME

Sorry, this patch is meant for the corresponding NSS bug 258416.
Attachment #180653 - Attachment is obsolete: true
Product: mozilla.org → NSS
Product: NSS → CA Program