Closed Bug 261778 Opened 19 years ago Closed 15 years ago

Add Camerfirma CA certificate (Spain)

Categories

(CA Program :: CA Certificate Root Program, task)


RESOLVED FIXED

People

(Reporter: ramirom, Assigned: hecker)


Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a1) Gecko/20040520

AC Camerfirma is a Spanish certification authority which is trusted in IE, but
not in Mozilla.



Reproducible: Always
Steps to Reproduce:
1. Go to https://www.camerfirma.com

Actual Results:  
A message saying my server's cert is not trusted appeared.



Expected Results:  
Just go ahead 

This bug is already reported by a number of CA.
I'm accepting this bug. I'm changing the summary line to "Add Camerfirma CA
certificate" to better reflect the nature of the request.
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: A message saying my server's cert is not trusted appeared → Add Camerfirma CA certificate
Camerfirma has passed a WebTrust for CAs audit, so I expect that I will approve
Camerfirma's root CA certificates for inclusion in Mozilla and other products.
However first I need to have answers to the following questions:

1. What are the actual Certificate Authorities whose certificates should be
included in Mozilla?

The page <http://www.camerfirma.com/mod_web/repositorio/otrascas.html> shows
several Camerfirma CA hierarchies. After reading some other material on the
Camerfirma web site, I'm guessing that the root CA certificates that should be
included are for the Chambers of Commerce root CA and the Global Chambersign
root CA. Is this correct?

(Incidentally, the CA hierarchy graph on the otrascas.html page is very nice,
especially with the links to the certificates, hashes, CRLs, etc. I wish more CA
did the same thing.)

2. What are the actual root CA certificates that should be included, and where
can they be obtained? From the otrascas.html page I'm guessing that the root CA
certificates are the ones at the following URLs:

http://www.camerfirma.com/mod_web/consultas/certi/Chambers.cer
http://www.camerfirma.com/certs/ROOT-CHAMBERSIGN.crt

for the "Chambers of Commerce" and "Global Chambersign" CAs. Is this correct?

3. What are the intended uses of the end-entity certificates issued by the CAs?
Both of the certificates referenced above have a netscape cert type extension
referencing all three of SSL, S/MIME, and object signing, so I presume that the
certificates should be trusted for all purposes relevant to Mozilla. Is this
correct?

4. Where is the Certification Practices Statement (CPS) for Camerfirma? I'm
guessing that the most recent CPS is the document at the following URL:

http://docs.camerfirma.com/mod_web/usuarios/pdf/CPS_1.4.pdf

Is this correct? Does this CPS apply to both of the CAs ("Chambers of Commerce"
and "Global Chambersign")? Is the CPS available in an English translation?

5. Where are the CRLs for the Camerfirma root CAs? According to the
otrascas.html page, the CRLs are at the following URLs:

http://crl.chambersign.org/chambersroot.crl
http://crl.chambersign.org/chambersignroot.crl

for the "Chambers of Commerce" and "Global Chambersign" CAs? Is this correct?

6. Does Camerfirma support OCSP validation of certificates, in addition to the CRLs?

I've edited my CA certificates information page:

  http://www.hecker.org/mozilla/ca-certificate-list

to include information concerning Camerfirma. Please review the information and
provide corrections where needed.
I am willing to approve this request, but I need answers to the questions I
asked in my previous comment (#2); in particular I need answers to questions 1,
2, and 3. I will not do anything further with this request until I receive those
answers.
(In reply to comment #2)

> 1. What are the actual Certificate Authorities whose certificates should be
> included in Mozilla?
> The page <http://www.camerfirma.com/mod_web/repositorio/otrascas.html> shows
> several Camerfirma CA hierarchies. After reading some other material on the
> Camerfirma web site, I'm guessing that the root CA certificates that should be
> included are for the Chambers of Commerce root CA and the Global Chambersign
> root CA. Is this correct?

Yes it is.

> (Incidentally, the CA hierarchy graph on the otrascas.html page is very nice,
> especially with the links to the certificates, hashes, CRLs, etc. I wish more CA
> did the same thing.)

Thank you a lot, I am pleased to hear that.

> 2. What are the actual root CA certificates that should be included, and where
> can they be obtained? From the otrascas.html page I'm guessing that the root CA
> certificates are the ones at the following URLs:
> http://www.camerfirma.com/mod_web/consultas/certi/Chambers.cer
> http://www.camerfirma.com/certs/ROOT-CHAMBERSIGN.crt
> for the "Chambers of Commerce" and "Global Chambersign" CAs. Is this correct?

 Yes.

> 3. What are the intended uses of the end-entity certificates issued by the CAs?
> Both of the certificates referenced above have a netscape cert type extension
> referencing all three of SSL, S/MIME, and object signing, so I presume that the
> certificates should be trusted for all purposes relevant to Mozilla. Is this
> correct?

Yes, mainly for digital signature and web authentication.

> 4. Where is the Certification Practices Statement (CPS) for Camerfirma? I'm
> guessing that the most recent CPS is the document at the following URL:
> http://docs.camerfirma.com/mod_web/usuarios/pdf/CPS_1.4.pdf
> Is this correct? Does this CPS apply to both of the CAs ("Chambers of Commerce"
> and "Global Chambersign")? Is the CPS available in an English translation?


Yes, this CPS involves all certificates issued by Camerfirma and I am afraid
it is not translated to English yet.

> 5. Where are the CRLs for the Camerfirma root CAs? According to the
> otrascas.html page, the CRLs are at the following URLs:
> http://crl.chambersign.org/chambersroot.crl
> http://crl.chambersign.org/chambersignroot.crl
> for the "Chambers of Commerce" and "Global Chambersign" CAs? Is this correct?

Yes, but you will need all CRLs from all CAs delegated in the hierarchy, will
you? It is important for us that all CAs be recognized by Mozilla.

> 6. Does Camerfirma support OCSP validation of certificates, in addition to the CRLs?

Yes you can get information about "Chambers of Commerce Root" and "Chambersign 
Global Root" from http://ocsp.certiver.com:7070

Thank you for the answers to my questions. I just have two more comments:

* Regarding question 3, about uses of the certificates: I asked this question in
order to determine how we should set the "trust bits" on the root CA
certificate. Your answer was somewhat ambiguous. Based on your answer we will
certainly mark the root CAs (or potentially their subordinate CAs) as trusted
for certifying SSL-enabled web sites and S/MIME email users. However we will
*not* mark the root CA (or subordinates) as being trusted for certifying
developers of digitally-signed executable code objects, since you didn't
explicitly say that your CAs issue such certificates.

If this is incorrect (in other words, if the Camerfirma root CAs and/or their
subordinate CAs *do* issue certificates for signing executable code objects),
then please correct me, and we will mark the root CA as trusted for all three
purposes.

* Regarding question 5, about CRLs: We do *not* preload CRLs into Mozilla or
related products. If Mozilla users want to use CRLs then they have to explicitly
download the CRLs and install them. However I wanted the information about CRLs
in order to publish the information on my CA web page at
<http://www.hecker.org/mozilla/ca-certificate-list> for use by anyone who's
interested.

Since you have subordinate CAs under the two root CAs, I'll modify my web page
to include links to the CRLs for those other CAs.

If you can answer my first question above (to clarify how we should set the
"trust bits") then I will go ahead and officially approve including the
Camerfirma root CA certificate.
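
An added illustration, not part of the original bug thread and not NSS code, of the distinction drawn in the comment above: the Netscape cert type extension only advertises usages, while the trust bits are set from what the CA explicitly confirms it issues. The sample extension bytes, the usage names and the `trust_flags` helper are constructed for this example; the output is a certutil-style `SSL,S/MIME,object-signing` trust string.

```python
# Netscape Cert Type (OID 2.16.840.1.113730.1.1) is a DER BIT STRING.
# Bit 0 is the most significant bit of the first content byte; bit 4 is reserved.
NS_CERT_TYPE_BITS = {
    0: "ssl-client", 1: "ssl-server", 2: "smime", 3: "object-signing",
    5: "ssl-ca", 6: "smime-ca", 7: "object-signing-ca",
}

def decode_ns_cert_type(der: bytes) -> set:
    """Return the usage names set in a DER-encoded Netscape cert type value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("bad unused-bits count")
    names = set()
    for bit in range(len(content) * 8 - unused):
        if content[bit // 8] & (0x80 >> (bit % 8)):
            name = NS_CERT_TYPE_BITS.get(bit)
            if name:
                names.add(name)
    return names

def trust_flags(advertised: set, confirmed_by_ca: set) -> str:
    """Build a certutil-style trust string (hypothetical helper).

    A column gets 'C' (trusted CA) only when the extension advertises the
    usage AND the CA has explicitly confirmed that it issues such certificates.
    """
    columns = ("ssl-ca", "smime-ca", "object-signing-ca")
    return ",".join(
        "C" if c in advertised and c in confirmed_by_ca else "" for c in columns
    )

# Constructed sample: BIT STRING with the three CA bits (5, 6, 7) set.
SAMPLE_ROOT_EXT = bytes.fromhex("03020007")

if __name__ == "__main__":
    advertised = decode_ns_cert_type(SAMPLE_ROOT_EXT)
    # CA confirmed only SSL and S/MIME issuance: no object-signing trust.
    print(trust_flags(advertised, {"ssl-ca", "smime-ca"}))
    # CA later confirms code signing as well: all three columns trusted.
    print(trust_flags(advertised, advertised))
```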
(In reply to comment #6)
> Thank you for the answers to my questions. I just have two more comments:
> * Regarding question 3, about uses of the certificates: I asked this question in
> order to determine how we should set the "trust bits" on the root CA
> certificate. Your answer was somewhat ambiguous. Based on your answer we will
> certainly mark the root CAs (or potentially their subordinate CAs) as trusted
> for certifying SSL-enabled web sites and S/MIME email users. However we will
> *not* mark the root CA (or subordinates) as being trusted for certifying
> developers of digitally-signed executable code objects, since you didn't
> explicitly say that your CAs issue such certificates.
> If this is incorrect (in other words, if the Camerfirma root CAs and/or their
> subordinate CAs *do* issue certificates for signing executable code objects),
> then please correct me, and we will mark the root CA as trusted for all three
> purposes.

Dear Frank, you have a point there. We would like there to be no limit at all in
the use of our certificates, so code signing, TSA, OCSP use would be
included. We will restrict the use in end users' certificates.


> * Regarding question 5, about CRLs: We do *not* preload CRLs into Mozilla or
> related products. If Mozilla users want to use CRLs then they have to explicitly
> download the CRLs and install them. However I wanted the information about CRLs
> in order to publish the information on my CA web page at
> <http://www.hecker.org/mozilla/ca-certificate-list> for use by anyone who's
> interested.
> Since you have subordinate CAs under the two root CAs, I'll modify my web page
> to include links to the CRLs for those other CAs.
> If you can answer my first question above (to clarify how we should set the
> "trust bits") then I will go ahead and officially approve including the
> Camerfirma root CA certificate.

OK thank you a lot Frank
In accordance with current policy, I am approving Camerfirma's root CA
certificates for inclusion in Mozilla, and will file a bug against NSS to have
the actual certificates added.

Depends on: 275576
Filed bug 275576 against NSS for the actual addition of the certificates, and
marked it as blocking this bug. Any further *technical* comments re this should
be directed to bug 275576.
The Camerfirma Chamber of Commerce Root CA and Global Chambersign
Root CA have been added to NSS.  They will be in Mozilla 1.8 Beta 2
and Firefox/Thunderbird 1.1 Alpha.

I don't know if this is enough to mark the bug fixed or you want
to wait until Mozilla 1.8 final and Firefox/Thunderbird 1.1 final.
I found a discrepancy in the SHA-1 fingerprint of the
Chambers of Commerce Root.  So please don't mark this
bug fixed yet.
OK, the SHA-1 fingerprint issue has been resolved.
Resolving this bug as FIXED, given that the necessary changes have been made to
NSS and will show up in future versions of Firefox, Thunderbird, etc.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Summary: Add Camerfirma CA certificate → Add Camerfirma CA certificate (Spain)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We would like to include new ca root certificates. We are planning generate
new key pair generation in a few weeks and obviously new certificates that we
want to be included in a future version of the Mozilla suite. 
Ramiro, You need to file a new bug to request the addition of MORE certs.
The original requests in this old bug have been satisfied in full.
Please start with this page:
http://wiki.mozilla.org/CA:Root_Certificate_Requests
Status: REOPENED → RESOLVED
Closed: 18 years ago → 15 years ago
Resolution: --- → FIXED
Ramiro, 
I see that you have opened another bug for the new certificate requests.
That bug is bug 406968. The information in that request is incomplete.
Please put all further information about that request in that bug.
OK, Nelson I will use this bug for my request, sorry for any trouble.
Then could I use this bug to include new roots, or should I use the new bug I opened, 406968?

current audit info
Product: mozilla.org → NSS
Product: NSS → CA Program