Closed Bug 275583 Opened 20 years ago Closed 18 years ago

Add T-Systems CA certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: hecker, Assigned: hecker)

Details

I've received a request from T-Systems (subsidiary of Deutsche Telekom) to add
two root CA certificates to Mozilla and related products: Deutsche Telekom Root
CA 1 and Deutsche Telekom Root CA 2. T-Systems operates the Trust Center for
Deutsche Telekom. The Trust Center has not been WebTrust audited, but has been
QM DIN ISO 9001:2000 certified since 1997, and since 1998 has fulfilled the
requirements of the German Signature Act. (Information supplied by T-Systems.)

For other current information see the T-Systems listing on my CA certificate
information page:

  http://www.hecker.org/mozilla/ca-certificate-list

Here are the open issues regarding this CA's application:

1. T-Systems does not have a current Certification Practices Statement (CPS) for
the root CAs (either of them). This is supposedly being revised and will be
available in January 2005.

2. I'd like some more information about T-Systems/Trust Center compliance with
the German Digital Signature Act, including URLs pointing to information in
English about this.
http://www.droit.fundp.ac.be/textes/addendum.pdf 
 
Rosa Julià -Barcelà 
  
 
(3) Duties and Obligations 
 
The DSA provides, inter alia, for the following obligations: 
 
Article 5 states that the CA will have to reliably establish 
the identity of persons applying for a certificate as well 
as information concerning their professional status. 
 
The CA must issue certificates and take measures to prevent 
undetected forgery or manipulation of data as well as to 
ensure confidentiality of private signature keys. 
 
The CA will notify the applicants of the measures necessary 
to support secure digital signatures and their reliable verification. 
 
Article 8 contains an obligation concerning the invalidation 
of certificates where the owner of a signature key requests 
it, when the certificate was obtained through certain false 
statements. It should be noted that the DSA does not address 
the issue of whether the CA should be required to provide a 
full 24-hour service for invalidating certificates. 
 
(4) Liability 
 
Unlike other laws or proposals, the DSA does not address 
liability issues. Legal comments argue that regulation has 
been postponed until more consensus has been achieved about 
which kind of rules should be established. Therefore, at the 
moment, the general liability rules shall apply. In case of 
tort liability, this means that a with-fault liability regime 
will be applicable. 
 
The licensed CA, as described above, has the statutory 
obligation to issue certificates and to establish and 
maintain a database of revoked certificates. Thus, the CA 
should assume responsibility for the accuracy, the updating 
and completeness of its certificates and database vis a vis 
its own subscribers. 
 
The criteria of duty of care would seem to be a good one. 
However, because of the technical issues surrounding the 
certification process, it will be very difficult for 
consumers to prove the lack of care of the CA in the 
issuance of a certificate. Consequently, we suggest that 
the onus probandi should be reversed. This means that it 
should be sufficient for the damaged subscriber and third 
party to assert that the CA did not exercise sufficient 
care in the carrying out of his obligations and it will 
be up to the CA to evidence the contrary by proving the 
satisfaction of the requirements set out in the DSA and 
Ordinance. 
 
In order to compare the two regimes it would be 
necessary to state with some certainty what it 
is that WebTrust achieves, and I don't think this 
is possible in objective terms.  Or, at least I've 
not seen any objective statement of what MF 
demands of the WebTrust regime, and its place 
is more justified on "historical evolution." 
 
So any comparison would have to be subjective. 
 
Having said that, I suspect that this is easy enough 
in this specific case, because the German law 
follows the regulated model for Digital Signature 
Acts. 
 
In digital signature laws there are (as a gross 
simplification) two "models" being the highly 
regulated one and the permissive one.  The 
latter is the easiest one to write about and 
understand:  it simply states that a signature 
that is created digitally is not denied the status 
of a signature purely because it is digital. 
 
This is no bad thing, as it extends the signature 
and allows it to be considered on its merits in 
a dispute, which is what we want.  However, it 
adds nothing to a question of whether a CA 
using that form is comparable to a WebTrust 
audited CA, the precise question today. 
 
The other model, the regulated model, is often 
referred to as the Utah model.  This model is 
comparatively heaveyweight and much closer 
to WebTrust.  In this model, a CA can be licensed 
by the state, and must take on obligations and 
responsibilities.  As long as those obligations 
and responsibilities are serious, then one could 
make a subjective judgement that this is as 
sufficient as WebTrust, for the purposes of 
Mozilla (I'm writing this trying to avoid stating 
that WebTrust itself represents the necessary 
goal...). 
 
Doing a bit of googling I found the link below, 
which is an analysis of the 1997 law passed in 
Germany.  The appropriate text is also below 
as a useful summary of Mozilla's interests. 
 
On the basis of that, my "vote" would be for 
adding the T-Systems root cert, if they can 
confirm that they are licensed by the state 
under the provisions of the Act, and subject 
to Duties and Obligations outlined below. 
 
A simple letter to that effect would seem like 
sufficient due diligence.  Anything more would 
probably lead to needing the legal eagles to 
pass muster and an "opinion" and that is way 
beyond the scope of Mozilla Foundation's 
activities and position on liability. 
 
iang 
 
http://www.droit.fundp.ac.be/textes/addendum.pdf
QA Contact: ca-certificates
Frank: do you have a name and email address for the contact from T-Systems?

Gerv
Lothar Eickholt <Lothar.Eickholt@t-systems.com>
I have sent the following email to Lothar.Eickholt@t-systems.com:

Dear Mr Eickholt,

Two years ago, you requested inclusion of the root certificate of your
Certificate Authority in Mozilla products.
https://bugzilla.mozilla.org/show_bug.cgi?id=275583

Since that time, we have formalised a CA Certificate policy, detailing how we process such requests:
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
We hope that this will bring clarity to the process.

Due to the age of the request, the above mentioned bug report has been closed. If inclusion of your certificate(s) is still desired, please could you file a new bug report as specified in section 14 of the policy, including all the information requested by that clause.

Many thanks,

Gerv
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.