279728 - Request to add NetLock CA certificates

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Frank Hecker]

NetLock is a CA located in Hungary. They have four root CAs: NetLock Qualified
(Class QA), NetLock Notary (Class A), NetLock Business (Class B), and NetLock
Express (Class C). See <http://www.hecker.org/mozilla/ca-certificate-list> for
more information.

NetLock apparently has completed a WebTrust for CA audit (by Ernst & Young), but
the CA is not listed on the WebTrust "sites with seals" page, and I can't find
any other online information regarding their WebTrust status. See also bug
277797 concerning a problem importing one of the NetLock certificates.

Approval of NetLock CA certificates for inclusion in Mozilla-related software
will depend on resolving the question of NetLock's WebTrust status and
(possibly) resolving bug 277797.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

We can't add this CA's "qualified" CA cert until bug 277797 is resolved.

Comment 2

[Frank Hecker]

I got a copy of the NetLock audit report (in the form of JPEG page images
scanned in from the original paper document) and have linked to it from
<http://www.hecker.org/mozilla/ca-certificate-list>. This appears to satisfy the
requirement for a WebTrust/WebTrust-equivalent audit.

The remaining issues appear to be as follows:

1. The issue with the Qualified CA discussed in bug 277797. IMO this doesn't
affect my approval of NetLock in general, it simply affects when/if the
Qualified CA root certificate can be actually added.

2. The recommended trust bits for the various NetLock CA certificates. This is
not strictly speaking needed for my approval, but *is* needed for the actual
addition of the certificates to NSS. I need answers to the following questions
for each of the four CAs (qualified/notary/business/express):

a. Does the CA issue certificates for use by SSL-enabled web servers (or other
SS-enabled servers)?

b. Does the CA issue certificates for use in sending/receiving signed and/or
encrypted email?

P.S. Also accepting this bug -- I forgot to do this earlier.

c. Does the CA issue certificates for use by software developers creating
digitally signed code objects (e.g., Java applets, ActiveX controls, etc.)?

Comment 3

[Varga Viktor]

> 2. The recommended trust bits for the various NetLock CA certificates. This is
> not strictly speaking needed for my approval, but *is* needed for the actual
> addition of the certificates to NSS. I need answers to the following questions
> for each of the four CAs (qualified/notary/business/express):

My answers are in the same order. 


> a. Does the CA issue certificates for use by SSL-enabled web servers (or other
> SS-enabled servers)?

no/yes/yes/yes

> b. Does the CA issue certificates for use in sending/receiving signed and/or
> encrypted email?

yes/yes/yes/yes

> c. Does the CA issue certificates for use by software developers creating
> digitally signed code objects (e.g., Java applets, ActiveX controls, etc.)?

yes/yes/yes/yes

So, except the qualified, all of them are used to all the purposes,
the only difference that the qualified isn't issue SSL certificates.

Thanks for your help.

Comment 4

[Frank Hecker]

I'm approving this request based on NetLock's successful completion of a
WebTrust audit, and have filed bug 280744 for the actual addition of the certs
to NSS.

Comment 5

[Wan-Teh Chang]

Current Status

NetLock Notary (Class A), NetLock Business (Class B), and NetLock
Express (Class C) have been added to NSS.  They will be in
Mozilla 1.8 Beta 2 and Firefox/Thunderbird ("Aviary") 1.1 Alpha.

NetLock Qualified (Class QA) has not been added to NSS because of
bug 277797.

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

Bug 313942 now requests inclusion of the new Netlock Class QA root cert.
The other CA certs requested in this RFE have been completed.
So I'm marking this resolved/fixed.