Inserting 3 next generation of CA certificates for GeoTrust

RESOLVED FIXED

Status

task
RESOLVED FIXED
14 years ago
2 years ago

People

(Reporter: cbailey, Assigned: hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Alexa Toolbar)
Build Identifier: 

I did not see if the report already resolved....

GeoTrust would like to insert 3 next generation CA certificates

Root 1
GeoTrust Universal CA 
https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Univ
ersal_CA.cer
(Base-64 encoded X.509)
Organization:  GeoTrust Inc.
Country: US
Serial Number: 01
Validity Period: Tue March 04, 2004 to Sun March 04, 2029 (GMT)
Certificate Fingerprint (MD5): 92:65:58:8B:A2:1A:31:72:73:68:5C:B4:A5:7A:07:48
Certificate Fingerprint (SHA-1):
e6:21:f3:35:43:79:05:9a:4b:68:30:9d:8a:2f:74:22:15:87:ec:79
Key Length: 4096

Root 2
GeoTrust Global CA2 
https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Glob
al_CA2.cer
(Base-64 encoded X.509)
Organization: GeoTrust Inc.
Country: US
Serial Number: 01
Validity Period: Tue March 04, 2004 to Sun March 04, 2019 (GMT)
Certificate Fingerprint (MD5): 0E:40:A7:6C:DE:3:5D:8F:D1:F:E4:D1:8D:F9:6C:A9
Certificate Fingerprint (SHA-1):
a9:e9:78:08:14:37:58:88:f2:05:19:b0:6d:2b:0d:2b:60:16:90:7d
Key Length: 2048 

Root 3
GeoTrust Universal CA2 
https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Univ
ersal_CA2.cer
 (Base-64 encoded X.509)
Organization: GeoTrust Inc.
Country: US
Serial Number: 01
Validity Period: Tue March 04, 2004 to Sun March 04, 2029 (GMT)
Certificate Fingerprint (MD5): 34:FC:B8:D0:36:DB:9E:14:B3:C2:F2:DB:8F:E4:94:C7
Certificate Fingerprint (SHA-1):
37:9a:19:7b:41:85:45:35:0c:a6:03:69:f3:3c:2e:af:47:4f:20:79
Key Length: 4096 

Please contact Chris Bailey, CTO of GeoTrust if you have any questions.
Chris Bailey
cbailey@geotrust.com
678-595-7999 (cell)


Reproducible: Always
Status: UNCONFIRMED → NEW
Ever confirmed: true
Chris, my apologies for the long delay in looking at this bug. The main question I have is: Where are the CPS and CP documents corresponding to these roots? I want to reference them in my CA certificate list, but can't find the actual GeoTrust services to which they correspond. I've looked through some of the documents at

http://www.geotrust.com./resources/repository/legal.asp

with no luck thus far.

Although GeoTrust already has root certs in Mozilla I want to do due diligence on obtaining the sorts of information we collect for new CAs: CPS and CP documents, audit reports, types of certs issued, verification procedures, CRLs, OCSP URLs, etc.
Status: NEW → ASSIGNED
[Below is information provided by Geotrust relating to this request.]

These roots will be used to replace Geotrust's existing Equifax roots over the
coming months and year with a full transition occurring by December 31, 2010. The CPSs are located at the following URL:
http://www.geotrust.com/resources/repository/legal.asp

These roots will be used for SSL, Code Signing, Timestamping, S/Mime Client Auth, and all other uses.

Information on Geotrust's WebTrust audit is located here:
https://cert.webtrust.org/ViewSeal?id=532

Note: The roots submitted with this request will be included in the new audit next year, once they are active this year. WebTrust Audit only looks back 1 year in the audit. Geotrust's last audit date was January 1, 2005 through December 31, 2005.

Certificates are issued both directly from the root and from subordinated
CAs depending on the product. However, Geotrust does not subordinate to third party CAs.

All various assurance levels are issued under the same root/subordinate root.

All CRLs are issued REAL TIME and have an expiration of 24 hours to 10 days
depending on the product. The CLSs can be found here:
http://www.geotrust.com/resources/crls/index.asp

OCSP services are issued with a few products, but have not been defined with
these new roots.

[Note that the response doesn't directly answer the question of exactly how the new root CAs relate to the various Geotrust-provided CA products. However at a general level the picture is clear: With a couple of apparent exceptions -- e.g., the Adobe-related CAs -- certificates for current Geotrust services are issued from subordinate CAs under the Equifax roots. Over time those subordinate CAs will be migrated to live under the new roots. A note for Geotrust in this regard: It would be nice if future CPSs would provide more detail on the actual subordinate CA and root CA associated with a given service, as is currently done in the CPSs for the True Credentials CAs.]
More Geotrust information: For the record, the following appear to be the Geotrust-related root CAs for which certificates are currently pre-loaded into Mozilla products, with numbering as taken from

http://www.geotrust.com/resources/root_certificates/index.asp

* Root 1 - Equifax Secure CA
* Root 2 - Geotrust Global CA
* Root 4 - Equifax Secure eBusiness CA-1
* Root 5 - Equifax Secure Global eBusiness CA-1
* Root 8 - Equifax Secure eBusiness CA 2

The new certificates being proposed for inclusion are

* Root 3 - GeoTrust Universal CA 
* Root 6 - GeoTrust Global CA2 
* Root 7 - GeoTrust Universal CA2

To the best of my knowledge we don't currently pre-load any of the other Geotrust CA certificates listed on the page referenced above (roots 9 through 13).
(In reply to comment #3)
> More Geotrust information: For the record, the following appear to be the
> Geotrust-related root CAs for which certificates are currently pre-loaded into
> Mozilla products, with numbering as taken from
> http://www.geotrust.com/resources/root_certificates/index.asp
> * Root 1 - Equifax Secure CA
> * Root 2 - Geotrust Global CA
> * Root 4 - Equifax Secure eBusiness CA-1
> * Root 5 - Equifax Secure Global eBusiness CA-1
> * Root 8 - Equifax Secure eBusiness CA 2
> The new certificates being proposed for inclusion are
> * Root 3 - GeoTrust Universal CA 
> * Root 6 - GeoTrust Global CA2 
> * Root 7 - GeoTrust Universal CA2
> To the best of my knowledge we don't currently pre-load any of the other
> Geotrust CA certificates listed on the page referenced above (roots 9 through
> 13).

That is right, we need to keep roots 1,2,4,5,and 8. Then add roots 3,6,7. All the roots should be marked for ALL uses (S/Mime, SSL, Client Auth, Code Signing, etc...). We are not adding roots 9 through 13.
For the record, here are the types of subscriber validation done for the various Geotrust CAs; information is from the CPS documents at

  http://www.geotrust.com/resources/repository/legal.asp

* Power Server ID (provides single SSL certificate for up to four domains). Verify that the subscriber controls domains named in the SSL/TLS certificate. See Section III of the CPS for more information.

* QuickSSL (SSL certificates). Verify that the subscriber controls the domain named in the SSL/TLS certificate. See Section III of the CPS for more information.

* QuickSSL Premium (SSL certificates). Verify that the subscriber controls the domain named in the SSL/TLS certificate. See Section III.C of the CPS for more information.

* True BusinessID (SSL certificates). Verify that subscriber is authorized to apply on behalf of the organization to which certificate is being issued. See Section III of the CPS for more information.

* My Credential (client certificates for S/MIME, etc.). Verify that subscriber controls the email address and telephone number included in the certificate. See Section III of the CPS for more information.

* True Credential and True Credential Express (client certificates for S/MIME, etc.). These services are for issuance of certificates to employees of an organization; each organization is responsible for acting as the Registration Authority and vetting the identity of certificate subscribers.  See Section III of the CPS for more information.

* Enterprise SSL and Enterprise SSL Premium (allow organizations to issue SSL server certificates for their own domains). Verify that subscriber is authorized to apply on behalf of the organization to which certificate is being issued. See Section III of the CPS for more information.

* Equifax SecureMark (client certificates for financial transactions, etc., UK-only). Verify identity of subscriber (organization or individual); for S/MIME certificates verify that subscriber controls email account.  See Section III of the CPS for more information.

To my knowledge the following Geotrust services mentioned on the above-referenced page are not relevant in our case because the associated root CA certificates (if any) are not preloaded into Mozilla products:

* True Site (no root CA)
* Mobile Code Signing (uses mobile root CAs)
* QuickPayments (no root CA)
* True Credentials for Adobe Acrobat (Adobe root CA)
* My Credential for Adobe Acrobat (Adobe root CA)
* Desktop Code Signing (TC Trustcenter root CA)
* Verified Domain (no root CA)
To echo my comments in the mozilla.dev.tech.crypto newsgroup:

I'm approving this request, and will shortly file a bug against NSS for the actual adding of the certs.

As I've posted in another message [to m.d.t.crypto], the issue previously raised about Geotrust's Power Server ID certificates was the result of my being misled by confusing language on Geotrust's web site. (I've asked them to correct the page in question.) 
Depends on: 347883
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.