Request to add Swisscom root CA certificate

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED FIXED
12 years ago
a year ago

People

(Reporter: Frank Hecker, Assigned: Frank Hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Assignee)

Description

12 years ago
I've received a request from Swisscom Solutions, a CA in Switzerland, to add a root CA certificate. I've added information about Swisscom to my CA
certificate list (see the URL above).

Swisscom has successfully completed accreditation according to Swiss government procedures, based on compliance to ETSI TS 101 456. I'll add more information here as I have time.
(Assignee)

Updated

12 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 1

12 years ago
More information on Swisscom, from their online documents and email communications:

Swisscom issues three types of certificates using three subordinate CAs:

Diamant ('Diamond'): qualified certificates on SSCD (smart cards) according to Swiss and European digital signature law. 

Saphir ('Sapphire'): class 3 certificates for signing, authentication (Windows Logon), and encryption on SSCD.

Rubin ('Ruby'): class 2 software-based certificates for device authentication 802.1x EAP-TLS, SSL Server, and email security (signing and
encryption).

The Diamant and Saphir classes of certificates require that the applicant be physically present and identified by a national ID card or a passport. The Rubin class of certificates are issued to individuals and servers within an organization, and require that a trusted person within a organisation (basically acting as a Registration Authority) verify the identity, etc., of certificate applicants within that organization.

(Note that Swisscom has not yet published separate Certificate Policy documents for the Saphir and Rubin certificates, but plans to do so soon, in both German and English versions.)
(Assignee)

Comment 2

12 years ago
Here are more detailed comments on Swisscom in relation to the Mozilla CA certificate policy:

Section 4. I'm not aware of any technical issues with certificates issued by
Swisscom or its subordinate CAs. If anyone sees any technical problems with the
Swisscom root cert or any other certs issued by Swisscom or its subordinate CAS, please note it in this bug report.

Section 6. Swisscom appears to provide a service relevant to Mozilla users: It is a public CA issuing certificates to persons and organizations in Switzerland, and its certificates might be used by Mozilla users in Switzerland or elsewhere. Swisscom policies are documented in the CPS and CP documents listed on the ca-certificate-list page referenced above. (Although note that I'm still waiting on two additional CP documents from Swisscom.)

Section 7. Swisscom appears to meet the minimum requirements for subscriber
verification: For all classes of certificates applicants are required to prove peronal identity either directly to Swisscom or to authorized agents of Swisscom (i.e., for the 'Rubin' class of certs).

Section 8-10. Swisscom has successfully completed an independent audit using
the ETSI TS 101 456 criteria. The auditors were KPMG, operating under the auspices of the Swiss Accreditation Service (an agency of the Swiss government).

Section 13. As noted above, Swisscom has multiple subordinate CAs under the single Swisscom root, and all of the subordinate CAs issue certificates at a single validation level.

Other: Swisscom issues CRLs for the root CA and the subordinate CAs.

The SHA-1 fingerprint for the Swisscom root CA is:

  5f 3a fc 0a 8b 64 f6 86 67 34 74 df 7e a9 a2 fe f9 fa 7a 51

As noted above, based on the information available to me thus far I'm inclined
to approve inclusion of this CA certificate into the default Mozilla list. I'll
allow a few days of comment and then make my final decision.
(Assignee)

Comment 3

12 years ago
Fixed the URL reference to Swisscom's entry on my CA certificate list page.
(Assignee)

Comment 4

12 years ago
More information on CRLs and OCSP for Swisscom (from an email from a Swisscom representative):

The Swisscom root CA is off-line and a CRL is produced at least twice a year or
every time the root CA is activated for signing or updating a subordinate CA. The subordinate CAs generate a CRL on a daily base. The CRL is valid 7 days
to ensure a valid CRL is available when there's a major problem and Swisscom can't produce a CRL; however in normal production the CRLs are updated daily.

Swisscom's OCSP responders are now in the test stage and will go live later this year. The distribution point is published in the CPS, and will be <http://ocsp.swissdigicert.ch/cert-class>, where "cert-class" is replaced "Diamant", "Saphir", or "Rubin".
(Assignee)

Comment 5

12 years ago
My apologies for not following up on this before now. As far as I'm aware all questions relating to Swisscom have been answered, and they appear to be in compliance with our CA policy, I am formally approving their request to have their root CA certificate included in NSS and thus Firefox and other Mozilla-based products.

I'll be filing a bug against NSS shortly for the actual cert addition.
(Assignee)

Updated

12 years ago
Depends on: 347880
Frank filed Bug 347880 to include this cert in NSS.  Bug 347880 is now
marked resolved/fixed.  So I am marking this bug resolved/fixed also.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

a year ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.