Closed Bug 342996 Opened 18 years ago Closed 18 years ago

Request to add Wells Fargo root CA certificate

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: hecker)

I've received a request from Wells Fargo to add their root CA certificate. (They're already in the Microsoft and Apple root lists.) Note that Wells Fargo has (and continues to) issue certificates (including SSL certs) to small businesses and others who are already Wells Fargo customers; they are also moving into serving other customers for certificate products (i.e., beyond their existing customer base for banking and related financial services).

For basic information about the Wells Fargo CA see the CA certificate list link above. I'll provide some more comments soon.
Accepting the bug. One major question thus far: Are there subordinate CAs under the Wells Fargo Root CA? If so, how many, and what kind of certificates do they issue?
Status: NEW → ASSIGNED
There are currently two sub-CAs under the Wells Fargo Root Certificate Authority.  One is slated to be decommissioned.  It is no longer issuing certificates, and remains online only to continue to provide CRLs for certificates that have been issued and are still being used.  The other subCA is the currently active and issuing CA that issues personal certificates (S/MIME and client authentication), code signing, and SSL server certificates.  Of course, the number of subCAs is subject to change over time.

The Wells Fargo Root CA itself is an offline CA and does not issue directly to end-entities.  It only issues certificates to subCAs and to infrastructure entities (such as OCSP responders).
Thanks for the quick response! So, just to clarify, the 2004 CPS states (in sections 1.2.2 and 1.3.6) that certs are issued according to the following policies (with corresponding policy OIDs):

* Organization Certificate (2.16.840.1.114171.903.x.1.11) 
* Personal Certificate (2.16.840.1.114171.901.x.1.11)
* System Certificate (2.16.840.1.114171.902.x.1.11) 
* Application Certificate (2.16.840.1.114171.904.x.1.11) 
* Infrastructure Component Certificate (2.16.840.1.114171.905.x.1.11)

Is this still correct?

If so, how do these map against the various certificate uses (S/MIME, client authentication, code signing, and SSL server)? (For example, per 1.3.6.2 and 1.3.6.3 it appears that SSL server certs could be issued under either the System Certificate policy or the Personal Certificate policy.)
Those policies and policy OIDs are correct for certificates currently being issued.

S/MIME and client auth certs are issued under the Personal policy.
Code Signing certs are issued under the Organization policy.
SSL certs are issued under the System policy.
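As an added example (not code from the bug, from Mozilla or from Wells Fargo), a stdlib-only check a reviewer or relying party could run: it decodes a policy OID from a certificate's certificatePolicies extension, recognises the 2.16.840.1.114171.90N.x.1.11 policy arcs quoted above, and verifies that the intended use matches the policy-to-use mapping Wells Fargo gave. The DER bytes and the version component `5` are constructed for the example.

```python
from typing import Optional

# Policy arcs from the 2004 CPS as quoted in this bug: 2.16.840.1.114171.90N.x.1.11,
# where "x" is a version component the CPS leaves variable. The use mapping is the
# one Wells Fargo stated in the comments (Personal: S/MIME + client auth, System: SSL,
# Organization: code signing; no uses were stated for the other two arcs).
WF_ARC_PREFIX = (2, 16, 840, 1, 114171)
WF_POLICIES = {
    901: ("Personal", frozenset({"smime", "client-auth"})),
    902: ("System", frozenset({"ssl-server"})),
    903: ("Organization", frozenset({"code-signing"})),
    904: ("Application", frozenset()),
    905: ("Infrastructure Component", frozenset()),
}


def decode_der_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV (tag 0x06, short-form length) to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short-form OID TLV")
    arcs, value = [], 0
    for byte in der[2:]:
        value = (value << 7) | (byte & 0x7F)   # base-128 digits, high bit = continue
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if der[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    first = arcs[0]                            # first two arcs are packed as 40*a + b
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def classify_policy(oid: str) -> Optional[str]:
    """Return the Wells Fargo policy name for a dotted policy OID, or None if it is not one."""
    arcs = tuple(int(a) for a in oid.split("."))
    if len(arcs) != 9 or arcs[:5] != WF_ARC_PREFIX or arcs[7:] != (1, 11):
        return None
    entry = WF_POLICIES.get(arcs[5])
    return entry[0] if entry else None


def use_permitted(oid: str, use: str) -> bool:
    """True only if the OID is a known policy and `use` is one issued under that policy."""
    arcs = tuple(int(a) for a in oid.split("."))
    return classify_policy(oid) is not None and use in WF_POLICIES[arcs[5]][1]


# Constructed sample: DER encoding of 2.16.840.1.114171.902.5.1.11 (version arc 5 is made up).
SAMPLE_SYSTEM_POLICY = bytes.fromhex("060c6086480186fb7b87060501 0b".replace(" ", ""))

if __name__ == "__main__":
    oid = decode_der_oid(SAMPLE_SYSTEM_POLICY)
    print(oid, classify_policy(oid), use_permitted(oid, "ssl-server"), use_permitted(oid, "smime"))
```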
Thanks for the response. The next thing I looked at was identification requirements. Based on the 2004 CPS it appears that the actual I&A procedures used in practice are (or at least may be) specified in "authentication policies" separate from the CPS itself. (For example, it appears that such a policy might be in place in cases where an organization acts as a Registration Authority for the Wells Fargo CA.)

However section 3 of the 2004 CPS, and in particular sections 3.1.8 and 3.1.9, appear to specify minimum requirements for what such an authentication policy should contain with respect to verifying organizational and individual identity (and in the former case, authorization of an applicant to make a request on behalf on an organization).

At first glance these appear to satisfy the minimum requirements of the Mozilla CA certificate policy.
Another useful bit of information from the 2004 CPS: CRLs for the subordinate CA (the one that issues end-entity certs) are published at least every four (4) hours. CRLs for the root CA (which just issues the subordinate CA cert(s)) are published at least every year. (The CPS doesn't explicitly say this, but I presume that if there were a key compromise or other problem with a subordinate CA then a new root CA CRL would be published in reasonably short order :-)

Also, per Wells Fargo, OCSP is supported for validating end-entity certificates issued by the subordinate CA(s), with the OCSP URL(s) contained in the AIA extension of the EE certificates.  There will also be an OCSP responder for the root CA itself (with URL <http://ocsp-root.pki.wellsfargo.com/>); it is not online but is expected to be so soon.
Here are more detailed comments on Wells Fargo in relation to the Mozilla CA certificate policy:

Section 4. I'm not aware of any technical issues with certificates issued by the Wells Fargo root CA or subordinate CA. If anyone sees any technical problems with the Wells Fargo root CA cert or other Wells Fargo certs please note them in this bug report.

Section 6. Wells Fargo appears to provide a service relevant to Mozilla users: It is a public CA issuing certificates to persons and organizations (who may or may not be existing Wells Fargo customers), and its certificates might be used by Mozilla users interacting with such people or organizations (or web sites operated by them). Wells Fargo policies are documented in the CPS document listed on the ca-certificate-list page referenced above. (Although note that Wells Fargo is apparently planning to update its CPS later this year.)

Section 7. Wells Fargo appears to meet the minimum requirements for subscriber verification: For all classes of certificates applicants are required to prove personal identity either directly to Wells Fargo or to authorized agents of Wells Fargo.

Section 8-10. Wells Fargo has successfully completed an independent audit using the WebTrust for CAs criteria. The auditors were KPMG.

Section 13. As noted above, Wells Fargo has a single subordinate CA under the single Wells Fargo root. Although different classes of certificates are issued under the subordinate CA, the level of verification for all such certificates appears to be comparable.

Other: Wells Fargo issues CRLs for the root CA and the subordinate CAs as noted above. It also operates an OCSP responder as noted above.
Based on the information available to me thus far I'm inclined to approve inclusion of this CA certificate into the default Mozilla list. I'll allow a few days of comment and then make my final decision.
OK, comment period is over. Based on my comments above and other comments I've received, I'm approving the Wells Fargo root CA certificate for inclusion in NSS/Mozilla. Now I'll go file the requisite bug against NSS...
Depends on: 344394
Frank filed Bug 344394 against NSS to include this root.
Bug 344394 is now marked resolved/fixed. NSS 3.11.4 includes the requested root. So, I am marking this request resolved/fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program