Closed
Bug 367670
Opened 18 years ago
Closed 17 years ago
Add SecureTrust root certificates
Categories
(CA Program :: CA Certificate Root Program, task, P1)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: Scott, Assigned: hecker)
Details
(Whiteboard: EV)
Attachments
(5 files)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Build Identifier: Please add the following roots to the mozilla root store. Both roots are embedded in IE and are marked as Extended Validation ("EV") roots. SecureTrust CA SHA1 thumbprint: 87 82 c6 c3 04 35 3b cf d2 96 92 d2 59 3e 7d 44 d9 34 ff 11 Secure Global CA SHA1 thumbprint: 3a 44 73 5a e5 81 90 1f 24 86 61 46 1e 3b 9c c4 5f f5 3a 1b Contact information: SecureTrust Corporation Attn: Scott Harris 10000 Vista Verde San Antonio, TX 78255 210-249-4750 Please let me know what other information you require. Best Regards, Scott Harris SecureTrust Corporation XRamp Security Services, Inc. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Comment 1•18 years ago
|
||
Scott Harris sent me these files for this RFE
Comment 2•18 years ago
|
||
Comment 3•18 years ago
|
||
Comment 4•18 years ago
|
||
Additional info from Scott Harris: 3. Company Web page address URL http://www.SecureTrust.com/ 4. List of new roots and their SHA1 thumbprint. SecureTrust CA SHA1 thumbprint: 87 82 c6 c3 04 35 3b cf d2 96 92 d2 59 3e 7d 44 d9 34 ff 11 Secure Global CA SHA1 thumbprint: 3a 44 73 5a e5 81 90 1f 24 86 61 46 1e 3b 9c c4 5f f5 3a 1b (in attached zip file) 5. CPS (URL or attachment) Scott wrote: ... as far as the CPS goes, due to the new EV processes we will be issuing certificates off the same root but under different certificate policies. I could attach a CPS, but it would only be for ONE of the policies that we will use when issuing certificates off that root. We took the approach of no longer associating a root with a CPS, only associating end entity certs with policies that link to the CPS that the certificate was issued under. ... Rather than having a CPS for SecureTrust CA, we will have an OV policy, an EV policy, a Code Signing policy, an S/MIME policy and a DV (maybe) policy. 6. Audit results from a licensed auditor (in attached zip file) 7. EV policy OID(s) and the SHA1 hash of the applicable root(s) EV Policy OID: 2.16.840.1.114404.1.1.2.4.1 This OID will be used for EV certificates issued from EITHER/BOTH of the new roots submitted with this application (See #4 for SHA1 thumbprints). 8. List of EKUs for each new root. Both new roots submitted with this application are for "All Issuance Policies" or All Purposes. 9. One test certificate for every root. The Test Certificates can be found live on the following links: SecureTrust CA: https://stca.securetrust.com/ Secure Global CA: http://sgca.securetrust.com/ The test certificates can also be found in the attached zip file:
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•17 years ago
|
Priority: -- → P1
Comment 5•17 years ago
|
||
Hi Scott, here are a large number of outstanding CA requests, and it will take me some time to work through them. You can, should you wish, speed up the processing of your request by providing the following data in the following format, as a *plain text comment* in this bug. This will help me do whatever evaluation is necessary, and then will be part of a public record describing the Mozilla default root certificates. Some of the information may already be present in, or calculable from, data in this bug or other Mozilla-maintained documents. However, having it all in one place in a standard plain format for each request will save me a great deal of time, and help me to make everyone happier quicker. :-) CA Details ---------- CA Name: Website: One Paragraph Summary of CA, including the following: - General nature (e.g., commercial, government, academic/research, nonprofit) - Primary geographical area(s) served - Number and type of subordinate CAs Audit Type (WebTrust, ETSI etc.): Auditor: Auditor Website: Audit Document URL(s): Certificate Details ------------------- (To be completed once for each certificate) Certificate Name: Summary Paragraph, including the following: - End entity certificate issuance policy Certificate URL (on CA website): Version: SHA1 Fingerprint: MD5 Fingerprint: Modulus Length (a.k.a. "key length"): Valid From (YYYY-MM-DD): Valid To (YYYY-MM-DD): CRL URL: OCSP URL: Class (domain-validated, identity-validated or EV): Certificate Policy URL: CPS URL: Requested Trust Indicators (email and/or SSL and/or code): Thanks for your help in this matter. :-) Gerv
Comment 6•17 years ago
|
||
Scott: It's been over a month. Are you able to provide the requested information? Thanks, Gerv
Reporter | ||
Comment 7•17 years ago
|
||
CA Name: SecureTrust Corporation Website: http://www.SecureTrust.com/ One Paragraph Summary of CA, including the following: We are a commercial CA serving customers worldwide. At this time we do not have any subordinates off of either root. Audit Type (WebTrust, ETSI etc.): WebTrust Auditor: Boysen & Miller PLLC Auditor Website: NA Audit Document URL(s): https://cert.webtrust.org/SealFile?seal=359&file=pdf Certificate Details ------------------- (To be completed once for each certificate) Certificate Name: SecureTrust CA Summary Paragraph, including the following: Root certificate utilized for issuing all certificate types Version: V3 SHA1 Fingerprint: 87 82 c6 c3 04 35 3b cf d2 96 92 d2 59 3e 7d 44 d9 34 ff 11 MD5 Fingerprint: N/A Modulus Length (a.k.a. "key length"): 2048 Valid From (YYYY-MM-DD): 2006-11-07 Valid To (YYYY-MM-DD): 2029-12-31 CRL URL: http://crl.securetrust.com/STCA.crl OCSP URL: N/A Class (domain-validated, identity-validated or EV): All, inc. EV Certificate Policy URL: https://www.securetrust.com/legal/ CPS URL: https://www.securetrust.com/legal/ Requested Trust Indicators (email and/or SSL and/or code): Server Auth, Client Auth, S/MIME, CodeSigning, Timestamping Certificate Name: Secure Global CA Summary Paragraph, including the following: Root certificate utilized for issuing all certificate types Version: V3 SHA1 Fingerprint: 3a 44 73 5a e5 81 90 1f 24 86 61 46 1e 3b 9c c4 5f f5 3a 1b MD5 Fingerprint: N/A Modulus Length (a.k.a. "key length"): 2048 Valid From (YYYY-MM-DD): 2006-11-07 Valid To (YYYY-MM-DD): 2029-12-31 CRL URL: http://crl.securetrust.com/SGCA.crl OCSP URL: N/A Class (domain-validated, identity-validated or EV): All, incl. EV Certificate Policy URL: https://www.securetrust.com/legal/ CPS URL: https://www.securetrust.com/legal/ Requested Trust Indicators (email and/or SSL and/or code): Server Auth, Client Auth, S/MIME, CodeSigning, Timestamping Please let me know if you need anything else! Thanks, Scott
Comment 8•17 years ago
|
||
Reassign all open CA bugs to me. Apologies for the bugspam. Gerv
Assignee: hecker → gerv
Comment 9•17 years ago
|
||
- How can I verify that Boysen & Miller, PLLC actually exists and is a legal CPA? The only hit Google has for them is your audit document. :-) The AICPA does not have a membership list on their site. - The audit documents relate to an "XRamp Corporation". How can I verify that this and SecureTrust Corporation are the same thing? :-) - Please can you provide HTTP download URLs for each certificate, along with a (test?) website using an end entity certificate issued by each? - Is there actually any difference between the two roots, in terms of types of certs issued or issuing conditions? (Just for my own interest.) - Do you have a certificate hierarchy diagram? Gerv
Comment 10•17 years ago
|
||
Scott: there are open questions in this bug; I'm waiting for a response from someone at SecureTrust. Gerv
Reporter | ||
Comment 11•17 years ago
|
||
(In reply to comment #10) > Scott: there are open questions in this bug; I'm waiting for a response from > someone at SecureTrust. > Gerv (In reply to comment #9) > - How can I verify that Boysen & Miller, PLLC actually exists and is a legal > CPA? The only hit Google has for them is your audit document. :-) The AICPA > does not have a membership list on their site. I would think you would rather check to make sure that they are Licensed to perform WebTrust audits... :) To check if they exist and are legal you would need to check with the Texas Board of Accountancy, found here: http://www.tsbpa.state.tx.us/ Here is the results of a search of their database: BOYSEN & MILLER, PLLC C04172 02/19/1997 09/31/2008 SAN ANTONIO, TX > - The audit documents relate to an "XRamp Corporation". How can I verify that > this and SecureTrust Corporation are the same thing? :-) XRamp Security Services, Inc. and SecureTrust Corporation are distinct and separate entities, which is why they were both included in our audit results. In fact, we got two separate EV Readiness audit reports, one for each company. > - Please can you provide HTTP download URLs for each certificate, along with a > (test?) website using an end entity certificate issued by each? https://stca.securetrust.com/ https://sgca.securetrust.com/ > - Is there actually any difference between the two roots, in terms of types of > certs issued or issuing conditions? (Just for my own interest.) Yes, but we can discuss the differences in a different forum - shoot me a private email if you are truly curious. > - Do you have a certificate hierarchy diagram? No - it would be completely flat at this point in any case. > Gerv Thanks Gerv, Scott
Comment 12•17 years ago
|
||
Scott, > XRamp Security Services, Inc. and SecureTrust Corporation are distinct and > separate entities, which is why they were both included in our audit results. > In fact, we got two separate EV Readiness audit reports, one for each > company. However, only XRamp Security Services, Inc. has a WebTrust audit... - at least, that's the URL you've given me. Does SecureTrust Corporation have one? > > - Please can you provide HTTP download URLs for each certificate, along > > with a > > (test?) website using an end entity certificate issued by each? > > https://stca.securetrust.com/ > https://sgca.securetrust.com/ Thanks for the test sites. Do you have an HTTP(S) download URL for the roots themselves? Gerv
Reporter | ||
Comment 13•17 years ago
|
||
Hi Gerv, Actually, it may not matter at this point - all of our roots are owned by XRamp Security Services, Inc. including the SecureTrust CA and Secure Global CA. I do not have a http download URL for the roots, can you simply save the certificate to disk? I can email them to you if you wish. Cheers, Scott
Comment 14•17 years ago
|
||
Scott: could you clarify exactly the legal relationship between XRamp Security Services, Inc. and SecureTrust Corporation? Is it your understanding of the WebTrust procedures and criteria that the WebTrust audit for XRamp covers SecureTrust? If so, why do the two have separate EV Readiness audits? If not, do you plan to get a WebTrust audit for SecureTrust? Regarding the certificates, we like to put an HTTP download URL on our "pending certificates" page so that people can install the certificates even before we have approved them. Also, having them available from the domain of the CA makes it obvious that we are downloading the correct, approved certificates. However, if you wish, you can attach them to this bug individually (not as a zip). Please use the "add attachment" link at the top of the page. Thanks, Gerv
Reporter | ||
Comment 15•17 years ago
|
||
Reporter | ||
Comment 16•17 years ago
|
||
Comment 17•17 years ago
|
||
OK, thanks. I have gathered together all the information you have provided, and placed it in the "pending" CA root certificate request list, which is here: http://www.mozilla.org/projects/security/certs/pending/ (Note: may take an hour or two to update.) Please confirm that the information for your CA is correct, and add a comment to this bug to that effect. Once you have done that, your application will turn "green" and be ready for consideration. (The question of how the audits work and how the companies relate has, in effect, been breached prematurely - it's really part of the next phase.) If your CA or certificate does not have a summary paragraph, please feel free to provide one. Note: these paragraphs are not supposed to be marketing statements :-) Gerv
Reporter | ||
Comment 18•17 years ago
|
||
Hi Gerv, The information looks correct - please move the application to a green status for consideration. Thanks! Scott
Comment 19•17 years ago
|
||
Scott: thanks for this. I've started the evaluation, and here are my first round of questions: - We really need some sort of public clarification of the exact relationship between XRamp, SecureTrust and AmbironTrustWave, and some confirmation from an appropriate authority that the WebTrust audit for XRamp covers these roots. How do you think we can best go about this? - The CPSes listed in your entry in the pending list seem to cover only SSL signing. Do you have documentation covering email and code signing, or should I remove those types of certificate from your application? - At what frequency do you issue CRL updates for end-entity certificates? Thanks, Gerv
Comment 20•17 years ago
|
||
Scott: Are you able to provide answers to these questions? This bug may be closed if no response is received... Gerv
Reporter | ||
Comment 21•17 years ago
|
||
Gerv, SecureTrust Corporation is a wholly owned subsidiary of TrustWave Holdings, Inc. dba AmbironTrustWave. XRamp was merged with SecureTrust at the time of the acquisition. Our WebTrust Auditor has been in contact with Bryan Walker and he assures us that we are still covered under WebTrust. If you are in need of more validation, you may want to call Bryan Walker yourself. Our Public CPS does not deal with Code Signing Certificates, most notably because we do not offer Code Signing certificates to the public. We do have a CPS for S/MIME, it is available on our website in the email certificate section. Most importantly, we WILL be issuing a new type of S/MIME certificate and we WILL be issuing code signing certificates soon, so it is important to include these extensions in Mozilla. As a WebTrust certified CA we will have to put a code signing CP in place prior to issuing a code signing certificate or we risk our WebTrust certification. All our roots are accepted by Microsoft for code signing and S/MIME. I would think it would be acceptable to have those types of certificates approved by Mozilla, but not issued by the CA until a later date. As far as the CRL goes, we update our CRL daily. Thanks, Scott
Comment 22•17 years ago
|
||
I'm afraid I'm on holiday for the next two weeks, so no more will happen here until after that. My apologies :-( Gerv
Comment 23•17 years ago
|
||
Scott, If you don't offer code signing certificates to the public, and the relevant CPS is not public, then we can't enable your roots for code signing. So you can either publish the CPS you are going to be using, or withdraw that part of the request for now, and put in a later request to modify the trust bits on the root. (That would be a rather simpler request than the addition of new roots.) I can't seem to find the S/MIME CPS you refer to. It's not at https://www.securetrust.com/legal/ . Could you give me the URL? I have sent an email to Bryan Walker just to confirm the WebTrust situation. BTW, https://www.securetrust.com/resources/evfaq/ erroneously lists Apple as a member of the CAB Forum. Gerv
Reporter | ||
Comment 24•17 years ago
|
||
Hi Gerv, I have copied our S/MIME CPS into our legal directory and posted our Code Signing CPS there as well. I hope this meets the requirement. Thanks for your patience! Please let me know if there is anything else I need to do. https://www.securetrust.com/legal/ Thanks again, Scott
Updated•17 years ago
|
Whiteboard: EV
Comment 25•17 years ago
|
||
Bryan Walker of CICA says in an email to me: "Gervase I have had some discussions with the auditor of Xramp and based on my understanding of the current situation the audit report is valid." Scott: I have some questions about the S/MIME and Code Signing CPSes. III B) of both says: "Other than as provided in Section III.B.3, SecureTrust does not verify the authority of the Subscriber to request a Certificate." However, there is no section numbered III.B.3 in either CPS! In the S/MIME CPS, III.B.2 says: "S/MIME certificates issued under this CPS are validated as to the email address only." However, it gives no information as to what validation is done or how. As you will know, our policy states that: "for a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf;" Do you confirm this? If so, how? When you are updating your CPS to fix the above error, can these steps please be spelled out? As for the Code Signing CPS, Section III.B.2 suggests that the CPS permits issuance of code signing certificates based on faxed documentation. Is this correct? It also suggests that you validate only the Organisational Name. Is that also correct? Gerv
Comment 26•17 years ago
|
||
Gerv/Frank, New versions of both the code signing and S/MIME CPSs are at https://www.securetrust.com/legal/. Changes to the practice statements are twofold: 1) legal review necessitating minor edits in regards to language by one of our in-house attorneys (Ms. Annabel R. Lewis) and myself. Syntax/spelling errors corrected including III.B.3 error mentioned above. 2) expansion of the verification and validation processes for both S/MIME & code signing CPSs . Due to the higher assurance levels required for code signing certificates, internal SecureTrust processes for diligence match corresponding processes for EV organization and legal entity validation and verification. In regards to the issuance of code signing certificates based on faxed documentation, Internal processes may _gather_ information from applicants based upon faxed documentation. Validation and verification of accuracy of documentation is done separately for code signing. Due to the high assurance level implicitly required for the issuance of a code signing certificate, as we do not want to issue to an "rogue" entity, validation processes are aligned much like the EV process - in regards to legal and organizational verification. Thank you, Andrew W. Gray SecureTrust CA Architect
Comment 27•17 years ago
|
||
Reassigning all open CA certificate inclusion request bugs to Frank Hecker, who is currently running the root program. Gerv
Assignee: gerv → hecker
Assignee | ||
Comment 28•17 years ago
|
||
I'm resolving this bug as INVALID, not because I'm rejecting the application, but because it is superseded by bug 409837 and bug 409838 (along with bug 409840 which refers to the separate XRamp CA operated by Trustwave. The most recent information can be found in the new bugs, and any follow-up comments should be directed there.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Updated•7 years ago
|
Product: mozilla.org → NSS
Comment hidden (spam) |
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•