Closed Bug 393166 Opened 14 years ago Closed 12 years ago
Add Certigna certificates to Mozilla root CA list
98.50 KB, application/msword
83.88 KB, application/pdf
97.26 KB, application/pdf
309.71 KB, application/pdf
92.00 KB, application/pdf
344.44 KB, application/pdf
506.31 KB, application/pdf
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; fr; rv:126.96.36.199) Gecko/20070725 Firefox/188.8.131.52 Build Identifier: The certificates are : Certigna ROOT authority certificate Certigna SSL secondary authority certificate Certigna ID secondary authority certificate and optionnally Certigna Chiffrement secondary authority certificate you can find them to the address : http://www.certigna.fr/chaine_certification.php Certificate policies are on this page. The CAs are compliant with ETSI-102042 : We have obtain a TS-102042 certification on august, the 20th in France Reproducible: Always Certigna ROOT is the root for Certigna SSL, Certigna ID, Certigna Chiffrement. Certigna SSL is for SSL-enabled servers Certigna ID is for authentication and digitally-signed email Certigna Chiffrement is for encrypted emails If you need more informations you can contact us ( Yannick LEPLARD or Arnauld DUBOIS ) : - DHIMYOTIS, 20 allée de la raperie 59493 Villeneuve d'Ascq - email : email@example.com - +(33)320 792 409 Best Regards, Y. LEPLARD
Please fill out the following form, and place the result as a plain text comment in this bug: CA Details ---------- CA Name: Website: One Paragraph Summary of CA, including the following: - General nature (e.g., commercial, government, academic/research, nonprofit) - Primary geographical area(s) served - Number and type of subordinate CAs Audit Type (WebTrust, ETSI etc.): Auditor: Auditor Website: Audit Document URL(s): URL of certificate hierarchy diagram: Certificate Details ------------------- (To be completed once for each certificate; note that we only include root certificates in the store, not intermediates.) Certificate Name: Summary Paragraph, including the following: - End entity certificate issuance policy, i.e. what you plan to do with the root Certificate HTTP URL (on CA website): Version: SHA1 Fingerprint: Modulus Length (a.k.a. "key length"): Valid From (YYYY-MM-DD): Valid To (YYYY-MM-DD): CRL HTTP URL: CRL issuing frequency for end-entity certificates: OCSP URL: Class (domain-validated, identity/organisationally-validated or EV): Certificate Policy URL: CPS URL: Requested Trust Indicators (email and/or SSL and/or code): URL of website using certificate chained to this root (if applying for SSL): Many thanks, Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Request for certificates to be added to the default set → Add Certigna certificates to NSS root store
CA Name: Certigna Website: http://www.certigna.fr One Paragraph Summary of CA, including the following: -CERTIGNA is a commercial CA - CERTIGNA is a French CA for European market at the beginning, and we expect to deserve soon other countries ( India, USA, South America ... ) - 3 subordinates CAs : Certigna ID ( authentication and signing CA is TS-102042 compliant ), Certigna SSL ( SSL CA is TS-102042 compliant ), Certigna Chiffrement ( encryption CA is the complement of Certigna ID ) Audit Type (WebTrust, ETSI etc.): ETSI TS-102042 Auditor: LSTI Auditor Website: http://www.lsti.fr Audit Document URL(s): see http://www.lsti.fr URL of certificate hierarchy diagram: http://www.certigna.fr/chaine_certification.php 1. Certificate Details ------------------- Certificate Name: Certigna SSL Summary Paragraph, including the following: SSL certificate, for verification of web sites Certificate HTTP URL (on CA website): http://www.certigna.fr/chaine_certification.php Version: X509v3 SHA1 Fingerprint: 08 D9 2B 6E 2E 81 C0 B4 C7 A7 9C 44 84 8A 71 20 02 EB 94 DF Modulus Length (a.k.a. "key length"): 2048 Valid From (YYYY-MM-DD): 2007-07-03 Valid To (YYYY-MM-DD): 2017-07-03 CRL HTTP URL: http://www.certigna.fr/crl/certignassl.crl and http://www.dhimyotis.com/crl/certignassl.crl CRL issuing frequency for end-entity certificates: after a certificate's revocation, or every 72 hours. OCSP URL: http://ocsp.certigna.fr/certignassl Class (domain-validated, identity/organisationally-validated or EV): identity/organisationally-validated Certificate Policy URL: http://www.certigna.fr/chaine_certification.php CPS URL: not public. see http://www.certigna.fr/chaine_certification.php Requested Trust Indicators (email and/or SSL and/or code): SSL URL of website using certificate chained to this root (if applying for SSL): https://www.certigna.fr 2. Certificate Details ------------------- Certificate Name: Certigna ID Summary Paragraph, including the following: authentication and electronic signing of mails and documents Certificate HTTP URL (on CA website): http://www.certigna.fr/chaine_certification.php Version: X509v3 SHA1 Fingerprint: 75 19 EC 92 9A E4 A0 2D 90 68 F9 71 92 F9 73 45 56 A9 69 47 Modulus Length (a.k.a. "key length"): 2048 Valid From (YYYY-MM-DD): 2007-07-03 Valid To (YYYY-MM-DD): 2017-07-03 CRL HTTP URL: http://www.certigna.fr/crl/certignaid.crl and http://www.dhimyotis.com/crl/certignaid.crl CRL issuing frequency for end-entity certificates: after a certificate's revocation, or every 72 hours. OCSP URL: http://ocsp.certigna.fr/certignaid Class (domain-validated, identity/organisationally-validated or EV): identity/organisationnally-validated Certificate Policy URL: http://www.certigna.fr/chaine_certification.php CPS URL: not public. see http://www.certigna.fr/chaine_certification.php Requested Trust Indicators (email and/or SSL and/or code): email and SSL and code URL of website using certificate chained to this root (if applying for SSL): -
Mr. Leplard, We only include root certificates, not intermediates. Please can you provide a similar set of information for your root certificate, and we will consider it for inclusion. Gerv
Status: NEW → ASSIGNED
Priority: -- → P2
OK. Here are the informations for the root Certigna. Best regards, Y. LEPLARD Certificate Details for Certigna root ------------------- Certificate Name: Certigna Summary Paragraph, including the following: authentication and electronic signing of mails and documents Certificate HTTP URL (on CA website): http://www.certigna.fr/chaine_certification.php Version: X509v3 SHA1 Fingerprint: B1 2E 13 63 45 86 A4 6F 1A B2 60 68 37 58 2D C4 AC FD 94 97 Modulus Length (a.k.a. "key length"): 2048 Valid From (YYYY-MM-DD): 2007-06-29 Valid To (YYYY-MM-DD): 2027-06-29 CRL HTTP URL: - CRL issuing frequency for end-entity certificates: after a certificate's revocation, or every 72 hours for Certigna SSL and Certigna ID ( for the LAR = after a certificate's revocation, or every 365 days ) OCSP URL: - Class (domain-validated, identity/organisationally-validated or EV): identity/organisationnally-validated Certificate Policy URL: http://www.certigna.fr/chaine_certification.php CPS URL: not public. see http://www.certigna.fr/chaine_certification.php Requested Trust Indicators (email and/or SSL and/or code): SSL CA, S/MIME CA, Object Signing CA URL of website using certificate chained to this root (if applying for SSL): https://www.certigna.fr
Dear Mr Markham, any news about the process of inclusion ? do you have all the informations you need ? Best regards, Yannick LEPLARD
Mr Leplard, I have handed over responsibility for CA certs to Frank Hecker, who should be in touch soon. Gerv
Mr hecker, Did you find time to have a look at our reqest ? do you need more informations ? Some news about our root CA Certigna : we have been accepted in the Microsoft root CA program last week ( and Certigna should be added in the store in februrary 2008 ). The process is in progress with Apple. Best regards, Yannick Leplard
Mr Hecker, it's okay with Apple's root CA program. Certigna will be added to the keychain in 6 weeks. Any news about our request ? Many of our customers are Firefox users. Best Regards, Yannick LEPLARD
Reassigning all open CA certificate inclusion request bugs to Frank Hecker, who is currently running the root program. Gerv
Assignee: gerv → hecker
Status: ASSIGNED → NEW
Assigning this bug to myself. Right now I am prioritizing work on bugs related to CAs issuing Extended Validation certificates; I will look at this bug after I finish processing those other bugs.
Status: NEW → ASSIGNED
Mr Hecker, I'm back to you to get information about our request for Certigna root. Some informations about Certigna : - the Microsoft root certificates update is now effective in both Windows Vista and Windows XP. - we are in the final stage for the PRIS certification ( a French government standard ) Best regards, Yannick Leplard
Assigning to Kathleen Wilson to do information gathering for this request. This is the first step in considering this request and potentially approving it. The whole process might take 2-3 months.
Assignee: hecker → kathleen95014
Status: ASSIGNED → NEW
As per Frank’s note, I have been asked to do the information gathering and verification for this request. Attached is the initial information-gathering document which summarizes the information that has been gathered. Within the document I have highlighted in yellow the information that is still needed, and I will summarize below. 1) When I add this entry to the pending list (http://www.mozilla.org/projects/security/certs/pending/), should I enter “Certigna of Dhimyotis” for the company name? For the company url should I use http://www.dhimyotis.com or http://www.certigna.fr ? 2) I am supposed to review the CP/CPS to ensure that procedures are in place to do the following. Would you please translate the relevant text from the latest CP or CPS into English? a) For SSL, verify that the domain referenced in the certificate is owned/controlled by the certificate subscriber. b) Verify the email account associated with the email address in the cert is owned by the subscriber, in addition to verification of subscriber’s legal identity. c) Verify identity information in code signing certificates is that of subscriber d) Make sure it’s clear which checks are done for which context (cert usage) We are looking for text that describes exactly what information is verified, and how the information is verified. 3) Please provide the translated text from the CP/CPS that states that the identity and organization of the certificate subscriber are validated. 4) I’m supposed to review the CP/CPS for potentially problematic practices, as per http://wiki.mozilla.org/CA:Problematic_Practices. Would you please comment as to whether any of these are relevant. If relevant, please provide further info: • Long-Lived Domain-Validated SSL certs • Wildcard DV SSL certs • Issuing end entity certs directly from root rather than using an offline root and issuing certs through a subordinate CA • Allowing external entities to operate subordinate CAs – in this case need to demonstrate that the external entities are required to follow the CPS and are audited as such. Thanks, Kathleen
1) "Certigna of Dhimyotis" is all right for the company name in the pending list. ( Dhimyotis is the name of the company and Certigna is the brand for our certificates. ) For the company url we would like http://www.certigna.fr 2) 3) 4) I provide you the informations as soon as possible. Best regards Yannick
2) a) CERTIGNA SSL CP and CPS "Chapter 3.2.3. Identity validation …. The certificate request file sent to the RA must include : • … • Proof of possession by the organization of domain name corresponding to the FQDN" b) CERTIGNA ID CP and CPS "Chapter 3.2.3. Identity validation ... The certificate request file sent to the RA must include : • The Certigna ID certificate request form, available on Certigna Web site, fully filled and signed by the subscriber. It includes : o Acceptance of terms and conditions o First and last name to be included in certificate o Subscriber informations (name, address, e-mail) o Copy of a valid identity document when recording the subscriber In some cases, the request file must include : If the subscriber belongs to an organization : • Proof of attachment to this organization • Authorized representative of the organization informations (name, organization, addresse, phone, e-mail), whose name is mentioned in the certificate request form • Copy of a valid official document when recording the request, including the SIREN number (DUNS equivalent for France), or by default another valid document proving unique identity of the organization." c) no code signing certificates. d) CERTIGNA ID CP and CPS "1.4. Certificates usage 1.4.1. Certificate usage applicability It is expressly agreed that the certificate owner can use his/her certificate only in purposes of authentication and signature. In the specific cases of financial transactions signature, these transactions are guaranteed for a maximal 10000 € amount. All other uses are made under the only responsibility of the certificate owner. ... 1.4.2. Prohibited domains of use Key pairs and certificates usage restrictions are described in chapter 4.5 below. ... 4.5. Key pairs and certificates usage 4.5.1. Private key and certificate owner usage Use of the private key and the certificate is restricted to authentication and signature services. Owners must strictly conform to this usage. Their responsibility can be engaged in case of non respect. Permitted use of key pair and corresponding certificate is mentioned in the certificate itself, in the Key Usage extension which specify nonRepudiation and digitalSignature values. 4.5.2. User public key and certificate usage Certificate users must strictly conform to permitted usages. Their responsibility can be engaged in case of non respect." 3) This point has been exposed in b). For reminder : "In some cases, the request file must include : If the subscriber belongs to an organization : • Proof of attachment to this organization • Authorized representative of the organization informations (name, organization, address, phone, e-mail), whose name is mentioned in the certificate request form • Copy of a valid official document when recording the request, including the SIREN number (DUNS equivalent for France), or by default another valid document proving unique identity of the organization." 4) We don't have potentially problematic practices as per http://wiki.mozilla.org/CA:Problematic_Practices. Best regards, Yannick
Hi Yannick, Thank you for the information. I need to make sure a couple of items are crystal clear before we can move on to the discussion phase. I apologize if this seems redundant. #2a: Does the RA do anything to verify the proof-of-possession information provided for the domain name? Is this a documented practice/policy for the RA? #2b: Does the RA do anything to verify that the email address provided is indeed owned/controlled by the subscriber? Is this a documented practice/policy for the RA? #2c: Since there are no code signing certificates, can I change the requested trust bits to not include code signing? Thanks, Kathleen
Hi Kathleen, #2a : Yes, we verify the information in whois registries. This is documented in an internal document. #2b : Yes. - There is a registration form with the email address signed and dispatched to us by the subscriber. - We verify that the CSR contains the same address than the one in the form - We send the certificate to the subscriber by mail (to the e-mail address of the form). This is documented in an internal document. #2c : No, because we have planned to make code signing certificates in the near future. If the need arises our CP/ CPS will have text about : "Verify identity information in code signing certificates is that of subscriber" Bests regards, Yannick
Attaching the completed information gathering document which summarizes the info that has been gathered and verified.
The Information Gathering phase of this request is complete. Assigning to Frank, so he can proceed with the public discussion phase. Thanks, Kathleen
Assignee: kathleen95014 → hecker
Status: NEW → ASSIGNED
Whiteboard: Information confirmed complete
Hi, For more than three weeks Certigna is in the Pending Certificate List with the state "Information confirmed complete". How long is the process - if it's ok - to get the state "Public discussion/inclusion", and before the inclusion ? Best regards, Yannick
I do not yet know when this request will be scheduled for public discussion. However, there has been a renewed interest in working through the backlog of CA requests. We have noticed that due to the backlog of CA requests, some of the audit documents have become outdated. Do you happen to have an updated audit document? Thanks, Kathleen
Yes, we have updated audit documents. The surveillance audit was done on july 2008, and it's ok. You can call the auditor of LSTI ( Mr Bouchet +33 1 30 61 50 60 ) Best regards, Yannick
Did you contact LSTI ? is it ok for the audit documents ? Best Regards, Yannick
Yes, I did contact LSTI via their website, and received the following email: --- Sent: Tuesday, October 14, 2008 10:42:17 AM Subject: certigna certification Dear Madam, I confirm, as CEO of LSTI , that Dhymiotis has been audited in july 2008 and that their ETSI 102042 certificate is maintained for the certigna certificate. Don't hesitate to call us for further information Best regards Armelle Trotin Directrice LSTI Organisme certificateur --- I also asked if they can provide a link to the latest audit info, but no further reply. Perhaps you can provide a link to the latest audit statement? Thanks, Kathleen
I send you by email the audit report. It's not a public document. Best regards, yannick
A public statement of compliance with ETSI 102.042 has been provided by their 2008 auditor and posted on Certigna's website: http://www.certigna.fr/downloads/attestation_lsti.pdf I have independently verified this information with the auditor, and have updated the pending list with the new audit info: http://www.mozilla.org/projects/security/certs/pending/ Kathleen
The entire team of Dhimyotis wishes you a great year 2009. is anything ok with Certigna ? Yannick
Converting from msword format to pdf. I plan to put this request into public discussion next week as per the queue shown at https://wiki.mozilla.org/CA:Schedule
Attachment #335057 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Certigna to add the Certigna CA root certificate to Mozilla. Public discussion will be in the mozilla.dev.tech.crypto newsgroup and the corresponding firstname.lastname@example.org mailing list. http://www.mozilla.org/community/developer-forums.html https://lists.mozilla.org/listinfo/dev-tech-crypto Please actively review, respond, and contribute to the discussion.
Whiteboard: Information confirmed complete → In Public Discussion
This concludes the first public discussion about Certigna’s request to add one new root CA certificate to the Mozilla root store. The summary of the action items resulting from this first public discussion is as follows. A publicly available document that is evaluated as part of the annual audit needs to be provided, and it must include information that satisfies section 7, parts a, b, and c of the Mozilla CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/. This document also needs to address the potentially problematic practices as per https://wiki.mozilla.org/CA:Problematic_Practices. Certigna’s CPS contains sensitive information that cannot be posted publicly at this time. As such, the following possible solutions are recommended: 1) Publish a version of the CPS with the confidential material redacted. 2) Publish just those portions of the CPS that address the items noted above, and have your auditor confirm to us that the sections provided are from the CPS that was referenced in your audit.
I believe it is necessary that, if option 1 is chosen, the outside auditor must confirm that the public information in redacted version of the CPS is identical to the corresponding statements in the private CPS.
I removed the reference to NSS from the subject to reduce confusion.
Summary: Add Certigna certificates to NSS root store → Add Certigna certificates to Mozilla root CA list
I have sent a translation of a portion of the CPS to Kathleen Wilson, and Mr Bouchet, the lead auditor from LSTI, has confimed to Mrs Wilson the translation was reviewed during the certification audit.
I am attaching the portion of the CPS that can be publicly posted, and that is relevant to the previous discussion. I have received email from the lead auditor for LSTI which states that this part of the CPS was indeed reviewed during Certigna’s last audit. LSTI is an accredited certification body in France who provided the previous audit statement dated 8/20/2008.
I am now opening the second public discussion period for this request from Certigna to add the Certigna CA root certificate to Mozilla. http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/06bbc8886796cb2d# The discussion topic is: Certigna Root Inclusion Request Round 2 Please actively review, respond, and contribute to the discussion.
Re-assigning this bug to Kathleen Wilson, since she's the person actively working on it.
Assignee: hecker → kathleen95014
The public comment period for this request is now over. This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at http://www.mozilla.org/projects/security/certs/policy/ Here follows a summary of the assessment. If anyone sees any factual errors, please point them out. To summarize, this assessment is for the request to add a new root CA certificate for the Certigna root. Section 4 [Technical]. I am not aware of any technical issues with certificates issued by Certigna, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report. Section 6 [Relevancy and Policy]. Certigna appears to provide a service relevant to Mozilla users: It is a French certificate authority serving the European market, with plans to expand into other countries. The certificate policies for Certigna’s SSL and ID subordinate CAs are published on their website and listed in the entry on the pending applications list. These are provided in French. http://www.certigna.fr/documents/pc_certigna_ssl.php http://www.certigna.fr/documents/pc_certigna_id.php The public portion of the Certigna CPS has been attached to this bug, and the English translations have also been attached. CPS: https://bugzilla.mozilla.org/attachment.cgi?id=364343 English: https://bugzilla.mozilla.org/attachment.cgi?id=364146 Code Signing: https://bugzilla.mozilla.org/attachment.cgi?id=365278 During the discussions two items have been requested: 1) The public portion of the Certigna CPS should be made public and posted on their website. 2) The internal document for code signing should be made part of the CPS. While Certigna is encouraged to do these two action items, these will not block the inclusion request. Section 7 [Validation]. Certigna appears to meet the minimum requirements for subscriber verification, as follows: * Email: When the requested certificate contains an email address, Certigna verifies that the CSR contains the same email address as on the registration form. Certigna also checks the email address as per CPS section 5.2.6 to verify that the left-hand side of the email address matches the applicant name, and the right-hand side of the email address matches the organization’s website or name. Certigna sends the certificate to the subscriber by email to the email address of the registration form. * SSL: Certigna’s CPS section 5.2.7 specifies the controls for applications for server certificates. It says that in addition to verifying the identity of the applicant, Certigna uses the whois service (www.whois.net) to verify that the organization owns the FQDN in the requested certificate. * Code: There is a separate internal document for the new code-signing sub-CA. The section of the document that describes the verification of the identity of the subscriber has been translated into English and attached to the bug at the link provided above. Section 8-10 [Audit]. Section 8-10 [Audit]. Certigna is audited by La Sécurité des Technologies de l'Information (LSTI) using the ETSI 102.042 criteria. The LSTI website lists the criteria, audit procedures, and certificate of compliance for Certigna and the SSL and ID sub-CAs. LSTI has also provided a separate statement that Certigna is compliant with the ETSI 102.042 criteria. Section 13 [Certificate Hierarchy]. The Certigna root has four internally-operated subordinated CA’s: Certigna SSL is for SSL-enabled servers, Certigna ID is for authentication and digitally-signed email, Certigna Chiffrement is for encrypting email, and a new sub-CA for code-signing has been recently created. The request is to enable all three trust bits. Other: Certigna issues its CRL every 72 hours. OCSP is also provided. Potentially problematic practices: None noted. Based on this assessment I recommend that Mozilla approve this request to add the Certigna Certificate Authority root certificate to NSS.
To Kathleen: Thank you for your work on this request. To the representatives of Certigna: Thank you for your cooperation and your patience. To all others who have commented on this bug: Thank you for volunteering your time to assist in reviewing this CA request. I have reviewed the summary and recommendation in comment #39, and on behalf of the Mozilla project I approve the request from Certigna to add the following root certificate to NSS, with trust bits set as indicated: * Certigna (email, SSL) It's unclear to me what the status is with regard to code signing, and in particular whether code signing was referenced in the audit that was done. I'm therefore postponing approval of this root for code signing, and would like Certigna to submit a separate new request to have the code signing trust bit enabled. Kathleen, could you please do the following: 1. File the necessary bug against NSS. 2. Mark this bug as dependent on the NSS bug. 4. When that bug is RESOLVED FIXED, change the status of this bug to RESOLVED FIXED as well. Thanks in advance!
I have filed bug 483889 against NSS for the actual changes. As indicated in Comment #40, the websites and email trust bits have been requested. The code signing trust bit will need to be handled through a new request when the CPS and audit covering the new sub-CA have been completed.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.