398944 - EV Root CA certificate tracking umbrella bug for FF3

Status: RESOLVED FIXED

(CA Program :: CA Certificate Root Program, task)

Description

[Nelson Bolyard (seldom reads bugmail)]

For EV to work in FF3, mozilla.org needs to collect all (or most) of the
new EV root CAs from CABForum CAs and add them to the root CA list. 

This bug exists to track the EV root CA certs that have been added, and
to track the ones that have not yet been added.  This bug blocks the 
completion of the overall EV effort for FF3.

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Bug 386871 comment 16 documents that Thawte has a new EV Root CA cert, and
web sites are starting to use it.  I'd file an RFE for it, but I know that
mozilla policy presently only accepts such requests from representatives 
of the CAs themselves, not from third parties (like me).

Comment 2

[Eddy Nigg (StartCom)]

To all of my understanding there isn't a need to include any new CA certificate from Thawte, since the certificate is issued from an included root:

Thawte Premium Server CA
 \
  thawte Primary Root CA
   \
    thawte Extended Validation SSL CA

Thawte Premium Server CA is present in the NSS CA store. The issue mentioned in Bug 386871 comment 16 is an incorrect configured server which doesn't serve the chain of CA certificates as required.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

The "Thawte Primary Root CA" cert is a new CA setup to issue EV certs.
There are TWO certs for that CA, a self-signed root, and an intermediate
CA cert issued by the older "Premium server CA" root.  The subordinate 
EV certs will not be treated as EV certs until the EV root CA cert is 
known and recognized as an EV root in mozilla.

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Attachment: Image of typical new EV cert verification path

This image, made by Kelvin Yiu for the CABForum, shows the set of CAs
and CA certificates made for EV by a typical EV CA.  I believe this 
picture describes exactly what's going on with Thawte.  Thawte's 
"Legacy Root" is their "Premium Server" root, if I'm not mistaken.

In the typical case, the CA company set up a new EV Root CA with a new
EV Root CA cert, and a new EV intermediate CA with its own intermediate 
CA cert (called the "Issuing CA" in this picture), to issue the EV server 
certs (called the "EE" cert in this picture).  

But since old browsers don't have the new EV root CA cert in them, the 
EV CA companies then issued a second certificate for their EV Root CA.
This second certificate (called the "Cross Certificate" in the picture) 
is an intermediate CA cert, despite being named as a Root CA.  It has the
same public key and same subject name as in the EV Root CA cert, and is 
issued by another older "Legacy Root" CA that is already in the older 
browsers.  In some cases, the Legacy Root is actually a competitor's 
Root CA (!), but in many cases, the Legacy Root is just an older non-EV 
root that belongs to the same company as the new EV Root CA.

Server administrators are supposed to configure their servers to send out 
their EE (server) cert, the "Issuing CA" cert, and the "Cross Certificate".
Server administrators who do not configure their servers to send out the
"Cross Certificate" have the problem that their EE certs do not work in 
browsers that don't have the EV root CA certs in them.  

Until Mozilla browsers have the EV root CA certs in them, they will 
continue to only be able to validate EV EE certs via the path through the 
old "Cross Certificate" and the "Legacy Root".  EE certs validated that 
way will NOT show up as EV certs, but only as ordinary SSL server certs.  
That's why we need to get the new EV Roots into FF3, so that EV certs will
be recognized as EV certs.

Comment 5

[Eddy Nigg (StartCom)]

In any case - whatever the reasons - CAs must apply for including any of their new/additional/cross-signed/whatever CA root certificates. This bug is superfluous and not relevant! 

There are various reasons why a CA must apply by themselves, which is beyond the scope of discussion via the Bugzilla bug reporting tool. Whatever was suggested in this bug would require a change of the Mozilla policy through the appropriate channels.

The NSS library might however find other ways to mark a CA certificate as EV and it might be rather a technical problem then a policy related issue. Not sure, but worth investigating.

Comment 6

[Eddy Nigg (StartCom)]

In continuation of this bug, may I remind that the current Mozilla CA policy doesn't even mention EV. Various sections such as section 7 have to be expanded and defined clearly before EV certificates shall be treated any different then section 7 suggests. What are the accepted minimum requirements to have an EV certificate marked as such in the browser? What is the criteria to have a CA root marked as EV worthy? There might be other sections of the Mozilla policy which might require adjustments as well.

Comment 7

[Eddy Nigg (StartCom)]

Cross posting to bug 383183.

Sections 8 and 14 also requires an update IMO. Perhaps an additional policy dedicated to EV might be appropriate, something like the "Mozilla EV extension policy" or similar.

Comment 8

[Gervase Markham [:gerv]]

Reassigning all open CA certificate inclusion request bugs to Frank Hecker, who is currently running the root program.

Gerv

Comment 9

[Eddy Nigg (StartCom)]

Bug 495044 is not fixed in FF3 - not sure if it will and when, but since all the bugs which are part of bug 495044 were marked as fixed (on which this bug depends) I thought to add it here.