For EV to work in FF3, mozilla.org needs to collect all (or most) of the new EV root CAs from CABForum CAs and add them to the root CA list. This bug exists to track the EV root CA certs that have been added, and to track the ones that have not yet been added. This bug blocks the completion of the overall EV effort for FF3.
Bug 386871 comment 16 documents that Thawte has a new EV Root CA cert, and web sites are starting to use it. I'd file an RFE for it, but I know that mozilla policy presently only accepts such requests from representatives of the CAs themselves, not from third parties (like me).
To my understanding there isn't a need to include any new CA certificate from Thawte, since the certificate is issued from an included root: Thawte Premium Server CA \ thawte Primary Root CA \ thawte Extended Validation SSL CA. Thawte Premium Server CA is present in the NSS CA store. The issue mentioned in Bug 386871 comment 16 is an incorrectly configured server which doesn't serve the chain of CA certificates as required.
The "Thawte Primary Root CA" cert is a new CA setup to issue EV certs. There are TWO certs for that CA, a self-signed root, and an intermediate CA cert issued by the older "Premium server CA" root. The subordinate EV certs will not be treated as EV certs until the EV root CA cert is known and recognized as an EV root in mozilla.
Created attachment 283962: Image of typical new EV cert verification path

This image, made by Kelvin Yiu for the CABForum, shows the set of CAs and CA certificates made for EV by a typical EV CA. I believe this picture describes exactly what's going on with Thawte. Thawte's "Legacy Root" is their "Premium Server" root, if I'm not mistaken. In the typical case, the CA company set up a new EV Root CA with a new EV Root CA cert, and a new EV intermediate CA with its own intermediate CA cert (called the "Issuing CA" in this picture), to issue the EV server certs (called the "EE" cert in this picture). But since old browsers don't have the new EV root CA cert in them, the EV CA companies then issued a second certificate for their EV Root CA. This second certificate (called the "Cross Certificate" in the picture) is an intermediate CA cert, despite being named as a Root CA. It has the same public key and same subject name as in the EV Root CA cert, and is issued by another older "Legacy Root" CA that is already in the older browsers. In some cases, the Legacy Root is actually a competitor's Root CA (!), but in many cases, the Legacy Root is just an older non-EV root that belongs to the same company as the new EV Root CA. Server administrators are supposed to configure their servers to send out their EE (server) cert, the "Issuing CA" cert, and the "Cross Certificate". Server administrators who do not configure their servers to send out the "Cross Certificate" have the problem that their EE certs do not work in browsers that don't have the EV root CA certs in them. Until Mozilla browsers have the EV root CA certs in them, they will continue to only be able to validate EV EE certs via the path through the old "Cross Certificate" and the "Legacy Root". EE certs validated that way will NOT show up as EV certs, but only as ordinary SSL server certs. That's why we need to get the new EV Roots into FF3, so that EV certs will be recognized as EV certs.
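The two comments above (the server that omits the cross certificate, and the path that ends at the legacy root and therefore is not EV) can be reproduced with a small path-building model. The following is an added illustration, not code from the thread, from NSS or from Thawte: it models certificates as name/key records and does no real signature checking. The CA names are the ones quoted in the thread; the key identifiers, the `www.example.com` server name and the EV-enabled flag on each trust anchor are assumptions made for the example.

```python
# Toy model of EV certificate path building with a cross-certificate.
# Constructed example: not NSS code, no real signature verification.
# CA names are taken from the thread; key identifiers are made up.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str          # identifies the certified public key
    issuer_key_id: str   # identifies the key that signed this cert
    ev_policy: bool = False   # EE cert asserts the CA's EV policy OID


Root = Tuple[str, str]  # (subject name, key id) of a trust anchor


def build_path(ee: Cert, sent: List[Cert], roots: Dict[Root, bool]
               ) -> Optional[Tuple[List[Cert], bool]]:
    """Find a chain from the EE cert to a trusted root.

    `sent` is the certificate list the server supplies with its EE cert.
    `roots` maps each trust anchor to whether it is enabled for EV.
    Returns (path, is_ev) or None when no anchor can be reached.
    """
    def extend(path, used):
        cur = path[-1]
        anchor = (cur.issuer, cur.issuer_key_id)
        if anchor in roots:            # reached a trust anchor: done
            return path, roots[anchor] and ee.ev_policy
        for cand in sent:              # otherwise look for the issuer's cert
            if cand in used:
                continue
            if cand.subject == cur.issuer and cand.key_id == cur.issuer_key_id:
                found = extend(path + [cand], used | {cand})
                if found:
                    return found
        return None
    return extend([ee], frozenset())


# Constructed certificates following the picture described in the thread.
EV_ROOT_KEY, LEGACY_KEY, ISSUING_KEY, SITE_KEY = "k-ev-root", "k-legacy", "k-issuing", "k-site"
LEGACY_ROOT: Root = ("Thawte Premium Server CA", LEGACY_KEY)
EV_ROOT: Root = ("thawte Primary Root CA", EV_ROOT_KEY)

ISSUING_CA = Cert("thawte Extended Validation SSL CA", "thawte Primary Root CA",
                  ISSUING_KEY, EV_ROOT_KEY)
# Cross Certificate: same subject and key as the EV root, signed by the legacy root.
CROSS_CERT = Cert("thawte Primary Root CA", "Thawte Premium Server CA",
                  EV_ROOT_KEY, LEGACY_KEY)
EE = Cert("www.example.com", "thawte Extended Validation SSL CA",
          SITE_KEY, ISSUING_KEY, ev_policy=True)

OLD_BROWSER = {LEGACY_ROOT: False}                   # legacy root only
NEW_BROWSER = {LEGACY_ROOT: False, EV_ROOT: True}    # EV root added, EV-enabled


def check(sent: List[Cert], roots: Dict[Root, bool]):
    """Return (subjects along the path, is_ev) or None if validation fails."""
    result = build_path(EE, sent, roots)
    if result is None:
        return None
    path, is_ev = result
    return [c.subject for c in path], is_ev


if __name__ == "__main__":
    print("old browser, full chain:   ", check([ISSUING_CA, CROSS_CERT], OLD_BROWSER))
    print("old browser, no cross cert:", check([ISSUING_CA], OLD_BROWSER))
    print("new browser, full chain:   ", check([ISSUING_CA, CROSS_CERT], NEW_BROWSER))
```

With only the legacy root trusted, the path runs through the cross certificate and is reported as a plain SSL chain; drop the cross certificate from what the server sends and validation fails outright. Once the EV root is a trust anchor, path building stops at the issuing CA and the chain is EV, but only if that anchor is also flagged as EV-enabled, which is the separate marking step the thread is asking for.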
In any case - whatever the reasons - CAs must apply for inclusion of any of their new/additional/cross-signed/whatever CA root certificates. This bug is superfluous and not relevant! There are various reasons why a CA must apply by themselves, which is beyond the scope of discussion via the Bugzilla bug reporting tool. Whatever was suggested in this bug would require a change of the Mozilla policy through the appropriate channels. The NSS library might however find other ways to mark a CA certificate as EV, and it might be rather a technical problem than a policy-related issue. Not sure, but worth investigating.
In continuation of this bug, may I remind that the current Mozilla CA policy doesn't even mention EV. Various sections such as section 7 have to be expanded and defined clearly before EV certificates shall be treated any differently than section 7 suggests. What are the accepted minimum requirements to have an EV certificate marked as such in the browser? What are the criteria to have a CA root marked as EV worthy? There might be other sections of the Mozilla policy which might require adjustments as well.
Cross-posting to bug 383183. Sections 8 and 14 also require an update IMO. Perhaps an additional policy dedicated to EV might be appropriate, something like the "Mozilla EV extension policy" or similar.
Reassigning all open CA certificate inclusion request bugs to Frank Hecker, who is currently running the root program. Gerv
Assignee: gerv → hecker
Summary: EV Root CA certificate umbrella bug for FF3 → EV Root CA certificate tracking umbrella bug for FF3
Bug 495044 is not fixed in FF3 - not sure if it will be and when - but since all the bugs which are part of bug 495044 (on which this bug depends) were marked as fixed, I thought to add it here.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED