Closed Bug 403437 Opened 17 years ago Closed 16 years ago

Request Valicert/Starfield/GoDaddy Root Certificates be enabled for EV

Product/Component: CA Program :: CA Certificate Root Program (task)
Status: RESOLVED FIXED
Reporter: waynezilla
Assigned: hecker
Whiteboard: EV

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: 

Please EV-enable the three roots owned by Go Daddy that are currently in the Mozilla root store:

1.  Valicert Class 2 Policy Validation Authority
2.  Go Daddy Class 2 CA
3.  Starfield Class 2 CA

These roots can be downloaded from:
- https://certificates.godaddy.com/repository
- https://certificates.starfieldtech.com/repository

You will also find the CPS (the Starfield CPS covers all three roots) and the WebTrust and EV audit report at the above URL (click on the WebTrust seal for the audit reports).

EV OIDs:
Go Daddy root - 2.16.840.1.114413.1.7.23.3
Valicert and Starfield roots - 2.16.840.1.114414.1.7.23.3


Clarification on the OIDs:
a.  The Go Daddy Class 2 CA issues EV certificates using 2.16.840.1.114413.1.7.23.3

b.  The Starfield Class 2 CA issues EV certificates using 2.16.840.1.114414.1.7.23.3

c.  Both of the above certificates are cross-signed to the Valicert Class 2 Policy Validation Authority root for legacy support.  Therefore, the Valicert Class 2 root should be configured to enable EV with BOTH OIDs.
OS: Windows Vista → All
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
I've now included an entry for Go Daddy in the pending list:

http://www.mozilla.org/projects/security/certs/pending/#Go%20Daddy

Wayne, could you please double-check the information in that entry? I'm especially interested in the situation with regard to OCSP; you seem to have something at ocsp.godaddy.com, but I don't know whether you have official OCSP support yet. Note that the answer has implications for whether EV certs actually get EV UI; see bug 413997 for more information.
The test sites are as follows:

Go Daddy Class 2 CA:  https://www.gdfutureroot.com
Starfield Class 2 CA:  https://www.sffutureroot.com

Valicert Class 2 CA:  https://www.godaddy.com (this site serves up a cross-certificate that chains to the Valicert Class 2 root, but the browser will prefer the Go Daddy Class 2 root - you can remove it from your root store for testing purposes)
Go Daddy has supported OCSP for all of our certificates since we went live with EV in Jan 2007 (and we had unofficial support for a while before that).

Updates to the pending list entries for Go Daddy Certificates:

1.  Please update the Link URL for the Go Daddy root from "certificates.godaddy.com..." to "certs.godaddy.com..." (we have moved everything EXCEPT our CRLs and OCSP under this new URL.  Old one redirects)
2.  Please update the CPS Document URL for the Go Daddy root to https://certs.godaddy.com/repository/StarfieldCP-CPS.pdf
3.  The OCSP URL for the Go Daddy root is ocsp.godaddy.com
4.  Please update the Link URL for the Valicert and Starfield roots from "certificates.starfieldtech.com..." to "certs.starfieldtech.com..." (we have moved everything EXCEPT our CRLs and OCSP under this new URL.  Old one redirects)
5.  Please update the CPS Document URL for the Valicert and Starfield roots to https://certs.starfieldtech.com/repository/StarfieldCP-CPS.pdf
6.  The OCSP URL for the Valicert and Starfield roots is ocsp.starfieldtech.com
7.  The Go Daddy Class 2 CA is valid to June 29, 2034
(In reply to comment #5)
> Go Daddy has supported OCSP for all of our certificates since we went live
> with EV in Jan 2007 (and we had unofficial support for a while before that).

Great, good to know.

> Updates to the pending list entries for Go Daddy Certificates:
> 
> 1.  Please update the Link URL for the Go Daddy root from
> "certificates.godaddy.com..." to "certs.godaddy.com..." (we have moved
> everything EXCEPT our CRLs and OCSP under this new URL.  Old one redirects)

Done.

> 2.  Please update the CPS Document URL for the Go Daddy root to
> https://certs.godaddy.com/repository/StarfieldCP-CPS.pdf

Done.

> 3.  The OCSP URL for the Go Daddy root is ocsp.godaddy.com

Done.

> 4.  Please update the Link URL for the Valicert and Starfield roots from
> "certificates.starfieldtech.com..." to "certs.starfieldtech.com..." (we have
> moved everything EXCEPT our CRLs and OCSP under this new URL.  Old one
> redirects)

Note that I actually had the Valicert and Starfield roots at certificates.godaddy.com, so have changed these to certs.starfieldtech.com.

I also had the Valicert and Starfield CRLs at godaddy.com, not starfieldtech.com; I've updated links for those to use certificates.starfieldtech.com.

> 5.  Please update the CPS Document URL for the Valicert and Starfield roots
> to https://certs.starfieldtech.com/repository/StarfieldCP-CPS.pdf

Done.

> 6.  The OCSP URL for the Valicert and Starfield roots is ocsp.starfieldtech.com

Done.

> 7.  The Go Daddy Class 2 CA is valid to June 29, 2034

Done.

I've corrected the Go Daddy entry in the pending list and checked it in. Please check it one more time to make sure I got all the changes right.

Looks good with one exception - remove the version number from all three of the CP/CPS links.
I've marked the Go Daddy entry in the pending list as complete, and am ready to make a preliminary judgment. As noted above and in the Go Daddy entry, this request is to add EV capability to roots already included in NSS, so I'm going to confine my comments to the EV aspects of this.

The CPS referenced in the Go Daddy entry applies to all three roots and their subordinate CAs (which are the ones actually issuing end entity certificates, per section 1.3.1 of the CPS). Section 3.1.11 describes procedures for validation of subscribers requesting EV certificates, referencing the EV guidelines. (Unlike CPSs from some CAs, the CPS basically incorporates the EV guidelines by reference, as opposed to cutting and pasting from the guidelines.)

As referenced in the Go Daddy entry, Go Daddy has successfully completed WebTrust for CAs and WebTrust EV audits, as attested by the standard document(s) available from the WebTrust site. The auditor in both cases was KPMG. The EV audit was done against the draft guidelines.

As far as I can tell Go Daddy has met the requirements of our policy relating to issuance of EV certs, and I therefore intend to approve this application to EV-enable its root CA certs, after allowing for a period of public comments.
The comment period has ended, and there are no outstanding issues and questions, so I'm formally approving the Go Daddy request to EV-enable its existing roots. I've filed bug 418958 to make the actual code changes required.
Depends on: 418958
(In reply to comment #4)
> The test sites are as follows:
> 
> Go Daddy Class 2 CA:  https://www.gdfutureroot.com
> Starfield Class 2 CA:  https://www.sffutureroot.com
> 
> Valicert Class 2 CA:  https://www.godaddy.com (this site serves up a
> cross-certificate that chains to the Valicert Class 2 root, but the browser
> will prefer the Go Daddy Class 2 root - you can remove it from your root store
> for testing purposes)

https://www.godaddy.com is a test site for your ...114413... OID

Do you have a 4th test site that chains to the Valicert root and uses the ...114414... OID?

I'd appreciate such a test site, because it's the first live example where the same root shall be valid for multiple OIDs. Thanks in advance!
https://seal.starfieldtech.com/ uses a cert with the 114414 OID and presents a chain in the handshake that chains to the Valicert root.  When accessed via current Firefox versions, it shows the chain as terminating at the Starfield Class 2 Certification Authority, presumably because that root is already built-in.
cc'ing Bob and Nelson, as this bug has examples for certs pointing to multiple roots via cross certs, see comment 10 and 11.
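
The cross-certificate situation discussed in this bug, as an added example (not code from the bug, from NSS, or from any commenter): a simplified model showing why the Valicert root needs both EV OIDs once a chain terminates there instead of at the built-in Go Daddy or Starfield root. The root names and OIDs are the ones given in the bug; the function names, the `EV_OIDS_SINGLE` misconfiguration and the path-walking logic are assumptions made for illustration.

```python
# Added illustration: a simplified model of EV policy matching, not NSS code.
GD_EV = "2.16.840.1.114413.1.7.23.3"  # Go Daddy EV OID (from the bug)
SF_EV = "2.16.840.1.114414.1.7.23.3"  # Starfield EV OID (from the bug)
GD = "Go Daddy Class 2 CA"
SF = "Starfield Class 2 CA"
VC = "Valicert Class 2 Policy Validation Authority"

# EV policy OIDs accepted per trust anchor, as requested in this bug.
EV_OIDS = {GD: {GD_EV}, SF: {SF_EV}, VC: {GD_EV, SF_EV}}
# Hypothetical misconfiguration: Valicert enabled for the Starfield OID only.
EV_OIDS_SINGLE = {GD: {GD_EV}, SF: {SF_EV}, VC: {SF_EV}}
# Cross-certificates: CA -> legacy root that also signed it.
CROSS_SIGNED_BY = {GD: VC, SF: VC}


def terminating_root(top_ca, trust_store):
    """Walk upward over cross-certificates; stop at the first trusted CA."""
    ca, seen = top_ca, set()
    while ca is not None and ca not in seen:
        if ca in trust_store:
            return ca
        seen.add(ca)
        ca = CROSS_SIGNED_BY.get(ca)
    return None


def ev_status(leaf_policy_oids, top_ca, trust_store, ev_oids=EV_OIDS):
    """Return (anchor, is_ev): EV needs a leaf policy OID registered for the anchor."""
    root = terminating_root(top_ca, trust_store)
    if root is None:
        return (None, False)
    return (root, bool(set(leaf_policy_oids) & ev_oids.get(root, set())))


if __name__ == "__main__":
    all_roots = {GD, SF, VC}
    cases = [
        ("GD leaf, all roots built in", {GD_EV}, GD, all_roots, EV_OIDS),
        ("GD leaf, GD root removed", {GD_EV}, GD, {SF, VC}, EV_OIDS),
        ("GD leaf, GD removed, Valicert single-OID", {GD_EV}, GD, {SF, VC}, EV_OIDS_SINGLE),
        ("SF leaf, only Valicert trusted", {SF_EV}, SF, {VC}, EV_OIDS),
    ]
    for label, oids, top, store, table in cases:
        print(label, "->", ev_status(oids, top, store, table))
```
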
Since bug 418958 is now FIXED, resolving this bug as FIXED as well.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program