Request for CA Root Certificate be enabled for EV (DigiCert High Assurance EV Root CA)

RESOLVED FIXED

Status

task
RESOLVED FIXED
12 years ago
2 years ago

People

(Reporter: ken, Assigned: hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: EV, URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: 

Per Frank Hecker's instructions we are formally requesting that EV be enabled for the following DigiCert root: DigiCert High Assurance EV Root CA. 

DigiCert has successfully completed the WebTrust for Certification Authorities Extended Validation Criteria audit. Below is the requested information:

----------------------------
CA Root Certificate: DigiCert High Assurance EV Root CA
*Note: you can download a copy of our CA Root Certificate at the following link: http://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt

Certificate Details (also view: http://www.mozilla.org/projects/security/certs/included/):
SHA1 - 5F:B7:EE:06:33:E2:59:DB:AD:OC:4C:9A:E6:D3:8F:1A:61:C7:DC:25
Version - 3
Modulus (key length) - 2048
Valid From - 2006/11/10
Valid To - 2031/11/10
Revocation - CRL, OCSP
Type - OV, EV
Requested Trust Bits - Websites, Email
Inclusion Date - 2007/06/05

DigiCert EV OID: 2.16.840.1.114412.2.1
----------------------------
DigiCert's EV CPS is located at the following link: http://www.digicert.com/DigiCert_EV-CPS.pdf
----------------------------
DigiCert displays the WebTrust for Extended Validation seal on our home page which links to the following completed Audit Report/Management’s Assertions: https://www.digicert.com/ev-final-webtrust-report.pdf
----------------------------

I believe the details provided above are complete based on Frank's outline. If you require any additional information please let me know.

Best Regards,

Ken Bretschneider
DigiCert, Inc.
ken@digicert.com

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Assignee)

Updated

12 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV
(Assignee)

Comment 1

12 years ago
I've put an entry for this request in the pending request list at

http://www.mozilla.org/projects/security/certs/pending/#DigiCert

Please double-check the information and links and let me know if any corrections or additions are needed.
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
(Assignee)

Comment 3

12 years ago
I have evaluated this request, as per the Mozilla CA policy:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for my delays in processing the request.

This root CA cert is already included in Mozilla; for details on the original application see bug 364568. As far as I can tell nothing substantive has changed since the original approval, so I won't repeat all the material Gerv posted in that bug. This bug is simply to upgrade the root CA cert for EV use, based on successful completion of a WebTrust EV audit by KPMG; the other cert-related data, including the trust bits, are not changing. For full details of the process by which Digicert validates the identity of applicants, see section 3.2 of the EV CPS:

http://www.digicert.com/DigiCert_EV-CPS.pdf

The WebTrust EV audit document appears to be in order; the only issue I can see is that the document was provided by the CA, not by the auditors. (Incidentally, based on the applications I'm seeing I think this is going to be a common problem with WebTrust EV audits, at least until WebTrust EV audits get fully incorporated in the "WebTrust seal" program and the reports get posted on the cert.webtrust.org site.) Note that the audit was completed in August 2007, which means that the it was against the final 1.0 version of the EV guidelines.

Based on the above information, I propose to approve the enabling of the
existing DigiCert High Assurance EV Root CA root for EV use in NSS and thence in Firefox and other Mozilla-based products, contingent only upon verification by the auditor that the audit report provided by the CA is valid. (I'll most likely just contact KPMG directly and verify this, unless KPMG wants to put a copy of the report on their own site.) In the meantime I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable
newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics

(Reporter)

Comment 4

12 years ago
(In reply to comment #2)
> Independent of approval process, for technical testing purposes: Could you
> please supply an https:// URL to an example SSL server (customer or demo) that
> uses a server cert issued (directly or through intermediates) by this root?
> Should you request multiple roots to be enabled for EV, please provide one
> example URL for each root. Thank you.
> 

Hello Kai,

You can view an example of our EV root directly on our website at: https://www.digicert.com/

Only the above listed root will be enabled for EV.

Cheers, Ken
(Reporter)

Comment 5

12 years ago
(In reply to comment #3)
> I have evaluated this request, as per the Mozilla CA policy:
> 
> http://www.mozilla.org/projects/security/certs/policy/
> 
> I apologize for my delays in processing the request.
> 
> This root CA cert is already included in Mozilla; for details on the original
> application see bug 364568. As far as I can tell nothing substantive has
> changed since the original approval, so I won't repeat all the material Gerv
> posted in that bug. This bug is simply to upgrade the root CA cert for EV use,
> based on successful completion of a WebTrust EV audit by KPMG; the other
> cert-related data, including the trust bits, are not changing. For full details
> of the process by which Digicert validates the identity of applicants, see
> section 3.2 of the EV CPS:
> 
> http://www.digicert.com/DigiCert_EV-CPS.pdf
> 
> The WebTrust EV audit document appears to be in order; the only issue I can see
> is that the document was provided by the CA, not by the auditors.
> (Incidentally, based on the applications I'm seeing I think this is going to be
> a common problem with WebTrust EV audits, at least until WebTrust EV audits get
> fully incorporated in the "WebTrust seal" program and the reports get posted on
> the cert.webtrust.org site.) Note that the audit was completed in August 2007,
> which means that the it was against the final 1.0 version of the EV guidelines.
> 
> Based on the above information, I propose to approve the enabling of the
> existing DigiCert High Assurance EV Root CA root for EV use in NSS and thence
> in Firefox and other Mozilla-based products, contingent only upon verification
> by the auditor that the audit report provided by the CA is valid. (I'll most
> likely just contact KPMG directly and verify this, unless KPMG wants to put a
> copy of the report on their own site.) In the meantime I'm opening up a period
> of public discussion of this request in the mozilla.dev.tech.crypto newsgroup
> [1].
> 
> [1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable
> newsreaders at:
> 
>   news://news.mozilla.org/mozilla.dev.tech.crypto
> 
> via email by subscribing to the associated mailing list:
> 
>   https://lists.mozilla.org/listinfo/dev-tech-crypto
> 
> and via the web at:
> 
>   http://groups.google.com/group/mozilla.dev.tech.crypto/topics
> 

Hi Frank,

Yes WebTrust did not have the EV section of their website enabled so we were told to post the EV seal/report details directly on our website. I believe it is the same for all other CAs as well. I can provide the direct contact information to our auditor at KPMG if needed (off-line). Otherwise I have notified our auditor at KPMG via email that you will be contacting them to very our EV report/seal.

Let me know if I can provide further assistance.

Thanks, Ken
(Assignee)

Comment 6

12 years ago
(In reply to comment #5)
> I can provide the direct contact
> information to our auditor at KPMG if needed (off-line).

Your WebTrust EV report has general contact information, and I have independently confirmed its accuracy. So I think I have everything I need to get in touch with them. However please feel free to send me additional contact information to my email address if you'd like; the only proviso is that I need a way to independently confirm it (e.g., through lookup in a well-known third-party business directory or other reputable source).
Note that the actual work to mark a cert as EV is done in PSM, not NSS.
The RFE would be filed against product "core", component "Security:PSM".
(Assignee)

Comment 8

12 years ago
Thanks for the info, Nelson. I'm guessing that means that if we approve a new root cert and want to mark it as EV, I should file two separate bugs, one against NSS for the addition of the root itself, and one against PSM for marking it as EV, with the former blocking the latter. Does this sound right?
In answer to comment 8:  
Yes, in that case, filing two bugs is probably best.  But Kai will likely be
the assignee for both of them, so he may be OK with just one bug.  

Kai, what do you think is best?  One bug or two?
(Assignee)

Comment 10

12 years ago
(In reply to comment #3)
> Based on the above information, I propose to approve the enabling of the
> existing DigiCert High Assurance EV Root CA root for EV use in NSS and thence
> in Firefox and other Mozilla-based products, contingent only upon verification
> by the auditor that the audit report provided by the CA is valid. (I'll most
> likely just contact KPMG directly and verify this, unless KPMG wants to put a
> copy of the report on their own site.)

I did in fact contact KPMG by telephone (using a third-party directory to obtain the number, which turned out to be the same number on the report itself) and spoke with the KPMG person named on the report. So this last remaining contingency is now removed.
(In reply to comment #9)
> Kai, what do you think is best?  One bug or two?

I was scratching my head, trying to come up with an idea to simplify the process and to avoid bug inflation.

However, I think all such reduction of number of bugs has the risk for confusion.

I think it's best to go with two separate bugs for each new inclusion request and each request to enable for EV, because it involves patches to two different products, each with their own release schedule.
(Assignee)

Updated

11 years ago
Depends on: 416827
(Assignee)

Comment 12

11 years ago
Since bug 416827 (the PSM code change for EV enabling) was resolved FIXED, marking this bug as resolved FIXED as well.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

2 years ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.