Request for QuoVadis Root CA2 to be enabled for EV SSL (Extended Validation)

RESOLVED FIXED

Status

task
RESOLVED FIXED
12 years ago
2 years ago

People

(Reporter: sdavidson, Assigned: hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: EV, URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

QuoVadis is a commercial certificate authority with three roots currently distributed in NSS.

We request that the "QuoVadis Root CA2" be enabled for Extended Validation (EV) SSL.  This root was originally approved for distribution under Bug 365281.

QuoVadis Root CA2
Description:  This root is used for SSL/device certificates, including
standard “organisation validated” certificates as well as EV certificates.  
Download:  http://www.quovadis.bm/public/qvrca2.crt 
Thumbprint:  ca 3a fb cf 12 40 36 4b 44 b2 16 20 88 80 48 39 19 93 7c f7
Purposes/Usage: ALL
CRL:  http://crl.quovadisglobal.com/qvrca2.crl
OCSP:  Active
The EV OID associated with Root CA2 is:  1.3.6.1.4.1.8024.0.2.100.1.2

The CP/CPS for QuoVadis Root CA2 may be found at https://www.quovadis.bm/policies/QV_RCA2_CPCPS_v1.8.pdf

Among its audits and accreditations, QuoVadis holds a valid WebTrust for Certification Authorities seal.  See https://cert.webtrust.org/ViewSeal?id=612

QuoVadis has completed the WebTrust for Extended Validation Certificates readiness review.  See attached.  The WebTrust EV procedures will be integrated into our recurring WebTrust audit.




Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Reporter)

Comment 1

12 years ago
(Assignee)

Comment 2

12 years ago
I updated the pending list to include an entry for this QuoVadis EV application:

  http://www.mozilla.org/projects/security/certs/pending/#QuoVadis

I used the previous QuoVadis entry from the "included" list as a based and then added the information from this bug. Please double-check to make sure all the info is correct. 
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Reporter)

Comment 3

12 years ago
Hello Frank - I confirm that the "pending" details are correct.
Regards, Stephen Davidson, QuoVadis
Whiteboard: EV
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
(Reporter)

Comment 5

11 years ago
Hello Kai:
Here is a live customer site:  https://www.boxoffice.bm/SignIn.asp? 
Note that the EV root (known as RCA 2) is relatively new - and is cross certified with our more established RCA root.  
As with (all?) the other EV CAs, we are using a beacon (in this case buried in the site seal) to force a connection without the cross-cert and trigger the auto-install of RCA2 in IE7.
Best, Stephen Davidson, QuoVadis
(Assignee)

Comment 6

11 years ago
I have evaluated this request, as per the Mozilla CA policy:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for my delays in processing the request.

This root CA cert is already included in Mozilla; for details on the original application see bug 365281. As far as I can tell nothing substantive has changed since the original approval, so I won't repeat all the material Gerv posted in that bug. This bug is simply to upgrade the root CA cert for EV use, based on successful completion of a WebTrust EV audit by Ernst & Young; the other cert-related data, including the trust bits, are not changing. For full details of the process by which QuoVadis validates the identity of applicants for EV certs, see section 3.2 and Appendix B of the QuoVadis Root CA2 CP/CPS:

https://www.quovadis.bm/policies/QV_RCA2_CPCPS_v1.8.pdf

The WebTrust EV audit document appears to be in order; the document was provided by the CA, not by the auditors, so we'll need independent confirmation that it is genuine. Note that the audit was completed prior to adoption of the final 1.0 version of the EV guidelines; per revision 1.2 of the Mozilla CA certificate policy, this is not an issue.

Based on the above information, I propose to approve the enabling of the
existing QuoVadis Root CA2 root for EV use in NSS and thence in Firefox and other Mozilla-based products, contingent only upon verification by the auditor that the audit report provided by the CA is valid. (I'll most likely just contact Ernst & Young directly and verify this, unless E&Y wants to put a copy of the report on its own site.) In the meantime I'm opening up a period
of public discussion of this request in the mozilla.dev.tech.crypto newsgroup
[1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable
newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics
(Assignee)

Comment 7

11 years ago
(In reply to comment #6)
> Based on the above information, I propose to approve the enabling of the
> existing QuoVadis Root CA2 root for EV use in NSS...

s/NSS/PSM/ (per Nelson Bolyard's comments in bug 403644)

(Assignee)

Comment 8

11 years ago
(In reply to comment #6)
> Based on the above information, I propose to approve the enabling of the
> existing QuoVadis Root CA2 root for EV use in NSS and thence in Firefox and
> other Mozilla-based products, contingent only upon verification by the auditor
> that the audit report provided by the CA is valid. (I'll most likely just
> contact Ernst & Young directly and verify this, unless E&Y wants to put a copy
> of the report on its own site.)

I did indeed contact the Bermuda office of Ernst & Young by phone, and verified that E&Y did issue the report in question. I'm therefore removing this contingency.

(Assignee)

Comment 9

11 years ago
The comment period has ended, and there are no outstanding issues and questions, so I'm formally approving the Quo Vadis request to EV-enable its existing root. I've filed bug 418701 to make the actual code changes required.
Depends on: 418701
(In reply to comment #5)
> Here is a live customer site:  https://www.boxoffice.bm/SignIn.asp? 
> Note that the EV root (known as RCA 2) is relatively new - and is cross
> certified with our more established RCA root.  
> As with (all?) the other EV CAs, we are using a beacon (in this case buried in
> the site seal) to force a connection without the cross-cert and trigger the
> auto-install of RCA2 in IE7.

Is the server at www.boxoffice.bm configured incorrectly?
When I connect with latest firefox beta, I get an "invalid cert", we don't find any issuer.
Should that server deliver both the server cert and the intermediate?
I saw the cert lists a intermediate in one of its extensions:
  http://trust.quovadisglobal.com/qvsslica.crt

Please note that Firefox does NOT automatically download data from that extension.
You should change the server configuration to deliver the required intermediates.
(Reporter)

Comment 11

11 years ago
Apologies, it appears that server has been reconfigured, incorrectly.  We've informed them.  
Here's another example closer to home:  https://www.securecentre.com/secure/  Thank you!
FIXED now, since bug 418701 has landed?
(Assignee)

Comment 13

11 years ago
(In reply to comment #12)
> FIXED now, since bug 418701 has landed?

Yes, resolving as FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Reporter)

Comment 14

11 years ago
Hello:  QuoVadis EV certs were showing the correct EV indicators properly in the nightlies until the past few days when uniformly they started acting like plain SSL again.  Is this known/expected?
Best, Stephen
(In reply to comment #14)
> Hello:  QuoVadis EV certs were showing the correct EV indicators properly in
> the nightlies until the past few days when uniformly they started acting like
> plain SSL again.  Is this known/expected?
> Best, Stephen

The root certificate that has been approved for EV is:
  CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
  SHA1=CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7

However, using the latest Firefox to connect to the test site from comment 11, NSS returns the following topmost root:
  CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
  SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9

This root has not been approved for EV.
(Reporter)

Comment 16

11 years ago
Our EV root (RCA2) is cross certified to a legacy root (RCA) so all our EV certs have that chain.

Jonathan and I discussed a few months ago the extensive use of cross-certification by CAs for their new EV roots.  Some of these roots cannot be tagged as EV in Microsoft because they contain OIDs other than the CAs' EV OID.  It was confirmed then (and later in practice) that this would not be a problem.

Indeed, our EV certs all displayed as EV in the latest Firefox as recently as last week with that chain.  Firefox showed the entire chain to RCA, but gave the EV indicator from RCA2.

Please let me know if you require any additional information.  
Best, Stephen
In my understanding, both chains are equally valid, and NSS may pick a random chain.

We plan to implement a fix in PSM that will pass the EV approved roots into NSS, so NSS would prefer the approved chain.

I want to get this done within the next few days.
This should fix it.
(In reply to comment #17)
> We plan to implement a fix in PSM that will pass the EV approved roots into
> NSS, so NSS would prefer the approved chain.
> 
> I want to get this done within the next few days.

According to my tests, this issue is fixed with the patch in bug 406755.

Updated

2 years ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.