Closed
Bug 403665
Opened 17 years ago
Closed 17 years ago
Request for QuoVadis Root CA2 to be enabled for EV SSL (Extended Validation)
Categories: CA Program :: CA Certificate Root Program, task
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: sdavidson, Assigned: hecker)
Whiteboard: EV
Attachments (1 file): 43.21 KB, application/pdf
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9
QuoVadis is a commercial certificate authority with three roots currently distributed in NSS.
We request that the "QuoVadis Root CA2" be enabled for Extended Validation (EV) SSL. This root was originally approved for distribution under Bug 365281.
QuoVadis Root CA2
Description: This root is used for SSL/device certificates, including
standard “organisation validated” certificates as well as EV certificates.
Download: http://www.quovadis.bm/public/qvrca2.crt
Thumbprint: ca 3a fb cf 12 40 36 4b 44 b2 16 20 88 80 48 39 19 93 7c f7
Purposes/Usage: ALL
CRL: http://crl.quovadisglobal.com/qvrca2.crl
OCSP: Active
The EV OID associated with Root CA2 is: 1.3.6.1.4.1.8024.0.2.100.1.2
The CP/CPS for QuoVadis Root CA2 may be found at https://www.quovadis.bm/policies/QV_RCA2_CPCPS_v1.8.pdf
Among its audits and accreditations, QuoVadis holds a valid WebTrust for Certification Authorities seal. See https://cert.webtrust.org/ViewSeal?id=612
QuoVadis has completed the WebTrust for Extended Validation Certificates readiness review. See attached. The WebTrust EV procedures will be integrated into our recurring WebTrust audit.
Comment 1•17 years ago (Reporter)
Comment 2•17 years ago (Assignee)
I updated the pending list to include an entry for this QuoVadis EV application:
http://www.mozilla.org/projects/security/certs/pending/#QuoVadis
I used the previous QuoVadis entry from the "included" list as a base and then added the information from this bug. Please double-check to make sure all the info is correct.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 3•17 years ago (Reporter)
Hello Frank - I confirm that the "pending" details are correct.
Regards, Stephen Davidson, QuoVadis
Updated•17 years ago
Whiteboard: EV
Comment 4•17 years ago
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
Comment 5•17 years ago (Reporter)
Hello Kai:
Here is a live customer site: https://www.boxoffice.bm/SignIn.asp?
Note that the EV root (known as RCA 2) is relatively new - and is cross certified with our more established RCA root.
As with (all?) the other EV CAs, we are using a beacon (in this case buried in the site seal) to force a connection without the cross-cert and trigger the auto-install of RCA2 in IE7.
Best, Stephen Davidson, QuoVadis
Comment 6•17 years ago (Assignee)
I have evaluated this request, as per the Mozilla CA policy:
http://www.mozilla.org/projects/security/certs/policy/
I apologize for my delays in processing the request.
This root CA cert is already included in Mozilla; for details on the original application see bug 365281. As far as I can tell nothing substantive has changed since the original approval, so I won't repeat all the material Gerv posted in that bug. This bug is simply to upgrade the root CA cert for EV use, based on successful completion of a WebTrust EV audit by Ernst & Young; the other cert-related data, including the trust bits, are not changing. For full details of the process by which QuoVadis validates the identity of applicants for EV certs, see section 3.2 and Appendix B of the QuoVadis Root CA2 CP/CPS:
https://www.quovadis.bm/policies/QV_RCA2_CPCPS_v1.8.pdf
The WebTrust EV audit document appears to be in order; the document was provided by the CA, not by the auditors, so we'll need independent confirmation that it is genuine. Note that the audit was completed prior to adoption of the final 1.0 version of the EV guidelines; per revision 1.2 of the Mozilla CA certificate policy, this is not an issue.
Based on the above information, I propose to approve the enabling of the existing QuoVadis Root CA2 root for EV use in NSS and thence in Firefox and other Mozilla-based products, contingent only upon verification by the auditor that the audit report provided by the CA is valid. (I'll most likely just contact Ernst & Young directly and verify this, unless E&Y wants to put a copy of the report on its own site.) In the meantime I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].
[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:
news://news.mozilla.org/mozilla.dev.tech.crypto
via email by subscribing to the associated mailing list:
https://lists.mozilla.org/listinfo/dev-tech-crypto
and via the web at:
http://groups.google.com/group/mozilla.dev.tech.crypto/topics
Comment 7•17 years ago (Assignee)
(In reply to comment #6)
> Based on the above information, I propose to approve the enabling of the
> existing QuoVadis Root CA2 root for EV use in NSS...
s/NSS/PSM/ (per Nelson Bolyard's comments in bug 403644)
Comment 8•17 years ago (Assignee)
(In reply to comment #6)
> Based on the above information, I propose to approve the enabling of the
> existing QuoVadis Root CA2 root for EV use in NSS and thence in Firefox and
> other Mozilla-based products, contingent only upon verification by the auditor
> that the audit report provided by the CA is valid. (I'll most likely just
> contact Ernst & Young directly and verify this, unless E&Y wants to put a copy
> of the report on its own site.)
I did indeed contact the Bermuda office of Ernst & Young by phone, and verified that E&Y did issue the report in question. I'm therefore removing this contingency.
Comment 9•17 years ago (Assignee)
The comment period has ended, and there are no outstanding issues and questions, so I'm formally approving the QuoVadis request to EV-enable its existing root. I've filed bug 418701 to make the actual code changes required.
Depends on: 418701
Comment 10•17 years ago
(In reply to comment #5)
> Here is a live customer site: https://www.boxoffice.bm/SignIn.asp?
> Note that the EV root (known as RCA 2) is relatively new - and is cross
> certified with our more established RCA root.
> As with (all?) the other EV CAs, we are using a beacon (in this case buried in
> the site seal) to force a connection without the cross-cert and trigger the
> auto-install of RCA2 in IE7.
Is the server at www.boxoffice.bm configured incorrectly?
When I connect with the latest Firefox beta, I get an "invalid cert"; we don't find any issuer.
Should that server deliver both the server cert and the intermediate?
I saw the cert lists an intermediate in one of its extensions:
http://trust.quovadisglobal.com/qvsslica.crt
Please note that Firefox does NOT automatically download data from that extension.
You should change the server configuration to deliver the required intermediates.
Comment 11•17 years ago (Reporter)
Apologies, it appears that server has been reconfigured, incorrectly. We've informed them.
Here's another example closer to home: https://www.securecentre.com/secure/ Thank you!
Comment 12•17 years ago
FIXED now, since bug 418701 has landed?
Comment 13•17 years ago (Assignee)
(In reply to comment #12)
> FIXED now, since bug 418701 has landed?
Yes, resolving as FIXED.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 14•17 years ago (Reporter)
Hello: QuoVadis EV certs were showing the correct EV indicators properly in the nightlies until the past few days when uniformly they started acting like plain SSL again. Is this known/expected?
Best, Stephen
Comment 15•17 years ago
(In reply to comment #14)
> Hello: QuoVadis EV certs were showing the correct EV indicators properly in
> the nightlies until the past few days when uniformly they started acting like
> plain SSL again. Is this known/expected?
> Best, Stephen
The root certificate that has been approved for EV is:
CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
SHA1=CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7
However, using the latest Firefox to connect to the test site from comment 11, NSS returns the following topmost root:
CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
SHA1: DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9
This root has not been approved for EV.
Comment 16•17 years ago (Reporter)
Our EV root (RCA2) is cross certified to a legacy root (RCA) so all our EV certs have that chain.
Jonathan and I discussed a few months ago the extensive use of cross-certification by CAs for their new EV roots. Some of these roots cannot be tagged as EV in Microsoft because they contain OIDs other than the CAs' EV OID. It was confirmed then (and later in practice) that this would not be a problem.
Indeed, our EV certs all displayed as EV in the latest Firefox as recently as last week with that chain. Firefox showed the entire chain to RCA, but gave the EV indicator from RCA2.
Please let me know if you require any additional information.
Best, Stephen
Comment 17•17 years ago
In my understanding, both chains are equally valid, and NSS may pick a random chain.
We plan to implement a fix in PSM that will pass the EV approved roots into NSS, so NSS would prefer the approved chain.
I want to get this done within the next few days.
This should fix it.
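The chain-building behaviour discussed in comments 10 and 15 to 17, as an added example that is not part of this bug and not NSS or PSM code: a toy chain builder over constructed certificates (plain dicts) that shows why a server omitting its intermediate yields no chain when the client does not fetch the AIA URL, and why a cross-certified EV root can end up under the legacy RCA unless the approved EV roots are preferred. The only real values are the two root fingerprints and the EV policy OID quoted in the bug; the leaf name www.example.bm, the intermediate name and the other fingerprints are assumptions.

```python
# Added example, not code from the bug, NSS or PSM: a toy chain builder over
# constructed certificates (dicts) reproducing two situations from this bug:
# a missing intermediate (comment 10) and a cross-certified EV root (15-17).
EV_OID = "1.3.6.1.4.1.8024.0.2.100.1.2"  # QuoVadis EV policy OID (from the bug)
RCA2_FP = "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7"
RCA_FP = "DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9"
EV_APPROVED_ROOTS = {RCA2_FP}  # what PSM passes to NSS after the comment 17 fix

def cert(subject, issuer, fp, policies=()):
    return {"subject": subject, "issuer": issuer, "fp": fp, "policies": set(policies)}

# Constructed certificates; only the two root fingerprints above are real.
RCA = "QuoVadis Root Certification Authority"
RCA2 = "QuoVadis Root CA 2"
ICA = "QuoVadis Global SSL ICA"  # assumed intermediate name
LEAF = cert("www.example.bm", ICA, "fp-leaf", [EV_OID])
ICA_CERT = cert(ICA, RCA2, "fp-ica")
RCA2_SELF = cert(RCA2, RCA2, RCA2_FP)  # the EV-approved root
RCA2_CROSS = cert(RCA2, RCA, "fp-rca2-cross")  # RCA2 cross-signed by legacy RCA
RCA_SELF = cert(RCA, RCA, RCA_FP)  # legacy root, not approved for EV
TRUST_STORE = [RCA2_SELF, RCA_SELF]

def build_chains(leaf, server_certs, trust_store=TRUST_STORE):
    """Every chain from leaf to a self-signed trust anchor.  As comment 10
    notes, nothing is fetched from the AIA caIssuers URL: a missing
    intermediate can only come from the server or the trust store."""
    chains = []
    def walk(path):
        top = path[-1]
        if top in trust_store and top["subject"] == top["issuer"]:
            chains.append(path)
            return
        for c in server_certs + trust_store:  # server-sent certs are tried first
            if c["subject"] == top["issuer"] and c not in path:
                walk(path + [c])
    walk([leaf])
    return chains

def pick_chain(chains, preferred_roots=()):
    """Without a preference the first chain found wins (the behaviour seen in
    comment 15); with one, a chain ending at an EV-approved root is chosen."""
    for ch in chains:
        if ch[-1]["fp"] in preferred_roots:
            return ch
    return chains[0] if chains else None

def is_ev(chain):
    """The EV indicator needs the EV policy OID in the leaf and an approved root."""
    return chain is not None and EV_OID in chain[0]["policies"] and chain[-1]["fp"] in EV_APPROVED_ROOTS
```

With the cross-certificate in the server's bundle, `pick_chain(chains)` ends at the legacy RCA and `is_ev` is false; passing `EV_APPROVED_ROOTS` as the preference selects the chain ending at RCA2, which is the effect the PSM change in comment 17 describes.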
Comment 18•17 years ago
(In reply to comment #17)
> We plan to implement a fix in PSM that will pass the EV approved roots into
> NSS, so NSS would prefer the approved chain.
>
> I want to get this done within the next few days.
According to my tests, this issue is fixed with the patch in bug 406755.
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program