Add thawte EV CA Root certificate to root store

RESOLVED FIXED

Status

--
enhancement
RESOLVED FIXED
11 years ago
2 years ago

People

(Reporter: jschiavo, Assigned: hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: EV - information confirmed complete)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Build Identifier: 

Please accept this thawte EV root certificate for inclusion in Firefox:

-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----

This CA is currently used to sign certificates for SSL-enabled servers, and may
in the future be used to sign certificates for digitally-signed executable code
objects.

The CPS is at http://www.thawte.com/cps/index.html

Attestation of our conformance to the stated verification requirements can be
found here: http://www.thawte.com/repository/index.html (Click on the
"AICPA/CICA WebTrust for Certification Authorities Audit Report" link)



(Reporter)

Comment 1

11 years ago
Created attachment 292805 [details]
Document contains thawte EV OID and link to download EV root

Adding document that contains EV OIDs for thawte, Verisign and GeoTrust as well as a link to download all the root certs.
(Reporter)

Comment 2

11 years ago
thawte EV OID: 2.16.840.1.113733.1.7.48.1

Link to download EV roots for all Verisign brands:

http://www.verisign.com/support/roots.html

Comment 3

11 years ago
Mozilla root CA inclusion policy requires requests be made by the organization running the CA itself.
err, Wikipedia and the corporate site (https://www.thawte.com/corporate/) both say thawte was acquired by VeriSign.

UNCO -> NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Updated

11 years ago
Status: NEW → ASSIGNED
Whiteboard: EV

Comment 4

11 years ago
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.

Comment 5

11 years ago
An example of an EV cert signed under this root can be found at https://www.thawte.com

Comment 6

11 years ago
What is the desired "nickname" for this cert?
And if I may ask, by what "friendly name" (if any) is this cert known in Windows?

Comment 7

11 years ago
The subject name for the certificate in this bug (line wrapped here) is:

CN=thawte Primary Root CA,
OU="(c) 2006 thawte, Inc. - For authorized use only",
OU=Certification Services Division,O="thawte,Inc.",C=US
(Reporter)

Comment 8

11 years ago
(In reply to comment #6)
> What is the desired "nickname" for this cert?
> And if I may ask, by what "friendly name" (if any) is this cert known in 
> Windows?

The Friendly name for this cert is 'thawte' - that is the friendly name we use in Windows.

Comment 9

11 years ago
In NSS, each unique subject name must have a unique Nickname. One cannot have a number of different certs, all with somewhat different subject names, all using the same Nickname in NSS. For this reason, the existing Thawte certs in NSS use these nicknames:

Thawte Personal Basic CA
Thawte Personal Freemail CA
Thawte Personal Premium CA
Thawte Premium Server CA
Thawte Server CA
Thawte Time Stamping CA

Some other Thawte certs commonly have these Nicknames:

Thawte Universal CA Root
Thawte Personal Freemail Issuing CA - Thawte Consulting

Having written that, do you still want this new cert to have a nickname
that is simply "thawte" ?
(Reporter)

Comment 10

11 years ago
The new Webtrust report containing EV is now online at https://cert.webtrust.org/ViewSeal?id=527. 
(Reporter)

Comment 11

11 years ago
(In reply to comment #9)
> In NSS, each unique subject name must have a unique Nickname.  
> One cannot have a number of different certs, all with somewhat different 
> subject names, all using the same Nickname in NSS.  
> For this reason, the existing Thawte certs in NSS use these nicknames:
> Thawte Personal Basic CA
> Thawte Personal Freemail CA
> Thawte Personal Premium CA
> Thawte Premium Server CA
> Thawte Server CA
> Thawte Time Stamping CA
> Some other Thawte certs commonly have these Nicknames:
> Thawte Universal CA Root
> Thawte Personal Freemail Issuing CA - Thawte Consulting
> Having written that, do you still want this new cert to have a nickname
> that is simply "thawte" ?

Let's use thawte Primary Root CA as the nickname.
(Assignee)

Comment 12

11 years ago
Created attachment 306720 [details]
thawte Primary Root CA certificate

Added the certificate requested for inclusion as an attachment.
(Assignee)

Comment 13

11 years ago
I'm confused. The cert I added as an attachment (per comment #12) is not the thawte Primary Root CA cert, it's a cert for the thawte Extended Validation SSL CA, which is a subordinate CA under the thawte Primary Root CA.

Looking at the cert chains for https://www.thawte.com/ it looks like the intended setup for thawte is very similar to that for the new VeriSign Class 3 Public Primary - G5 root: There's a new EV root (thawte Primary Root CA) that has a subordinate CA (thawte Extended Validation SSL CA) that actually issues the end entity EV certs. There's also a cross-signing scheme for compatibility, so that older browsers will see the thawte Primary Root CA cert as a subordinate to the Thawte Premium Server CA, which is already preloaded in Firefox et al.

In other words, the scheme is supposed to look as follows:

                                    Thawte Premium Server CA
                                               |
      thawte Primary Root CA ---------- cross-signing cert
                 |
   thawte Extended Validation SSL CA
                 |
  end entity EV certs (e.g., for www.thawte.com)

Do I have this right? If so, I presume that the thawte Primary Root CA cert is the one that we want to add and mark with the EV OID, correct? If so then I think I have the wrong cert attached to this bug.
(Assignee)

Comment 14

11 years ago
(In reply to comment #10)
> The new Webtrust report containing EV is now online at
> https://cert.webtrust.org/ViewSeal?id=527. 

Excellent. This is exactly what we need in terms of the audit-related requirements. Now if we can just straighten out exactly which cert is to be included... :-)

(Assignee)

Comment 15

11 years ago
I've added a new entry for thawte to the pending list; it should show up on www.mozilla.org in an hour or so:

http://www.mozilla.org/projects/security/certs/pending/#thawte

Please double-check the information in the entry. Note that I'm waiting on resolution of the correct cert to be included. I'd also like info on the URLs for the CRL and OCSP responder. (These are for information only, we just like to keep track of these.)
(Reporter)

Comment 16

11 years ago
Created attachment 306733 [details]
thawte Primary Root CA

Here is the correct thawte EV root
(Reporter)

Comment 17

11 years ago
(In reply to comment #13)
> I'm confused. The cert I added as an attachment (per comment #12) is not the
> thawte Primary Root CA cert, it's a cert for the thawte Extended Validation SSL
> CA, which is a subordinate CA under the thawte Primary Root CA.
> Looking at the cert chains for https://www.thawte.com/ it looks like the
> intended setup for thawte is very similar to that for the new VeriSign Class 3
> Public Primary - G5 root: There's a new EV root (thawte Primary Root CA) that
> has a subordinate CA (thawte Extended Validation SSL CA) that actually issues
> the end entity EV certs. There's also a cross-signing scheme for compatibility,
> so that older browsers will see the thawte Primary Root CA cert as a
> subordinate to the Thawte Premium Server CA, which is already preloaded in
> Firefox et.al.
> In other words, the scheme is supposed to look as follows:
>                                     Thawte Premium Server CA
>                                                |
>       thawte Primary Root CA ---------- cross-signing cert
>                  |
>    thawte Extended Validation SSL CA
>                  |
>   end entity EV certs (e.g., for www.thawte.com)
> Do I have this right? If so, I presume that the thawte Primary Root CA cert is
> the one that we want to add and mark with the EV OID, correct? If so then I
> think I have the wrong cert attached to this bug.

Sorry Frank. Here is the correct EV cert for the thawte Primary CA:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
(Reporter)

Comment 18

11 years ago
Created attachment 306735 [details]
Here is the thawte Primary CA as an attachment

This is the correct file.
(Assignee)

Comment 19

11 years ago
Created attachment 306736 [details]
thawte Primary Root CA certificate

Adding the correct cert to replace the one I previously attached.
Attachment #306720 - Attachment is obsolete: true
(Assignee)

Comment 20

11 years ago
I updated the thawte entry in the pending list to reflect the corrected cert; the correction should show up in an hour or so:

http://www.mozilla.org/projects/security/certs/pending/#thawte

I think the only other information to make the entry complete is the URLs for the CRL and OCSP responder. For the CRLs, since there are multiple CAs involved (i.e., thawte Primary Root CA and the subordinate issuing CAs), it would probably be most useful to have a general URL pointing to info on how to get the CRLs. I found

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO7413&actp=search&searchid=1204385623315

but this apparently links to a Windows-only executable file. Is there a better URL to get thawte CRL-related info?

Comment 21

11 years ago
shortening summary
Summary: Add thawte EV CA Root certificate to be included in the default certifricate root store → Add thawte EV CA Root certificate to root store

Comment 22

11 years ago
Frank, the link you found, to https://www.thawte.com/cgi/lifecycle/roots.exe doesn't download an executable. It just sends your browser an ordinary html page with links to thawte's CRLs. I gather that the .exe is actually a cgi script that runs on the server, producing as output the html page that you see.
(Assignee)

Comment 23

11 years ago
(In reply to comment #22)
> Frank, the link you found, to https://www.thawte.com/cgi/lifecycle/roots.exe
> doesn't download an executable.  It just sends your browser an ordinary html 
> page with links to thawte's CRLs.  I gather that the .exe is actually a cgi
> script that runs on the server, producing as output the html page that you 
> see.  

Weird; why isn't it just a .asp or .cgi page then? (I didn't test this myself as I have an aversion to downloading things that look like executables, even though my old Powerbook can't actually execute Intel code :-)

Having now actually looked at the page in question, I see that it apparently doesn't have CRLs for the thawte Primary Root CA or the thawte Extended Validation SSL CA. So my question about CRLs is still unanswered.
(Reporter)

Comment 24

11 years ago
The CRL/OCSP URL is http://crl.thawte.com/ThawteEVCA2006.crl
(Assignee)

Comment 25

11 years ago
Thanks, I should have checked inside the certs. I've updated the thawte entry in the pending list and marked it as complete. It should show up on the www.mozilla.org web site in an hour or so.
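The cross-signed hierarchy sketched in comment 13, and the point made in comment 25 that the CRL and policy information is carried inside the certificates themselves, can both be exercised with a throw-away hierarchy. The script below is an added example; it is not part of this bug and not thawte's or Mozilla's code. It generates constructed EC keys and certificates (names such as "New EV Root Toy" are placeholders standing in for the CAs named in comment 13), marks the leaf with the thawte EV policy OID quoted in comment 2, uses a constructed placeholder CRL URL (http://crl.example.test/ev.crl, not thawte's real CRL), and then shows that the same leaf verifies against the legacy root only when the cross-signing certificate is supplied, and against the new root directly. It assumes OpenSSL 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the bug: a toy cross-signed hierarchy in the shape
# described in comment 13, built with OpenSSL (1.1.1 or later) in a temp dir.
set -eu

WORK=$(mktemp -d)
EV_OID="2.16.840.1.113733.1.7.48.1"        # thawte EV policy OID quoted in comment 2
CRL_URL="http://crl.example.test/ev.crl"   # constructed placeholder, not thawte's CRL

# Sign a CSR with the given CA cert/key, applying the extensions in <extfile>.
sign() { # sign <csr> <ca-cert> <ca-key> <extfile> <out-cert>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -extfile "$4" -out "$5" >/dev/null 2>&1
}

build_hierarchy() (
  cd "$WORK"
  # Minimal req config; self-signed roots take their CA extensions from [v3_ca].
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Extension profile for CA certs issued by another CA (cross cert, subordinate CA).
  cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Extension profile for the EV leaf: policy OID and CRL pointer live here.
  cat > ee.ext <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
certificatePolicies = $EV_OID
crlDistributionPoints = URI:$CRL_URL
EOF
  for n in legacy new sub ee; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key" 2>/dev/null
  done
  # Legacy root (stands in for the already-preloaded Thawte Premium Server CA).
  openssl req -x509 -config ca.cnf -key legacy.key -days 30 \
    -subj "/CN=Legacy Root Toy" -out legacy.crt 2>/dev/null
  # New EV root, self-signed (stands in for thawte Primary Root CA).
  openssl req -x509 -config ca.cnf -key new.key -days 30 \
    -subj "/CN=New EV Root Toy" -out new.crt 2>/dev/null
  # Cross-signing cert: same subject and key as new.crt, but issued by the legacy root.
  openssl req -new -config ca.cnf -key new.key -subj "/CN=New EV Root Toy" -out new.csr 2>/dev/null
  sign new.csr legacy.crt legacy.key ca.ext cross.crt
  # Subordinate issuing CA under the new root (stands in for thawte Extended Validation SSL CA).
  openssl req -new -config ca.cnf -key sub.key -subj "/CN=EV Issuing CA Toy" -out sub.csr 2>/dev/null
  sign sub.csr new.crt new.key ca.ext sub.crt
  # End entity EV cert issued by the subordinate CA.
  openssl req -new -config ca.cnf -key ee.key -subj "/CN=www.example.test" -out ee.csr 2>/dev/null
  sign ee.csr sub.crt sub.key ee.ext ee.crt
  # What a server sends so that older clients can build a path: issuer plus cross cert.
  cat sub.crt cross.crt > chain.pem
)

# Exit 0 iff ee.crt chains to <trusted-root> using only <untrusted-pem> as
# intermediates; the system trust store is deliberately excluded.
verify_with() { # verify_with <trusted-root> <untrusted-pem>
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1" \
    -untrusted "$WORK/$2" "$WORK/ee.crt" >/dev/null 2>&1
}

# Read the policy OID and CRL URL from inside the leaf (the point of comment 25).
ee_policy_oid() {
  openssl x509 -in "$WORK/ee.crt" -noout -ext certificatePolicies | sed -n 's/^ *Policy: *//p'
}
ee_crl_url() {
  openssl x509 -in "$WORK/ee.crt" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'
}

build_hierarchy
verify_with new.crt sub.crt      && echo "trust new root,    send sub:         OK"
verify_with legacy.crt chain.pem && echo "trust legacy root, send sub + cross: OK"
verify_with legacy.crt sub.crt   || echo "trust legacy root, send sub only:   rejected (no path without the cross cert)"
echo "EV policy OID in leaf: $(ee_policy_oid)"
echo "CRL URL in leaf:       $(ee_crl_url)"
```

The same `openssl x509 -noout -ext certificatePolicies,crlDistributionPoints` inspection applied to the attached thawte Primary Root CA certificate and to the chain served by https://www.thawte.com is how the CRL location asked about in comment 20 can be read off without guessing at web pages; on the Mozilla side the corresponding nickname and trust-bit bookkeeping is done in NSS, which this example does not touch.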
Comment 26

11 years ago
According to http://www.mozilla.org/projects/security/certs/pending/ as of this date, the information in this request is incomplete. The request is waiting for more information from the applicant.
Whiteboard: EV → EV - information incomplete

Comment 27

11 years ago
According to http://www.mozilla.org/projects/security/certs/pending/ the status of this request has changed to "information confirmed complete"
Whiteboard: EV - information incomplete → EV - information confirmed complete
(Assignee)

Comment 28

11 years ago
I have now completed my review of thawte's application for adding the thawte Primary Root CA root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for any delays on my part in doing the review.

Here follows my assessment. If anyone sees any factual errors, please point them out.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by thawte, or of instances where thawte has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. thawte appears to provide a service relevant to Mozilla users; it is a commercial CA serving customers worldwide, and operates various thawte-branded CAs. Its policies are documented in its CPS:

  http://www.thawte.com/guides/pdf/Thawte_CPS_3_5.pdf

* Email: thawte has not requested that the email trust bit be turned on for the thawte Primary Root CA.

* SSL: Only EV SSL certificates are issued under the hierarchy rooted at the thawte Primary Root CA, with verification procedures per the EV guidelines. (See Appendix A1 of the CPS.)

* Code: thawte has not requested that the code signing trust bit be turned on for the thawte Primary Root CA.

Section 8-10 [Audit]. thawte has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by KPMG. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at

https://cert.webtrust.org/SealFile?seal=527&file=pdf

Note that the WebTrust EV audit was done against the final 1.0 version of the EV guidelines. Audits are done annually (section 2.7 of the CPS).

Section 13 [Certificate Hierarchy]. The thawte Primary Root CA has two subordinate CAs, the thawte Extended Validation SSL CA and thawte Extended Validation SSL SGC CA, which issue the end entity EV certificates.

Other: thawte issues CRLs for EV certificates at least every week, and within 24 hours in the event of a certificate revocation. (See section 26 of the CPS.) thawte also has an OCSP responder.

Based on the above information, I am minded to approve the inclusion of the thawte Primary Root CA root in NSS (and thence in Firefox and other Mozilla-based products), with the trust bit for SSL set, and the root's enabling for EV with policy OID 2.16.840.1.113733.1.7.48.1. Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics
(Assignee)

Comment 29

11 years ago
The comment period has ended, and there are no outstanding issues and questions, so I'm formally approving the thawte request to add the thawte Primary Root CA root to NSS and to mark it as suitable for EV use. I've filed bug 424152 against NSS and bug 424154 against PSM to make the actual code changes required.

Comment 30

11 years ago
Can you please file another bug against NSS (and assign it to me) once the additional trust flags are approved? Thanks.
(Assignee)

Comment 31

10 years ago
Since the associated NSS and PSM actions are completed, I'm resolving this bug as FIXED. If thawte wants the trust bit for object signing enabled, that can be submitted as a new request.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Updated

2 years ago
Product: mozilla.org → NSS