Closed Bug 407163 Opened 17 years ago Closed 16 years ago

Add thawte EV CA Root certificate to root store

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jschiavo, Assigned: hecker)

References

Details

(Whiteboard: EV - information confirmed complete)

Attachments

(4 files, 1 obsolete file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Build Identifier:
Please accept this thawte EV root certificate for inclusion in Firefox:
-----BEGIN CERTIFICATE-----
MIIFCjCCA/KgAwIBAgIQexFV63iakIW1jJL/Qrf+VjANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMTYx
MTE2MjM1OTU5WjCBizELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjE5MDcGA1UECxMwVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3LnRoYXd0ZS5j
b20vY3BzIChjKTA2MSowKAYDVQQDEyF0aGF3dGUgRXh0ZW5kZWQgVmFsaWRhdGlv
biBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1jUf3sEh2
m737qcu/BDGiPZp+MCnTKLj+aM7P6TBqU5UOUGWAJsmYv/IU/wZ8anvcUAfimPrf
zzBdyqi5ipstLX5Zixr3s8nDaYAPiRkId7JSVa14g51ruYfkUyQ3LPwZDot5FE2+
gJ60m3N0MfI47IqvKjaOZM4xJhQDVFOO+4QIwX5HMj1x4Lq6jIJYlk1oQ1Ya80Za
MpmVsGBv6UGKSMwWDURosYrd3Rc9pJt4fy4pBvDc1dITP8A2Bf3HtbmAG4pGdC/x
q3mel274pRNa8/y118iWGTfuBrzGJxSBBRQzOBafS+IP2zi78wHvNS7er/Hkb2/3
lgBWXo9glB0vAgMBAAGjggFIMIIBRDA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUH
MAGGH2h0dHA6Ly9FVlNlY3VyZS1vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgw
BgEB/wIBADA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggrBgEFBQcCARYaaHR0cHM6
Ly93d3cudGhhd3RlLmNvbS9jcHMwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2Ny
bC50aGF3dGUuY29tL1RoYXd0ZVBDQS5jcmwwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud
EQQnMCWkIzAhMR8wHQYDVQQDExZQcml2YXRlTGFiZWwzLTIwNDgtMjM0MB0GA1Ud
DgQWBBTNMuLyXSVHAqqPeUsy7gOZ/TBJ0TAfBgNVHSMEGDAWgBR7W0XPr87Lev0x
khpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAC7SWzgMM0Z2vy+M5Vg3GIqDJ
cX3qZZUx8dy2HvKNMV1hs1SEE8wrPwJcxx8VAYKQHjElBuMyDIfww76axABB9saR
5Ww+kl2j5D0fMi0xHlDBAiG0I+MHdZpSRVH60x39AW9gbSXZv0Oxp0NsrYy7vPeZ
QevWlc8gXH5vxCraS00bW8KfsJTUv0eX/Z1JeWCOrpYZobDr6N9CxyJ0YQwlo3+P
RdJ+50puHU9Iu8LaGn5KWYH6HOP7FHNBA6F3+psG/HwzvUY9DAYXhXsqe+M26IPf
+qrLMgx5qoZ0bERU9tgHns2Y9CMFCS+iU7XbCoHMXyPLeRHFEVuFaycBifMOuw==
-----END CERTIFICATE-----
This CA is currently used to sign certificates for SSL-enabled servers, and may in the future be used to sign certificates for digitally-signed executable code objects.
The CPS is at http://www.thawte.com/cps/index.html
Attestation of our conformance to the stated verification requirements can be found here: http://www.thawte.com/repository/index.html (Click on the "AICPA/CICA WebTrust for Certification Authorities Audit Report" link)
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Adding document that contains EV OIDs for thawte, Verisign and GeoTrust as well as a link to download all the root certs.
thawte EV OID: 2.16.840.1.113733.1.7.48.1 Link to download EV roots for all Verisign brands: http://www.verisign.com/support/roots.html
Mozilla root CA inclusion policy requires requests be made by the organization running the CA itself. err, Wikipedia and the corporate site (https://www.thawte.com/corporate/) both say thawte was acquired by verisign. UNCO -> NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Whiteboard: EV
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
An example of an EV cert signed under this root can be found at https://www.thawte.com
What is the desired "nickname" for this cert? And if I may ask, by what "friendly name" (if any) is this cert known in Windows?
The subject name for the certificate in this bug (line wrapped here) is: CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division,O="thawte,Inc.",C=US
(In reply to comment #6) > What is the desired "nickname" for this cert? > And if I may ask, by what "friendly name" (if any) is this cert known in > Windows? The Friendly name for this cert is 'thawte' - that is the friendly name we use in windows.
In NSS, each unique subject name must have a unique Nickname. One cannot have a number of different certs, all with somewhat different subject names, all using the same Nickname in NSS. For this reason, the existing Thawte certs in NSS use these nicknames:
Thawte Personal Basic CA
Thawte Personal Freemail CA
Thawte Personal Premium CA
Thawte Premium Server CA
Thawte Server CA
Thawte Time Stamping CA
Some other Thawte certs commonly have these Nicknames:
Thawte Universal CA Root
Thawte Personal Freemail Issuing CA - Thawte Consulting
Having written that, do you still want this new cert to have a nickname that is simply "thawte" ?
The new Webtrust report containing EV is now online at https://cert.webtrust.org/ViewSeal?id=527.
(In reply to comment #9)
> In NSS, each unique subject name must have a unique Nickname.
> One cannot have a number of different certs, all with somewhat different
> subject names, all using the same Nickname in NSS.
> For this reason, the existing Thawte certs in NSS use these nicknames:
> Thawte Personal Basic CA
> Thawte Personal Freemail CA
> Thawte Personal Premium CA
> Thawte Premium Server CA
> Thawte Server CA
> Thawte Time Stamping CA
> Some other Thawte certs commonly have these Nicknames:
> Thawte Universal CA Root
> Thawte Personal Freemail Issuing CA - Thawte Consulting
> Having written that, do you still want this new cert to have a nickname
> that is simply "thawte" ?
Let's use thawte Primary Root CA as the nickname.
Attached file thawte Primary Root CA certificate (obsolete) —
Added the certificate requested for inclusion as an attachment.
I'm confused. The cert I added as an attachment (per comment #12) is not the thawte Primary Root CA cert, it's a cert for the thawte Extended Validation SSL CA, which is a subordinate CA under the thawte Primary Root CA. Looking at the cert chains for https://www.thawte.com/ it looks like the intended setup for thawte is very similar to that for the new VeriSign Class 3 Public Primary - G5 root: There's a new EV root (thawte Primary Root CA) that has a subordinate CA (thawte Extended Validation SSL CA) that actually issues the end entity EV certs. There's also a cross-signing scheme for compatibility, so that older browsers will see the thawte Primary Root CA cert as a subordinate to the Thawte Premium Server CA, which is already preloaded in Firefox et.al. In other words, the scheme is supposed to look as follows:
Thawte Premium Server CA
    |
thawte Primary Root CA ---------- cross-signing cert
    |
thawte Extended Validation SSL CA
    |
end entity EV certs (e.g., for www.thawte.com)
Do I have this right? If so, I presume that the thawte Primary Root CA cert is the one that we want to add and mark with the EV OID, correct? If so then I think I have the wrong cert attached to this bug.
(In reply to comment #10) > The new Webtrust report containing EV is now online at > https://cert.webtrust.org/ViewSeal?id=527. Excellent. This is exactly what we need in terms of the audit-related requirements. Now if we can just straighten out exactly which cert is to be included... :-)
I've added a new entry for thawte to the pending list; it should show up on www.mozilla.org in an hour or so: http://www.mozilla.org/projects/security/certs/pending/#thawte Please double-check the information in the entry. Note that I'm waiting on resolution of the correct cert to be included. I'd also like info on the URLs for the CRL and OCSP responder. (These are for information only, we just like to keep track of these.)
Attached file thawte Primary Root CA
Here is the correct thawte EV root
(In reply to comment #13)
> I'm confused. The cert I added as an attachment (per comment #12) is not the
> thawte Primary Root CA cert, it's a cert for the thawte Extended Validation SSL
> CA, which is a subordinate CA under the thawte Primary Root CA.
> Looking at the cert chains for https://www.thawte.com/ it looks like the
> intended setup for thawte is very similar to that for the new VeriSign Class 3
> Public Primary - G5 root: There's a new EV root (thawte Primary Root CA) that
> has a subordinate CA (thawte Extended Validation SSL CA) that actually issues
> the end entity EV certs. There's also a cross-signing scheme for compatibility,
> so that older browsers will see the thawte Primary Root CA cert as a
> subordinate to the Thawte Premium Server CA, which is already preloaded in
> Firefox et.al.
> In other words, the scheme is supposed to look as follows:
> Thawte Premium Server CA
>     |
> thawte Primary Root CA ---------- cross-signing cert
>     |
> thawte Extended Validation SSL CA
>     |
> end entity EV certs (e.g., for www.thawte.com)
> Do I have this right? If so, I presume that the thawte Primary Root CA cert is
> the one that we want to add and mark with the EV OID, correct? If so then I
> think I have the wrong cert attached to this bug.
Sorry Frank. Here is the correct EV cert for the thawte Primary CA:
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----
This is the correct file.
Adding the correct cert to replace the one I previously attached.
Attachment #306720 - Attachment is obsolete: true
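The mix-up in comments 13 and 17 comes down to which of the two PEM blocks posted in this bug is the self-signed root and which is the subordinate issuing CA. The following Python is an added example, not code from this bug, from thawte or from NSS: it embeds inline copies of both posted certificates, walks their DER with a minimal TLV reader, extracts the issuer and subject Names, and checks that the first attachment is issued by the corrected root while the corrected root is self-issued (issuer Name identical to subject Name). The helper names (`tlvs`, `issuer_and_subject`, `classify`, `issued_by`) are this example's own.

```python
import base64

# Inline copies (constructed for this example) of the two PEM blocks posted in
# this bug: the first attachment (comment 12) and the corrected root (comment 17).
PEM_FIRST_ATTACHMENT = """-----BEGIN CERTIFICATE-----
MIIFCjCCA/KgAwIBAgIQexFV63iakIW1jJL/Qrf+VjANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMTYx
MTE2MjM1OTU5WjCBizELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjE5MDcGA1UECxMwVGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3LnRoYXd0ZS5j
b20vY3BzIChjKTA2MSowKAYDVQQDEyF0aGF3dGUgRXh0ZW5kZWQgVmFsaWRhdGlv
biBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1jUf3sEh2
m737qcu/BDGiPZp+MCnTKLj+aM7P6TBqU5UOUGWAJsmYv/IU/wZ8anvcUAfimPrf
zzBdyqi5ipstLX5Zixr3s8nDaYAPiRkId7JSVa14g51ruYfkUyQ3LPwZDot5FE2+
gJ60m3N0MfI47IqvKjaOZM4xJhQDVFOO+4QIwX5HMj1x4Lq6jIJYlk1oQ1Ya80Za
MpmVsGBv6UGKSMwWDURosYrd3Rc9pJt4fy4pBvDc1dITP8A2Bf3HtbmAG4pGdC/x
q3mel274pRNa8/y118iWGTfuBrzGJxSBBRQzOBafS+IP2zi78wHvNS7er/Hkb2/3
lgBWXo9glB0vAgMBAAGjggFIMIIBRDA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUH
MAGGH2h0dHA6Ly9FVlNlY3VyZS1vY3NwLnRoYXd0ZS5jb20wEgYDVR0TAQH/BAgw
BgEB/wIBADA7BgNVHSAENDAyMDAGBFUdIAAwKDAmBggrBgEFBQcCARYaaHR0cHM6
Ly93d3cudGhhd3RlLmNvbS9jcHMwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2Ny
bC50aGF3dGUuY29tL1RoYXd0ZVBDQS5jcmwwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud
EQQnMCWkIzAhMR8wHQYDVQQDExZQcml2YXRlTGFiZWwzLTIwNDgtMjM0MB0GA1Ud
DgQWBBTNMuLyXSVHAqqPeUsy7gOZ/TBJ0TAfBgNVHSMEGDAWgBR7W0XPr87Lev0x
khpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAC7SWzgMM0Z2vy+M5Vg3GIqDJ
cX3qZZUx8dy2HvKNMV1hs1SEE8wrPwJcxx8VAYKQHjElBuMyDIfww76axABB9saR
5Ww+kl2j5D0fMi0xHlDBAiG0I+MHdZpSRVH60x39AW9gbSXZv0Oxp0NsrYy7vPeZ
QevWlc8gXH5vxCraS00bW8KfsJTUv0eX/Z1JeWCOrpYZobDr6N9CxyJ0YQwlo3+P
RdJ+50puHU9Iu8LaGn5KWYH6HOP7FHNBA6F3+psG/HwzvUY9DAYXhXsqe+M26IPf
+qrLMgx5qoZ0bERU9tgHns2Y9CMFCS+iU7XbCoHMXyPLeRHFEVuFaycBifMOuw==
-----END CERTIFICATE-----"""
PEM_CORRECTED_ROOT = """-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----"""

def pem_to_der(pem):
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))

def tlvs(buf, start, end):
    # Yield (tag, value_start, value_end) for each DER TLV inside buf[start:end].
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def issuer_and_subject(der):
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    # serialNumber, signature, issuer, validity, subject, ... }, ... }
    _, cert_s, cert_e = next(tlvs(der, 0, len(der)))
    _, tbs_s, tbs_e = next(tlvs(der, cert_s, cert_e))
    fields = [f for f in tlvs(der, tbs_s, tbs_e) if f[0] != 0xA0]   # drop [0] version
    (_, a, b), (_, c, d) = fields[2], fields[4]
    return der[a:b], der[c:d]

def common_name(name):
    # Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value }); CN is OID 2.5.4.3.
    for _, rdn_s, rdn_e in tlvs(name, 0, len(name)):
        for _, atv_s, atv_e in tlvs(name, rdn_s, rdn_e):
            (tag, o_s, o_e), (_, v_s, v_e) = list(tlvs(name, atv_s, atv_e))[:2]
            if tag == 0x06 and name[o_s:o_e] == b"\x55\x04\x03":
                return name[v_s:v_e].decode("utf-8")
    return None

def classify(pem):
    # Subject/issuer CNs plus whether the two Name fields are byte-identical (self-issued).
    issuer, subject = issuer_and_subject(pem_to_der(pem))
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "self_issued": issuer == subject}

def issued_by(child_pem, parent_pem):
    # True when the child's issuer Name equals the parent's subject Name byte for byte.
    return (issuer_and_subject(pem_to_der(child_pem))[0]
            == issuer_and_subject(pem_to_der(parent_pem))[1])
```

`classify(PEM_FIRST_ATTACHMENT)` reports subject CN "thawte Extended Validation SSL CA" with issuer CN "thawte Primary Root CA" and `self_issued` false, while `classify(PEM_CORRECTED_ROOT)` reports both CNs as "thawte Primary Root CA" with `self_issued` true, and `issued_by(PEM_FIRST_ATTACHMENT, PEM_CORRECTED_ROOT)` is true. A byte-identical issuer/subject pair is the cheap first test for a root candidate; a full check would also verify the self-signature and the basicConstraints CA flag, which this reader deliberately leaves out.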
I updated the thawte entry in the pending list to reflect the corrected cert; the correction should show up in an hour or so: http://www.mozilla.org/projects/security/certs/pending/#thawte I think the only other information to make the entry complete is the URLs for the CRL and OCSP responder. For the CRLs, since there are multiple CAs involved (i.e., thawte Primary Root CA and the subordinate issuing CAs), it would probably be most useful to have a general URL pointing to info on how to get the CRLs. I found https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=S:SO7413&actp=search&searchid=1204385623315 but this apparently links to a Windows-only executable file. Is there a better URL to get thawte CRL-related info?
shortening summary
Summary: Add thawte EV CA Root certificate to be included in the default certificate root store → Add thawte EV CA Root certificate to root store
Frank, the link you found, to https://www.thawte.com/cgi/lifecycle/roots.exe doesn't download an executable. It just sends your browser an ordinary html page with links to thawte's CRLs. I gather that the .exe is actually a cgi script that runs on the server, producing as output the html page that you see.
(In reply to comment #22) > Frank, the link you found, to https://www.thawte.com/cgi/lifecycle/roots.exe > doesn't download an executable. It just sends your browser an ordinary html > page with links to thawte's CRLs. I gather that the .exe is actually a cgi > script that runs on the server, producing as output the html page that you > see. Weird; why isn't it just a .asp or .cgi page then? (I didn't test this myself as I have an aversion to downloading things that look like executables, even though my old Powerbook can't actually execute Intel code :-) Having now actually looked at the page in question, I see that it apparently doesn't have CRLs for the thawte Primary Root CA or the thawte Extended Validation SSL CA. So my question about CRLs is still unanswered.
Thanks, I should have checked inside the certs. I've updated the thawte entry in the pending list and marked it as complete. It should show up on the www.mozilla.org web site in an hour or so.
According to http://www.mozilla.org/projects/security/certs/pending/ as of this date, the information in this request is incomplete. The request is waiting for more information from the applicant.
Whiteboard: EV → EV - information incomplete
According to http://www.mozilla.org/projects/security/certs/pending/ the status of this request has changed to "information confirmed complete"
Whiteboard: EV - information incomplete → EV - information confirmed complete
I have now completed my review of thawte's application for adding the thawte Primary Root CA root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at: http://www.mozilla.org/projects/security/certs/policy/
I apologize for any delays on my part in doing the review. Here follows my assessment. If anyone sees any factual errors, please point them out.
Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by thawte, or of instances where thawte has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.
Section 6 [Relevancy and Policy]. thawte appears to provide a service relevant to Mozilla users; it is a commercial CA serving customers worldwide, and operates various thawte-branded CAs. Its policies are documented in its CPS: http://www.thawte.com/guides/pdf/Thawte_CPS_3_5.pdf
* Email: thawte has not requested that the email trust bit be turned on for the thawte Primary Root CA.
* SSL: Only EV SSL certificates are issued under the hierarchy rooted at the thawte Primary Root CA, with verification procedures per the EV guidelines. (See Appendix A1 of the CPS.)
* Code: thawte has not requested that the code signing trust bit be turned on for the thawte Primary Root CA.
Section 8-10 [Audit]. thawte has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by KPMG. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at https://cert.webtrust.org/SealFile?seal=527&file=pdf Note that the WebTrust EV audit was done against the final 1.0 version of the EV guidelines. Audits are done annually (section 2.7 of the CPS).
Section 13 [Certificate Hierarchy]. The thawte Primary Root CA has two subordinate CAs, the thawte Extended Validation SSL CA and thawte Extended Validation SSL SGC CA, which issue the end entity EV certificates.
Other: thawte issues CRLs for EV certificates at least every week, and within 24 hours in the event of a certificate revocation. (See section 26 of the CPS.) thawte also has an OCSP responder.
Based on the above information, I am minded to approve the inclusion of the thawte Primary Root CA root in NSS (and thence in Firefox and other Mozilla-based products), with the trust bit for SSL set, and the root's enabling for EV with policy OID 2.16.840.1.113733.1.7.48.1. Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].
[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at: news://news.mozilla.org/mozilla.dev.tech.crypto via email by subscribing to the associated mailing list: https://lists.mozilla.org/listinfo/dev-tech-crypto and via the web at: http://groups.google.com/group/mozilla.dev.tech.crypto/topics
The comment period has ended, and there are no outstanding issues and questions, so I'm formally approving the thawte request to add the thawte Primary Root CA root to NSS and to mark it as suitable for EV use. I've filed bug 424152 against NSS and bug 424154 against PSM to make the actual code changes required.
Can you please file another bug against NSS (and assign it to me) once the additional trust flags are approved? Thanks.
Since the associated NSS and PSM actions are completed, I'm resolving this bug as FIXED. If thawte wants the trust bit for object signing enabled, that can be submitted as a new request.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program