Closed Bug 407168 Opened 17 years ago Closed 16 years ago

Add GeoTrust EV Root CA to Root Store

Product/Component: CA Program :: CA Certificate Root Program
Type: task
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: jschiavo
Assignee: hecker
Whiteboard: EV - information confirmed complete
Attachments: 4 files


Please accept this GeoTrust EV root certificate for inclusion in Firefox:


This CA is currently used to sign certificates for SSL-enabled servers, and may
in the future be used to sign certificates for digitally-signed executable code
objects.

The CPS is at http://www.geotrust.com/resources/repository/legal.aspdf

Attestation of our conformance to the stated verification requirements can be
found here: https://cert.webtrust.org/ViewSeal?id=650

GeoTrust EV OID: 1.3.6.1.4.1.14370.1.6

Link to download EV roots for all Verisign brands:

http://www.verisign.com/support/roots.html
Adding document that contains EV OIDs for all three Verisign brands (VRSN, GeoTrust and thawte) as well as a link to download all our root CAs.
GeoTrust WebTrust audit in 2007 by KPMG which includes GeoTrust's True BusinessID with EV is published at: https://cert.webtrust.org/SealFile?seal=650&file=pdf 
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
An example of an EV cert signed under this root can be found at
https://www.geotrust.com
Here is some additional documentation on the GT WebTrust audit including EV.
The subject name in this certificate is:
CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US

What "nickname" is requested for this certificate?
By what "friendly name" (if any) is this cert known in Windows?
The nickname requested for this certificate is 'GeoTrust' - which is the friendly name in Windows.
The existing GeoTrust certs in NSS have these nicknames:

GeoTrust Global CA
GeoTrust Global CA 2
GeoTrust Universal CA
GeoTrust Universal CA 2
(In reply to comment #10)
> The existing GeoTrust certs in NSS have these nicknames:
> GeoTrust Global CA
> GeoTrust Global CA 2
> GeoTrust Universal CA
> GeoTrust Universal CA 2

Nelson, what is the nickname used for? Looks like you typically take the CN for the cert. Is that how you came up with the nicknames for the above?
(In reply to comment #7)
> Created an attachment (id=304135) [details]
> WebTrust Audit and EV Audit documentation
> Here is some additional documentation on the GT WebTrust audit including EV.

The final WebTrust report for GT is online at https://cert.webtrust.org/ViewSeal?id=650. 
(In reply to comment #10)
> The existing GeoTrust certs in NSS have these nicknames:
> GeoTrust Global CA
> GeoTrust Global CA 2
> GeoTrust Universal CA
> GeoTrust Universal CA 2

We should be consistent and use GeoTrust Primary Certificate Authority as the nickname.
Adding the cert from above as an attachment.
I've added an entry for GeoTrust to the pending list; it should show up on the public www.mozilla.org site in an hour or so:

http://www.mozilla.org/projects/security/certs/pending/#GeoTrust

Please double-check the info and provide corrections as necessary. Note that I'd like URLs for the CRL and/or OCSP; these are informational only but we like to keep track of them. (We don't do a good job of making it clear which CRL we track, especially in the case of multi-level CA hierarchies; in this case I think the most relevant CRL would be that used for revocation of end entity EV certs, presumably the one associated with the GeoTrust Extended Validation SSL CA.)

Also note that I've listed the CA nickname as "GeoTrust Primary Certification Authority" (*not* "GeoTrust Primary *Certificate* Authority", as requested in comment #13) to match the name in the cert itself.
shortening summary
Summary: Add GeoTrust EV Root CA to FireFox Default Certificate Root Store → Add GeoTrust EV Root CA to Root Store
The GeoTrust EV OCSP server is listed in the AIA extension.  The URL for our CRL/OCSP is URL=http://EVSSL-crl.geotrust.com/crls/gtextvalca.crl. 
All of the GeoTrust CAs/Roots have had CDPs inside of the certificate.
Thanks, I should have checked inside the certs. I've updated the GeoTrust entry in the pending list and marked it as complete. It should show up on the www.mozilla.org web site in an hour or so.
According to http://www.mozilla.org/projects/security/certs/pending/ 
as of this date, the information in this request is incomplete. 
The request is waiting for more information from the applicant.
Whiteboard: EV → EV - information incomplete
According to http://www.mozilla.org/projects/security/certs/pending/ 
the status of this request has changed to "information confirmed complete".
Whiteboard: EV - information incomplete → EV - information confirmed complete
I have now completed my review of GeoTrust's application for adding the GeoTrust Primary Certification Authority root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for any delays on my part in doing the review.

Here follows my final assessment. If anyone sees any factual errors, please point them out.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by GeoTrust, or of instances where GeoTrust has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. GeoTrust appears to provide a service
relevant to Mozilla users; it is a commercial CA operating in the United States and serving customers worldwide, and operates various GeoTrust-branded CAs. Its policies are documented in its CPS:

  http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.pdf

* Email: GeoTrust has not requested that the email trust bit be turned on for the GeoTrust Primary Certification Authority.

* SSL: Only EV SSL certificates are issued under the hierarchy rooted at the GeoTrust Primary Certification Authority, with verification procedures per the EV guidelines. (See Appendix A1 of the CPS.)

* Code: GeoTrust has not requested that the code signing trust bit be turned on for the GeoTrust Primary Certification Authority.

Section 8-10 [Audit]. GeoTrust has successfully completed an independent
audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The
audit was done by KPMG. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at

https://cert.webtrust.org/SealFile?seal=650&file=pdf

Note that the WebTrust EV audit was done against the final 1.0 version of the
EV guidelines. Audits are done annually (section 8.1 of the CPS).

Section 13 [Certificate Hierarchy]. The GeoTrust Primary Certification Authority has one subordinate CA, the GeoTrust Extended Validation SSL CA, which issues the end entity EV certificates.

Other: GeoTrust issues CRLs at least every week, and within 24 hours in the event of a certificate revocation. (See section 4.9.7 of the CPS.) GeoTrust also has an OCSP responder.

Based on the above information, I am minded to approve the inclusion of the
GeoTrust Primary Certification Authority root in NSS (and thence in Firefox and other Mozilla-based products), with the trust bit for SSL set, and the root's
enabling for EV with policy OID 1.3.6.1.4.1.14370.1.6. Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics
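Added illustration, not code from this bug or from Mozilla's NSS/PSM: the EV policy OID named above is what a browser looks for in the certificatePolicies extension of a certificate that chains to the EV-enabled root. This stdlib-only Python encodes that OID in DER, decodes it back, and searches a certificatePolicies extension (constructed here, not taken from a real certificate) for it.

```python
EV_OID = "1.3.6.1.4.1.14370.1.6"  # GeoTrust EV policy OID quoted in this bug

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: tag 0x06; first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear ends a subidentifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_sequence(*children):
    """Wrap DER elements in a SEQUENCE (short-form length; content < 128 bytes)."""
    content = b"".join(children)
    return bytes([0x30, len(content)]) + content

def iter_tlv(data):
    """Yield (tag, content) for consecutive short-form DER elements."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def policy_oids(ext):
    """certificatePolicies: SEQUENCE OF PolicyInformation, OID first in each."""
    _, outer = next(iter_tlv(ext))
    return [decode_oid(next(iter_tlv(info))[1])
            for tag, info in iter_tlv(outer) if tag == 0x30]

def has_ev_policy(ext, ev_oid=EV_OID):
    return ev_oid in policy_oids(ext)

# Constructed sample extension: the GeoTrust EV OID plus anyPolicy (2.5.29.32.0).
SAMPLE_EXT = der_sequence(der_sequence(encode_oid(EV_OID)),
                          der_sequence(encode_oid("2.5.29.32.0")))
```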
An issue arising from the public comment on this request: There's been a concern expressed that the published GeoTrust EV CPS (version 1.0, effective date January 31, 2008) is dated after the period of the WebTrust EV audit itself (July 31 through November 30, 2007). Can you clarify what changes, if any, were made to the GeoTrust EV CPS after the audit period?
(In reply to comment #23)
> An issue arising from the public comment on this request: There's been a
> concern expressed that the published GeoTrust EV CPS (version 1.0, effective
> date January 31, 2008) is dated after the period of the WebTrust EV audit
> itself (July 31 through November 30, 2007). Can you clarify what changes, if
> any, were made to the GeoTrust EV CPS after the audit period?

We did consolidate all our CPSs into one document. However, the EV sections included in the CPS were copied over from the True BusinessID with EV CPS. There were no changes to the EV procedures in the new document from what was previously published.

Additionally, please note: the latest WebTrust audit does refer to the version 1.0, January 2008 CPS: https://cert.webtrust.org/SealFile?seal=650&file=pdf so this should not be an issue.

Also, you can compare Appendix A, which is the EV section, in the older CPS (http://www.geotrust.com/resources/cps/pdfs/true_businessid_CPS_v2.7.pdf) to the one in the new CPS (http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.pdf).
(In reply to comment #24)
> We did consolidate all our CPSs into one document. However, The EV sections
> included in the CPS were copied over from the True business ID with EV CPS.
> There were no changes to the EV procedures in the new document from what was
> previously published. 

That indeed appears to be the case based on my inspection. Appendix A1 in the 2.7 CPS of July 1, 2007, appears to be identical to Appendix A1 in the new 1.0 consolidated CPS of January 31, 2008.

> Addiitonally, Please Note: the latest WebTrust audit does refer to the version
> 1.0, January 2008 CPS: https://cert.webtrust.org/SealFile?seal=650&file=pdf so
> this should not be an issue.

Actually, it was the reference to the new 1.0 CPS of January 2008 in the latest WebTrust audit report that prompted the issue in the first place, since that CPS didn't exist during the audit period of July-November 2007.

My interpretation is as follows: The old 2.7 CPS of July 2007 was the relevant CPS for the purposes of the EV audit itself (i.e., the audit period of July-November 2007). The new consolidated 1.0 CPS was listed in the audit report because it existed as of the date that the audit report was issued (January 31, 2008) and was thus included among the documents by which GeoTrust disclosed its practices, even though the consolidated 1.0 CPS didn't actually exist as an official document during the actual July-November 2007 period of the audit.

Is my interpretation correct?
Here is an update from our practices team - this CPS was approved during the audit period. KPMG was aware that we were working on a new CPS during our audit and they required a final copy of the approved CPS on or before 11/30/2007, which we provided. The CPS was published shortly thereafter on 12/3/2007. The reason for the 1/31/2008 effective date in the document is due to contractual obligations to notify some customers before publishing a CPS.
Thanks for the additional information. This resolves the issue as far as I'm concerned.
The comment period has ended. There was one significant issue raised with this application, regarding the actual CPSs in effect at the time of the WebTrust EV audit. This issue was resolved to my satisfaction; see my previous messages in the relevant thread in m.d.t.crypto and comment #27 in this bug.

I'm therefore formally approving the GeoTrust request to add the GeoTrust Primary Certification Authority root to NSS and to mark it as suitable for EV use. I've filed bug 424169 against NSS and bug 424171 against PSM to make the actual code changes required.
Can you please file another bug against NSS (and assign it to me) once the additional trust flags are approved? Thanks.
Since the associated NSS and PSM actions are completed, I'm resolving this bug as FIXED. If GeoTrust wants the trust bit for object signing enabled, that can be submitted as a new request.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program