Last Comment Bug 408008 - Add FNMT Root CA cert for SSL (Spain)
: Add FNMT Root CA cert for SSL (Spain)
Status: RESOLVED DUPLICATE of bug 435736
:
Product: mozilla.org
Classification: Other
Component: CA Certificates (show other bugs)
: other
: All All
-- enhancement (vote)
: ---
Assigned To: Frank Hecker
:
:
Mentors:
https://www.nic.es/
Depends on: 435736
Blocks:
  Show dependency treegraph
 
Reported: 2007-12-11 17:23 PST by Fernando García Gómez, stripTM
Modified: 2008-05-26 05:25 PDT (History)
13 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
cert details (46.50 KB, application/octet-stream)
2008-04-07 05:07 PDT, Pascal Chevrel:pascalc
no flags Details
Cert details in HTML format (5.85 KB, text/html)
2008-05-19 16:26 PDT, Nelson Bolyard (seldom reads bugmail)
no flags Details

Description User image Fernando García Gómez, stripTM 2007-12-11 17:23:57 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9b2pre) Gecko/2007121105 Minefield/3.0b2pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9b2pre) Gecko/2007121105 Minefield/3.0b2pre

In Spain, the official SSL Certificates certifying entity is FNMT (Fabrica nacional de moneda y timbre / Coin and Stamps National manufacture). But when trying to access a web page with a certificate issued by that entity, a warning is displayed by the web browser. This will be increased in Firefox 3 as instead of displaying a warning it will show a web page with the error but nothing of the web page is displayed.

I don't know whether the problem is that Mozilla does not recognize the FNMT as an SSL Certificates certifying entity or there is another problem. Anyway, no error is displayed with Internet Explorer, but surely this is not significant ;-)

Reproducible: Always

Steps to Reproduce:
1. Enter https://www.nic.es/
2. Show (Código de error: sec_error_untrusted_issuer)
Actual Results:  
https://www.nic.es/ dont show

Expected Results:  
Mozilla reconize the FNMT SSL Certificates
Comment 1 User image Nelson Bolyard (seldom reads bugmail) 2007-12-11 18:21:42 PST
IINM, Mozilla policy is to accept requests to include CA certs ONLY from 
representatives of the CA itself, and not from third parties (e.g. users).
Perhaps you can ask someone at that CA to apply for inclusion in Mozilla.
Comment 2 User image Gervase Markham [:gerv] 2007-12-12 03:32:25 PST
Nelson is correct. Resolving as INCOMPLETE. You may use this bug as evidence of our policy in your email to FNMT.

Gerv
Comment 3 User image Cristina 2008-02-26 01:44:55 PST
Hola.
Pertenezco a la CA FNMT. Estoy intentando realizar los pasos para poder incluir el certificado raíz de la FNMT en el almacén de autoridades de Firefox. ¿Qué debo hacer?
Gracias
Comment 4 User image Pascal Chevrel:pascalc 2008-02-26 03:28:21 PST
Reopening, Cristina is from FNMT and is asking what the steps are to include their certificate in Firefox.

(cristina, toda la comunicación en Bugzilla se hace en inglés)
Comment 5 User image Nelson Bolyard (seldom reads bugmail) 2008-03-06 02:11:21 PST
Christina,
I've written the first draft of a wiki page on  
"How to apply for root CA certificate inclusion in Mozilla products".  
I think it will help you advance your request to the next stage.
See it at http://wiki.mozilla.org/CA:Root_Certificate_Requests 
I invite your feedback by email.
Comment 6 User image Nelson Bolyard (seldom reads bugmail) 2008-03-06 02:17:07 PST
I must give credit to Gervase Markham for writing the original guide,
which I adapted into the wiki page.  Thanks, Gerv.
Comment 7 User image Jose Carlos Garcia Sogo 2008-04-04 04:54:11 PDT
Cristina, si necesitas ayuda para proporcionar la información necesaria para poder incluir el certificado, por favor, ponte en contacto conmigo e intentaré ayudarte. Esta mañana estaba usando Firefox 3 Beta 5 y me enconté con este problema. Yo tengo los conocimientos necessarios para resolverlo, pero la mayoría de la gente no, y el certificado de la FNMT CA es importante en España.


Cristina, if you need help with providing the needed info to get the certificate included, please, you can contact me and I will help you. I was just using Firefox 3 Beta 5 this morning and I just faced this problem. I am technically skilled to solve it, but a lot of people is not, and FNMT CA is important in Spain.
Comment 8 User image Pascal Chevrel:pascalc 2008-04-07 05:07:58 PDT
Created attachment 314067 [details]
cert details

Here are the certificate details sent to me by cristina
Comment 9 User image Rubén Martín [:Nukeador] 2008-05-13 16:12:25 PDT
Gervase, any news about this?

Most official sites in Spain use certificates from FNMT and would be a pity that users think that "that warning page" means they have to use IE to access to the site.
Comment 10 User image Gervase Markham [:gerv] 2008-05-14 00:50:28 PDT
Nukeador: Frank Hecker (the assignee of this bug) is currently running the root program. He's the man to speak to.

Gerv
Comment 11 User image Ramón García 2008-05-19 06:53:53 PDT
Hecker: What is the current status of this request?
Comment 12 User image Rubén Martín [:Nukeador] 2008-05-19 12:44:48 PDT
Frank this is a hight priority bug for all the Spanish users, I'm checking it and most of public services are using now these certificates.
Comment 13 User image Guillermo López :willyaranda (probably SLOW response) 2008-05-19 13:46:25 PDT
I vote for this bug.

A lot of official Spanish websites uses this CA, so I think that this CA must be supported in Firefox 3.
Comment 14 User image Jose Carlos Garcia Sogo 2008-05-19 14:17:41 PDT
You have to understand that FNMT is the issuer designed by Goverment as CA. Thought there are other recognised CAs, it is the main one, used in every official website. Also, to get the extent of this, every new National ID card (which is mandatory for every citizen) is an smartcard with a cert issued by FNMT CA, which can be legally used to digitally sign any document, and it, by Spanish Digital Signature Law, as to be recognized as such not only by Goverment, but by every citizen.
Please, it is an important certificate, that has to be included to promote Firefox use within Spanish users. Not having it will mean that a lot of official webpages 'won't work' with FF from users point of view. And they will use IE instead.

Thanks
Comment 15 User image Nelson Bolyard (seldom reads bugmail) 2008-05-19 16:26:06 PDT
Created attachment 321673 [details]
Cert details in HTML format

Jose, Guillermo, Ramon, and Nukeador,

This bug is the place where Mozilla and the representatives of FNMT should
communicate with each other, communicating the essential fact necessary for
Mozilla to make the technical evaluation of the CA's application.  

It is NOT the place for advocacy.  It's not the place for people to try to 
present persuasive and compelling arguments for acceptance of the applicant.
The places for such advocacy are the newsgroup 
news://news.mozilla.org:119/mozilla.dev.tech.crypto and the associated 
mailing list, dev-tech-crypto@lists.mozilla.org .
Note that the mailing list only accepts emails from list subscribers.  
Subscribe at https://lists.mozilla.org/listinfo/dev-tech-crypto
Comment 16 User image Rubén Martín [:Nukeador] 2008-05-20 00:27:56 PDT
To follow the discussion in the Usenet group via web:

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/da33d24030fe5e6f#
Comment 17 User image [:rickiees] Ricardo Palomares 2008-05-20 15:50:21 PDT
(In reply to comment #15)
> Created an attachment (id=321673) [details]
> Cert details in HTML format
> 
> Jose, Guillermo, Ramon, and Nukeador,
> 
> This bug is the place where Mozilla and the representatives of FNMT should
> communicate with each other, communicating the essential fact necessary for
> Mozilla to make the technical evaluation of the CA's application.


I fully agree with your remark about this place not being for advocacy (and therefore I'm sticking to BugZilla nettiquete).

However, looking at the comment history I'd say that Mozilla is the one with the ball in his court. I'm pretty sure these days are not boring for anyone at Mozilla Corp., esp. those directly involved in Firefox 3 release, :-) but it would be a pity to fail to resolve this bug just because FNMT representatives and Mozilla staff were waiting each other to take the next step.

So, just to clarify (and I'm not inquiring you, Nelson, as I think you're just trying to help to move forward this bug, and I thank you for that), is Mozilla staff waiting for FNMT people to do something else?

TIA
Comment 18 User image Rubén Martín [:Nukeador] 2008-05-26 03:15:42 PDT
Cristina has open a new bug (bug #435736) with all the information.

Please, close this bug.
Comment 19 User image Cristina 2008-05-26 03:41:41 PDT
I didn´t open this bug. I can´t close it.
Comment 20 User image Johnathan Nightingale [:johnath] 2008-05-26 05:25:48 PDT
Closing as a duplicate of bug 435736

*** This bug has been marked as a duplicate of bug 435736 ***

Note You need to log in before you can comment on or make changes to this bug.