Closed Bug 409838 Opened 17 years ago Closed 16 years ago

add Trustwave "Secure Global CA" EV root

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: agray, Assigned: hecker)

References

Details

(Whiteboard: EV - inclusion approved)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: 

Name of the CA certificate in question:

The Trustwave "Secure Global CA" root certificate is located here:
https://www.securetrust.com/legal/SGCA.txt

Published CP/CPS where we describe how we're operating in accordance with the EV guidelines:
http://www.securetrust.com/legal/issuer.html
includes:
  SecureTrust Extended Validation CPS
  Extended Validation SSL Relying Party Agreement
  Extended Validation Subscriber Agreement

CRL for Secure Global CA CRL: http://crl.securetrust.com/SGCA.crl

Published CPSs for other uses: https://www.securetrust.com/legal/

Current (issued November 2007) AICPA/CICA WebTrust for Certification Authorities Audit Report including EV audit can be found here:
https://cert.webtrust.org/ViewSeal?id=359

EV OID(s) for the CA certificate in question:
2.16.840.1.114404.1.1.2.4.1 (http://www.securetrust.com/legal/issuer.html)

This CA is currently/soon shall be used to issue certificates marked for:
1.3.6.1.5.5.7.3.1 - id_kp_serverAuth
1.3.6.1.5.5.7.3.2 - id_kp_clientAuth
1.3.6.1.5.5.7.3.3 - id_kp_codeSigning
1.3.6.1.5.5.7.3.4 - id_kp_emailProtection
1.3.6.1.5.5.7.3.8 - id_kp_timeStamping
1.3.6.1.5.5.7.3.9 - OCSPSigning

We currently issue SMIME, EV, and OV certificates off of this root. Based upon outcome of current cabforum activity, we may also issue code signing certificates off it as well.

SHA1 thumbprint: 3a 44 73 5a e5 81 90 1f 24 86 61 46 1e 3b 9c c4 5f f5 3a 1b

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=SecureTrust Corporation, CN=Secure Global CA
        Validity
            Not Before: Nov  7 19:42:28 2006 GMT
            Not After : Dec 31 19:52:06 2029 GMT
        Subject: C=US, O=SecureTrust Corporation, CN=Secure Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:af:35:2e:d8:ac:6c:55:69:06:71:e5:13:68:24:
                    b3:4f:d8:cc:21:47:f8:f1:60:38:89:89:03:e9:bd:
                    ea:5e:46:53:09:dc:5c:f5:5a:e8:f7:45:2a:02:eb:
                    31:61:d7:29:33:4c:ce:c7:7c:0a:37:7e:0f:ba:32:
                    98:e1:1d:97:af:8f:c7:dc:c9:38:96:f3:db:1a:fc:
                    51:ed:68:c6:d0:6e:a4:7c:24:d1:ae:42:c8:96:50:
                    63:2e:e0:fe:75:fe:98:a7:5f:49:2e:95:e3:39:33:
                    64:8e:1e:a4:5f:90:d2:67:3c:b2:d9:fe:41:b9:55:
                    a7:09:8e:72:05:1e:8b:dd:44:85:82:42:d0:49:c0:
                    1d:60:f0:d1:17:2c:95:eb:f6:a5:c1:92:a3:c5:c2:
                    a7:08:60:0d:60:04:10:96:79:9e:16:34:e6:a9:b6:
                    fa:25:45:39:c8:1e:65:f9:93:f5:aa:f1:52:dc:99:
                    98:3d:a5:86:1a:0c:35:33:fa:4b:a5:04:06:15:1c:
                    31:80:ef:aa:18:6b:c2:7b:d7:da:ce:f9:33:20:d5:
                    f5:bd:6a:33:2d:81:04:fb:b0:5c:d4:9c:a3:e2:5c:
                    1d:e3:a9:42:75:5e:7b:d4:77:ef:39:54:ba:c9:0a:
                    18:1b:12:99:49:2f:88:4b:fd:50:62:d1:73:e7:8f:
                    7a:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                ...C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                AF:44:04:C2:41:7E:48:83:DB:4E:39:02:EC:EC:84:7A:E6:CE:C9:A4
            X509v3 CRL Distribution Points: 
                URI:http://crl.securetrust.com/SGCA.crl
            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
        63:1a:08:40:7d:a4:5e:53:0d:77:d8:7a:ae:1f:0d:0b:51:16:
        03:ef:18:7c:c8:e3:af:6a:58:93:14:60:91:b2:84:dc:88:4e:
        be:39:8a:3a:f3:e6:82:89:5d:01:37:b3:ab:24:a4:15:0e:92:
        35:5a:4a:44:5e:4e:57:fa:75:ce:1f:48:ce:66:f4:3c:40:26:
        92:98:6c:1b:ee:24:46:0c:17:b3:52:a5:db:a5:91:91:cf:37:
        d3:6f:e7:27:08:3a:4e:19:1f:3a:a7:58:5c:17:cf:79:3f:8b:
        e4:a7:d3:26:23:9d:26:0f:58:69:fc:47:7e:b2:d0:8d:8b:93:
        bf:29:4f:43:69:74:76:67:4b:cf:07:8c:e6:02:f7:b5:e1:b4:
        43:b5:4b:2d:14:9f:f9:dc:26:0d:bf:a6:47:74:06:d8:88:d1:
        3a:29:30:84:ce:d2:39:80:62:1b:a8:c7:57:49:bc:6a:55:51:
        67:15:4a:be:35:07:e4:d5:75:98:37:79:30:14:db:29:9d:6c:
        c5:69:cc:47:55:a2:30:f7:cc:5c:7f:c2:c3:98:1c:6b:4e:16:
        80:eb:7a:78:65:45:a2:00:1a:af:0c:0d:55:64:34:48:b8:92:
        b9:f1:b4:50:29:f2:4f:23:1f:da:6c:ac:1f:44:e1:dd:23:78:
        51:5b:c7:16
-----BEGIN CERTIFICATE-----
MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx
MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg
Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ
iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa
/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ
jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI
HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7
sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w
gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG
AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L
URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO
H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm
I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY
iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc
f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW
-----END CERTIFICATE-----

Note information on the "historical dangling" OIDs above in the extensions - 1.3.6.1.4.1.311.21.1 & 1.3.6.1.4.1.311.20.2 - which currently are of no importance or relevance, to us, can be found here: http://support.microsoft.com/kb/287547. Also, these extensions are NOT CRITICAL.

Reproducible: Always
"XRamp Security Services, Inc.", successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave")
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Whiteboard: EV
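The thumbprint, CA flag and extension criticality quoted in the initial report are the things a reviewer checks offline before trusting a posted root. The script below is an added example, not part of this bug and not Trustwave's or Mozilla's tooling: it uses only the Python standard library, embeds the root PEM and SHA1 thumbprint exactly as posted in comment 0, and walks the DER with a minimal tag/length/value reader written for this example (it reaches the extension list of a v3 certificate and nothing more; it is not a general X.509 parser). A thumbprint mismatch means the PEM in hand is not the one the request describes; a non-critical extension is one a relying party may ignore, which is what the report asserts for the two Microsoft OIDs.

```python
import base64, hashlib, re

# Root certificate PEM exactly as posted in comment 0 of this bug.
ROOT_PEM = """-----BEGIN CERTIFICATE-----
MIIDvDCCAqSgAwIBAgIQB1YipOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBK
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24x
GTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcNMDYxMTA3MTk0MjI4WhcNMjkx
MjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3Qg
Q29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ
iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa
/FHtaMbQbqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJ
jnIFHovdRIWCQtBJwB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnI
HmX5k/Wq8VLcmZg9pYYaDDUz+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7
sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgbEplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0w
gZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmkMDQGA1UdHwQtMCsw
KaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3JsMBAGCSsG
AQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L
URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXO
H0jOZvQ8QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9Mm
I50mD1hp/Ed+stCNi5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbY
iNE6KTCEztI5gGIbqMdXSbxqVVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xc
f8LDmBxrThaA63p4ZUWiABqvDA1VZDRIuJK58bRQKfJPIx/abKwfROHdI3hRW8cW
-----END CERTIFICATE-----"""
# SHA1 thumbprint as stated in comment 0.
STATED_SHA1 = "3a 44 73 5a e5 81 90 1f 24 86 61 46 1e 3b 9c c4 5f f5 3a 1b"

def pem_to_der(pem):
    """Drop the armour lines and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))

def sha1_thumbprint(der):
    """SHA1 over the DER bytes, formatted like the thumbprint in the bug."""
    return " ".join(f"{b:02x}" for b in hashlib.sha1(der).digest())

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """All (tag, value) pairs inside a constructed value, in order."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation octets
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extensions(der):
    """(oid, critical, extnValue) for each entry of tbsCertificate.extensions."""
    _, cert, _ = read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)  # tbsCertificate
    result = []
    for tag, val in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)  # OID, optional BOOLEAN critical, OCTET STRING
            critical = len(parts) == 3 and parts[1][1] != b"\x00"
            result.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return result

def is_ca(exts):
    """cA flag of basicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }."""
    for oid, _, value in exts:
        if oid == "2.5.29.19":
            inner = children(children(value)[0][1])
            return bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return False

def check_root(pem=ROOT_PEM, stated=STATED_SHA1):
    """Reviewer checks on a posted root: thumbprint, CA flag, extension criticality."""
    der = pem_to_der(pem)
    exts = extensions(der)
    return {
        "thumbprint_matches": sha1_thumbprint(der) == stated,
        "is_ca": is_ca(exts),
        "critical": {oid: crit for oid, crit, _ in exts},
    }

if __name__ == "__main__":
    print(check_root())
```

Run as a script it prints the three results; `critical` maps every extension OID in the posted root to its critical flag, so the two `1.3.6.1.4.1.311.*` entries should read False and `2.5.29.19` (basicConstraints) True, matching the openssl dump in the report.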
This is basically a resubmittal of bug 367670 for just the Secure Global CA root, is it not? Is the information in this bug (audit, CPS, etc.) more up to date than in the other bug? If so I may close the other bug and focus on this one.
(In reply to comment #2)
> Is the information in this bug (audit, CPS, etc.) more up to
> date than in the other bug?

The information is more up to date. Go ahead and close off https://bugzilla.mozilla.org/show_bug.cgi?id=367670
I've resolved bug 367670 as INVALID because it is superseded by this bug. I've renamed the SecureTrust entry in the pending request list to reference Trustwave instead, and have updated the entry to include the latest information as I understand it:

http://www.mozilla.org/projects/security/certs/pending/#Trustwave

Andrew, please review the information for Trustwave and the Secure Global CA and let me know if it's correct or needs correction.
I have confirmed with our auditor that the final release version (Effective 09/30/07) of the EV Audit specification was used.
In http://www.mozilla.org/projects/security/certs/pending/#Trustwave, for the Secure Global CA entry, "SecureTrust Corporation Certificate Practice Statement for S/MIME Certificates, Version 1.5.1" should read "SecureTrust Certification Practice Statement for S/MIME Certificates, version 1.6.0" and linked to:

https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf

The link for the S/MIME CPS correctly links to this newer document from https://www.securetrust.com/legal/
Thanks for the additional information and for the corrected S/MIME CPS reference; I've updated the pending list to reflect this. Also, a heads-up: I noted that you offer CRLs but not OCSP. Although this won't affect your formal approval one way or the other (because the EV guidelines allow use of either), in practice you may get affected by bug 405139.
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
I have now completed my review of Trustwave's application for adding the Secure Global CA root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for any delays on my part in doing the review. Here follows my final assessment. If anyone sees any factual errors, please point them out.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Trustwave, or of instances where Trustwave has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Trustwave appears to provide a service relevant to Mozilla users; it is a commercial CA operating in the United States and serving customers worldwide; it incorporates the SecureTrust and XRamp CAs. Its policies are documented in its CPSs:

https://www.securetrust.com/legal/evCPS.pdf
https://www.securetrust.com/legal/securetrust%20cps%20for%20ov.pdf
https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf
https://www.securetrust.com/legal/SecureTrust_Code_Signing_CPS.pdf

(These are for EV SSL certificates, OV SSL certificates, S/MIME email certificates, and code signing certificates respectively.)

* Email: For S/MIME certificates issued to individuals, Trustwave verifies control of the email account associated with the email address referenced in the certificate. (See section III.B.2 in the S/MIME CPS.)

* SSL: For OV SSL certificates Trustwave validates organizational identity and control of the domain referenced in the certificate. (See section III.B.3 in the OV CPS.) For EV SSL certificates Trustwave validates identity and domain ownership using procedures consistent with the EV guidelines. (See section III.B.3 in the EV CPS.)

* Code: For code signing certificates Trustwave verifies the applicant's identity. (See section III.B.2 of the Trustwave code signing CPS.)

Sections 8-10 [Audit]. Trustwave has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by Boysen & Miller PLLC. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at

https://cert.webtrust.org/SealFile?seal=359&file=pdf

Note that the WebTrust EV audit was done against the final 1.0 version of the EV guidelines. Audits are done annually.

Section 13 [Certificate Hierarchy]. This particular request is for the Secure Global CA root. Trustwave also has two other root CAs; requests for those roots are being handled separately as bug 409837 and bug 409840. At this time there are no subordinate CAs for the Secure Global CA; instead end entity certificates are issued directly from the root, with different classes of certificates under different certificate policies. The Secure Global CA is not associated with a single CPS; rather, end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc. (Note that mixing certificates of different classes under a single CA is contrary to section 13 of the Mozilla CA certificate policy; however that section is a recommendation only, not a requirement.)

Other: Trustwave issues CRLs at least every 10-14 days. (Note that this is an upper bound, per sections II.I and V.C of the EV CPS and other CPS documents. Trustwave may in fact issue CRLs more frequently, but this is not stated in the CPSs.) Trustwave does not currently have an OCSP responder.

Based on the above information, I am minded to approve the inclusion of the Secure Global CA root in NSS (and thence in Firefox and other Mozilla-based products), with trust bits for SSL, email, and code signing set, and the root's enabling for EV with policy OID 2.16.840.1.114404.1.1.2.4.1.

Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:

news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

http://groups.google.com/group/mozilla.dev.tech.crypto/topics
(In reply to comment #8)
> Independent of approval process, for technical testing purposes: Could you
> please supply an https:// URL to an example SSL server (customer or demo) that
> uses a server cert issued (directly or through intermediates) by this root?
> Should you request multiple roots to be enabled for EV, please provide one
> example URL for each root. Thank you.
> 

https://xgcatest.trustwave.com/

-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIDAjRzMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYDVQQGEwJV
UzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFt
cCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMTJFhSYW1wIEdsb2JhbCBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wODAxMjUxNTIwMjFaFw0wOTAxMjUx
NTIwMjFaMIHVMRAwDgYDVQQFEwczOTM5NzM3MRMwEQYLKwYBBAGCNzwCAQMTAlVT
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRswGQYDVQQPExJWMS4wLCBDbGF1
c2UgNS4oZCkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4GA1UE
BxMHQ2hpY2FnbzEhMB8GA1UEChMYVHJ1c3R3YXZlIEhvbGRpbmdzLCBJbmMuMR8w
HQYDVQQDExZ4Z2NhdGVzdC50cnVzdHdhdmUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCteC7dPuP2hftEMsnZyKVs4YuTZ+H1r+BicrN4M8V0zCbsHMk7
MSL4M0q43gghVioKoeiAsVb/fIuQQpO+NDbM9LYoKU0jK2ARLqY2CLBRephE0rhw
+V3Gc2zGdqskjCW/iSE6pKkRMzmxUf/84ek1USbXTX2ly95aWQIZMNyC/wIDAQAB
o4IBADCB/TAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMZPoj0GY4QJnM5i5ASs
jVy16bYbMB0GA1UdDgQWBBTsmytLBuGYjk1M263PmnA8IcP4HzALBgNVHQ8EBAMC
BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
L2NybC5zZWN1cmV0cnVzdC5jb20vWEdDQS5jcmwwVQYDVR0gBE4wTDBKBgxghkgB
hv1kAQECBAEwOjA4BggrBgEFBQcCARYsaHR0cDovL3d3dy5zZWN1cmV0cnVzdC5j
b20vbGVnYWwvaXNzdWVyLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBAEv3qBpZOxN5
MfZXk17FP/I3SFl3Czgg9Aa7NcGM1vp0/bngnWtkwoxg1u8RwPSEA5SBZfF2wczE
jAmPIMZtGraqU6A0jsNTCbWoLh/c60N3i/gwlLsfj3K7zaegjviDERIfy8omzfzs
OCzFFgE6HS4rGZHoAkU6tdTMXS/eFPI9tiSqYrmX97MGfGOhgx+BxYezBhDEfCg0
d0HkUZutOtXiBbCPRVO+4ZdjnBdmSGgN2OniL94RkpzIm2OuDvNQUshg4NaCl3UX
4ENjLNBzcvdeQCNWkGqzlTv39HJpUhyUZ3d/VGzJPlRj1NGGWrPYURvabHMg+BYj
Vbh6otn6S5A=
-----END CERTIFICATE-----
Correction, the certificate and test site above are for bug 409840. The following is correct for this bug entry:

https://sgcatest.trustwave.com

-----BEGIN CERTIFICATE-----
MIIEGzCCAwOgAwIBAgIDB2VnMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNVBAYTAlVT
MSAwHgYDVQQKExdTZWN1cmVUcnVzdCBDb3Jwb3JhdGlvbjEZMBcGA1UEAxMQU2Vj
dXJlIEdsb2JhbCBDQTAeFw0wODAxMjUxNTM0NTFaFw0wOTAxMjUxNTM0NTFaMIHV
MRAwDgYDVQQFEwczOTM5NzM3MRMwEQYLKwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYB
BAGCNzwCAQITCERlbGF3YXJlMRswGQYDVQQPExJWMS4wLCBDbGF1c2UgNS4oZCkx
CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4GA1UEBxMHQ2hpY2Fn
bzEhMB8GA1UEChMYVHJ1c3R3YXZlIEhvbGRpbmdzLCBJbmMuMR8wHQYDVQQDExZz
Z2NhdGVzdC50cnVzdHdhdmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCWAM+MFEzJiX3AJSlgUG60s1axCohAoxRYDEQYnfaHWEXPuNWmvUwvjhQ0YzX5
jpXRNAmah3katX2hmRjO0MMtC1mMqp2VOvMyov8yQ0NjmiPPOimZJ5Y9SdhxOP2t
n67ac0cXz+ZUN0IXaukkV8CknumYuPd7DdaieU3HI/opBwIDAQABo4IBADCB/TAM
BgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFK9EBMJBfkiD2045AuzshHrmzsmkMB0G
A1UdDgQWBBRS0O3tacTgfNy3Xoo2BAakPaZpCjALBgNVHQ8EBAMCBaAwEwYDVR0l
BAwwCgYIKwYBBQUHAwEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC5zZWN1
cmV0cnVzdC5jb20vU0dDQS5jcmwwVQYDVR0gBE4wTDBKBgxghkgBhv1kAQECBAEw
OjA4BggrBgEFBQcCARYsaHR0cDovL3d3dy5zZWN1cmV0cnVzdC5jb20vbGVnYWwv
aXNzdWVyLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBAJ2IYP/DW0z1OeI9Rm4D6mCs
LPweKHZgWaL1UVogR0BN+Dd41iJO2dJSOtFj0cfmVdku0sOMvhAE2BmWHFPCgTVx
uWqowA/0yvVL/DIpypu7w6PNIjQVhr9M/jxM6vBonVcnanxdjOu/HrHm0lbt1fMp
d1HfXwFdRr7idWlD8xqrXi4yLfQR4sjhP3pjG3QIopOOMBzmNyqfE9XeqGXAT41R
9+Wun4zIE8BA1CxQByV1J5IrJorLhk9G1wiqLfPcEuNSvqCO27gKeYTTreQQlngr
wOmOsPv959/odvz6CKc7Kl5jONe5nRxuAhQQrU2yjleh0Q38x62J9BmJ3S4492w=
-----END CERTIFICATE-----
The comment period has ended and there are no outstanding issues or questions, so I'm formally approving this Trustwave request to add the "Secure Global CA" root and enable it for EV use. I'll proceed to file bugs against NSS and PSM for the actual changes.
Filed bug 418907 to add the root cert and 418910 to EV enable it. Marking this bug as dependent just on bug 418910, since bug 418910 already depends on bug 418907.
Depends on: 418910
shortening summary
Summary: Please add the Trustwave "Secure Global CA" root certificate and mark for EV → add Trustwave "Secure Global CA" EV root
Whiteboard: EV → EV - inclusion approved
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Publicly-disclosed intermediate certs - updated
Product: mozilla.org → NSS
Product: NSS → CA Program