Closed Bug 409840 Opened 18 years ago Closed 17 years ago

Enable Trustwave "XGCA" root for EV

Categories

(CA Program :: CA Certificate Root Program, task)


RESOLVED FIXED

People

(Reporter: agray, Assigned: hecker)

Details

(Whiteboard: EV - inclusion approved)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier:

Note: this certificate is already in the Mozilla certificate store under "XRamp Security Services, Inc.", successor to SecureTrust Corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave").

Name of the CA certificate in question: The Trustwave "XRamp Global CA" (XGCA) root certificate is located here: https://www.securetrust.com/legal/XGCA.txt

Published CP/CPS where we describe how we're operating in accordance with the EV guidelines: http://www.securetrust.com/legal/issuer.html includes:
SecureTrust Extended Validation CPS
Extended Validation SSL Relying Party Agreement
Extended Validation Subscriber Agreement

CRL for Secure Global CA: http://crl.securetrust.com/XGCA.crl

Published CPSs for other uses: https://www.securetrust.com/legal/

Current (issued November 2007) AICPA/CICA WebTrust for Certification Authorities Audit Report including EV audit can be found here: https://cert.webtrust.org/ViewSeal?id=359

EV OID(s) for the CA certificate in question: 2.16.840.1.114404.1.1.2.4.1 (http://www.securetrust.com/legal/issuer.html)

This CA is currently/soon shall be used to issue certificates marked for:
1.3.6.1.5.5.7.3.1 - id_kp_serverAuth
1.3.6.1.5.5.7.3.2 - id_kp_clientAuth
1.3.6.1.5.5.7.3.3 - id_kp_codeSigning
1.3.6.1.5.5.7.3.4 - id_kp_emailProtection
1.3.6.1.5.5.7.3.8 - id_kp_timeStamping
1.3.6.1.5.5.7.3.9 - OCSPSigning

We currently issue codesigning, SMIME, EV, and OV certificates off of this root.
SHA1 thumbprint: b8 01 86 d1 eb 9c 86 a5 41 04 cf 30 54 f3 4c 52 b7 e5 58 c6

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Validity
            Not Before: Nov 1 17:14:04 2004 GMT
            Not After : Jan 1 05:37:19 2035 GMT
        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: ...C.A
            X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
            X509v3 CRL Distribution Points: URI:http://crl.xrampsecurity.com/XGCA.crl
            1.3.6.1.4.1.311.21.1: ...
    Signature Algorithm: sha1WithRSAEncryption

Note: information on the "historical dangling" OIDs above in the extensions (1.3.6.1.4.1.311.21.1 and 1.3.6.1.4.1.311.20.2), which currently are of no importance or relevance to us, can be found here: http://support.microsoft.com/kb/287547. Also, these extensions are NOT CRITICAL.

Reproducible: Always
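Added example (not code from this bug, Trustwave or NSS/PSM): a Go program that builds a constructed chain mirroring the root described above (same subject, CA extensions, EV policy OID and test hostname) and applies the decision EV enablement adds to a browser: a server cert is EV only if it chains to an EV-enabled root and asserts that root's registered policy OID, while a cert under the same root without that policy verifies fine but stays non-EV. Fresh keys are generated, so the thumbprint registered in evRoots is constructed and not the real one; evRoots itself, the serial numbers and validity periods are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var xgcaEVPolicy = asn1.ObjectIdentifier{2, 16, 840, 1, 114404, 1, 1, 2, 4, 1} // EV policy OID quoted in the bug
var evRoots = map[[20]byte]asn1.ObjectIdentifier{}                             // assumed table: root SHA-1 thumbprint -> EV OID honoured under it
func must[T any](v T, err error) T { // setup failures (bad template or key) abort instead of masquerading as results
	if err != nil {
		panic(err)
	}
	return v
}
// buildChain: a root with the XGCA subject and CA extensions from the bug, an EV server cert issued directly from it (no intermediates) and a second cert under the same root asserting no policy, standing in for the OV/S-MIME/code-signing classes.
func buildChain() (root, evLeaf, plainLeaf *x509.Certificate) {
	rootKey, leafKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"XRamp Security Services Inc"}, CommonName: "XRamp Global Certification Authority"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey))))
	evRoots[sha1.Sum(root.Raw)] = xgcaEVPolicy // constructed thumbprint (fresh key), not the real b8:01:86:... one
	issue := func(serial int64, ext []pkix.Extension) *x509.Certificate {
		tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
			Subject: pkix.Name{CommonName: "xgcatest.trustwave.com"}, DNSNames: []string{"xgcatest.trustwave.com"}, // test host from the bug
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ExtraExtensions: ext} // id_kp_serverAuth
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, root, &leafKey.PublicKey, rootKey))))
	}
	// certificatePolicies (2.5.29.32) marshalled by hand, so the example does not depend on Go's PolicyIdentifiers/Policies switch.
	pol := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{xgcaEVPolicy}}))
	return root, issue(2, []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}), issue(3, nil)
}
// isEV mirrors the browser-side decision: the chain must verify to root for host, root must be EV-enabled, and the leaf must assert exactly that root's EV policy OID; (false, nil) is a valid chain with plain OV/DV treatment.
func isEV(leaf, root *x509.Certificate, host string) (bool, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	for _, oid := range leaf.PolicyIdentifiers { // lookup is nil, and so never Equal, for a trusted but not EV-enabled root
		if err == nil && oid.Equal(evRoots[sha1.Sum(root.Raw)]) {
			return true, nil
		}
	}
	return false, err
}
```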
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Whiteboard: EV
A quick question: Was the WebTrust EV audit under the final WebTrust EV criteria (which reference the final 1.0 EV guidelines), or the draft WebTrust EV criteria (which reference the draft 11 EV guidelines)? This wasn't clear from my quick read-through.
I've added information on the XRamp Global CA to the Trustwave entry in the pending request list: http://www.mozilla.org/projects/security/certs/pending/#Trustwave Andrew, please review the information for Trustwave and the XRamp Global CA and let me know if it's correct or needs correction.
I have confirmed with our auditor that the final release version (Effective 09/30/07) of the EV Audit specification was used.
In http://www.mozilla.org/projects/security/certs/pending/#Trustwave, for the XRamp Global CA (XGCA), "SecureTrust Corporation Certificate Practice Statement for S/MIME Certificates, Version 1.5.1" should read "SecureTrust Certification Practice Statement for S/MIME Certificates, version 1.6.0" and be linked to: https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf The link for the S/MIME CPS correctly links to this newer document from https://www.securetrust.com/legal/
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
I have now completed my review of Trustwave's application for upgrading the existing XRamp Global CA to support EV use, per the official Mozilla CA certificate policy at: http://www.mozilla.org/projects/security/certs/policy/

I apologize for any delays on my part in doing the review. Here follows my final assessment. If anyone sees any factual errors, please point them out. Note that this root is already in Mozilla (approved per bug 273189), but in the interests of thoroughness I'm going to write this as if it were a new root.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Trustwave, or of instances where Trustwave has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Trustwave appears to provide a service relevant to Mozilla users; it is a commercial CA operating in the United States and serving customers worldwide; it incorporates the SecureTrust and XRamp CAs. Its policies are documented in its CPSs:

https://www.securetrust.com/legal/evCPS.pdf
https://www.securetrust.com/legal/securetrust%20cps%20for%20ov.pdf
https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf
https://www.securetrust.com/legal/SecureTrust_Code_Signing_CPS.pdf

(These are for EV SSL certificates, OV SSL certificates, S/MIME email certificates, and code signing certificates respectively.)

* Email: For certificates issued to individuals, Trustwave verifies control of the email account associated with the email address referenced in the certificate. (See section III.B.2 in the S/MIME CPS.)

* SSL: For OV SSL certificates Trustwave validates organizational identity and control of the domain referenced in the certificate. (See section III.B.3 in the OV CPS.) For EV SSL certificates Trustwave validates identity and domain ownership using procedures consistent with the EV guidelines. (See section III.B.3 in the EV CPS.)

* Code: For code signing certificates Trustwave verifies the applicant's identity. (See section III.B.2 of the Trustwave code signing CPS.)

Sections 8-10 [Audit]. Trustwave has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by Boysen & Miller PLLC. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at https://cert.webtrust.org/SealFile?seal=359&file=pdf

Note that the WebTrust EV audit was done against the final 1.0 version of the EV guidelines. Audits are done annually.

Section 13 [Certificate Hierarchy]. This particular request is for the XRamp Global CA root. Trustwave also has two other root CAs; requests for those roots are being handled separately as bug 409837 and bug 409838. At this time there are no subordinate CAs for the XRamp Global CA; instead end entity certificates are issued directly from the root, with different classes of certificates under different certificate policies. The XRamp Global CA is not associated with a single CPS; rather, end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc. (Note that mixing certificates of different classes under a single CA is contrary to section 13 of the Mozilla CA certificate policy; however that section is a recommendation only, not a requirement.)

Other: Trustwave issues CRLs at least every 10-14 days. (Note that this is an upper bound, per sections II.I and V.C of the EV CPS and other CPS documents. Trustwave may in fact issue CRLs more frequently, but this is not stated in the CPSs.) Trustwave does not currently have an OCSP responder.

Based on the above information, I am minded to approve the enabling of the existing XRamp Global CA root for EV use in NSS and thence in Firefox and other Mozilla-based products.

Before I do, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:
news://news.mozilla.org/mozilla.dev.tech.crypto
via email by subscribing to the associated mailing list:
https://lists.mozilla.org/listinfo/dev-tech-crypto
and via the web at:
http://groups.google.com/group/mozilla.dev.tech.crypto/topics
(In reply to comment #5)
> Independent of approval process, for technical testing purposes: Could you
> please supply an https:// URL to an example SSL server (customer or demo) that
> uses a server cert issued (directly or through intermediates) by this root?
> Should you request multiple roots to be enabled for EV, please provide one
> example URL for each root. Thank you.

https://xgcatest.trustwave.com/
The comment period has ended and there are no outstanding issues or questions, so I'm formally approving this Trustwave request to EV-enable its existing "XRamp Global CA" root. I'll proceed to file a bug against PSM for the actual change.
Filed bug 418902 against PSM for this change; marking this bug as dependent on that one.
Depends on: 418902
Making EV root cert requests have uniform summaries.
Summary: Please mark the Trustwave "XGCA" root certificate for EV → Enable Trustwave "XGCA" root for EV
Whiteboard: EV → EV - inclusion approved
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program