Closed Bug 409840 Opened 12 years ago Closed 12 years ago

Enable Trustwave "XGCA" root for EV

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: agray, Assigned: hecker)

References

Details

(Whiteboard: EV - inclusion approved)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: 


Note: this certificate is already in the Mozilla certificate store under "XRamp Security Services, Inc.", successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave") 

Name of the CA certificate in question:
The Trustwave "XRamp Global CA" (XGCA) root certificate is located here:
https://www.securetrust.com/legal/XGCA.txt)

Published CP/CPS where we describe how we're operating in accordance with the
EV guidelines:
http://www.securetrust.com/legal/issuer.html includes:
SecureTrust Extended Validation CPS
Extended Validation SSL Relying Party Agreement
Extended Validation Subcriber Agreement

CRL for Secure Global CA CRL:
http://crl.securetrust.com/XGCA.crl

Published CPSs for other uses:
https://www.securetrust.com/legal/

Current (1ssued November 2007) AICPA/CICA WebTrust for Certification
Authorities Audit Report including EV audit can be found here:
https://cert.webtrust.org/ViewSeal?id=359

EV OID(s) for the CA certificate in question:
2.16.840.1.114404.1.1.2.4.1
(http://www.securetrust.com/legal/issuer.html)


This CA is currently/soon shall be used to issue certificates marked for:
1.3.6.1.5.5.7.3.1 - id_kp_serverAuth
1.3.6.1.5.5.7.3.2 - id_kp_clientAuth
1.3.6.1.5.5.7.3.3 - id_kp_codeSigning
1.3.6.1.5.5.7.3.4 - id_kp_emailProtection
1.3.6.1.5.5.7.3.8 - id_kp_timeStamping
1.3.6.1.5.5.7.3.9 - OCSPSigning  

We currently issue codesigning, SMIME, EV, and OV certificates off of this root.

SHA1 thumbprint: b8 01 86 d1 eb 9c 86 a5 41 04 cf 30 54 f3 4c 52 b7 e5 58 c6
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Validity
            Not Before: Nov  1 17:14:04 2004 GMT
            Not After : Jan  1 05:37:19 2035 GMT
        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:98:24:1e:bd:15:b4:ba:df:c7:8c:a5:27:b6:38:
                    0b:69:f3:b6:4e:a8:2c:2e:21:1d:5c:44:df:21:5d:
                    7e:23:74:fe:5e:7e:b4:4a:b7:a6:ad:1f:ae:e0:06:
                    16:e2:9b:5b:d9:67:74:6b:5d:80:8f:29:9d:86:1b:
                    d9:9c:0d:98:6d:76:10:28:58:e4:65:b0:7f:4a:98:
                    79:9f:e0:c3:31:7e:80:2b:b5:8c:c0:40:3b:11:86:
                    d0:cb:a2:86:36:60:a4:d5:30:82:6d:d9:6e:d0:0f:
                    12:04:33:97:5f:4f:61:5a:f0:e4:f9:91:ab:e7:1d:
                    3b:bc:e8:cf:f4:6b:2d:34:7c:e2:48:61:1c:8e:f3:
                    61:44:cc:6f:a0:4a:a9:94:b0:4d:da:e7:a9:34:7a:
                    72:38:a8:41:cc:3c:94:11:7d:eb:c8:a6:8c:b7:86:
                    cb:ca:33:3b:d9:3d:37:8b:fb:7a:3e:86:2c:e7:73:
                    d7:0a:57:ac:64:9b:19:eb:f4:0f:04:08:8a:ac:03:
                    17:19:64:f4:5a:25:22:8d:34:2c:b2:f6:68:1d:12:
                    6d:d3:8a:1e:14:da:c4:8f:a6:e2:23:85:d5:7a:0d:
                    bd:6a:e0:e9:ec:ec:17:bb:42:1b:67:aa:25:ed:45:
                    83:21:fc:c1:c9:7c:d5:62:3e:fa:f2:c5:2d:d3:fd:
                    d4:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                ...C.A
            X509v3 Key Usage: 
            Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
            CA:TRUE
            X509v3 Subject Key Identifier: 
            C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
            X509v3 CRL Distribution Points: 
            URI:http://crl.xrampsecurity.com/XGCA.crl

            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
        91:15:39:03:01:1b:67:fb:4a:1c:f9:0a:60:5b:a1:da:4d:97:
        62:f9:24:53:27:d7:82:64:4e:90:2e:c3:49:1b:2b:9a:dc:fc:
        a8:78:67:35:f1:1d:f0:11:bd:b7:48:e3:10:f6:0d:df:3f:d2:
        c9:b6:aa:55:a4:48:ba:02:db:de:59:2e:15:5b:3b:9d:16:7d:
        47:d7:37:ea:5f:4d:76:12:36:bb:1f:d7:a1:81:04:46:20:a3:
        2c:6d:a9:9e:01:7e:3f:29:ce:00:93:df:fd:c9:92:73:89:89:
        64:9e:e7:2b:e4:1c:91:2c:d2:b9:ce:7d:ce:6f:31:99:d3:e6:
        be:d2:1e:90:f0:09:14:79:5c:23:ab:4d:d2:da:21:1f:4d:99:
        79:9d:e1:cf:27:9f:10:9b:1c:88:0d:b0:8a:64:41:31:b8:0e:
        6c:90:24:a4:9b:5c:71:8f:ba:bb:7e:1c:1b:db:6a:80:0f:21:
        bc:e9:db:a6:b7:40:f4:b2:8b:a9:b1:e4:ef:9a:1a:d0:3d:69:
        99:ee:a8:28:a3:e1:3c:b3:f0:b2:11:9c:cf:7c:40:e6:dd:e7:
        43:7d:a2:d8:3a:b5:a9:8d:f2:34:99:c4:d4:10:e1:06:fd:09:
        84:10:3b:ee:c4:4c:f4:ec:27:7c:42:c2:74:7c:82:8a:09:c9:
        b4:03:25:bc
-----BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
O+7ETPTsJ3xCwnR8gooJybQDJbw=
-----END CERTIFICATE-----
Note information on the "historical dangling" OIDS above in the extensions -
1.3.6.1.4.1.311.21.1 & 1.3.6.1.4.1.311.20.2 - which currently are of no
importance or relevance, to us, can be found here:
http://support.microsoft.com/kb/287547.  Also, these extensions are NOT
CRITICAL.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Whiteboard: EV
A quick question: Was the WebTrust EV audit under the final WebTrust EV criteria (which reference the final 1.0 EV guidelines), or the draft WebTrust EV criteria (which reference the draft 11 EV guidelines)? This wasn't clear from my quick read-through.
I've added information on the XRamp Global CA to the Trustwave entry in the pending request list:

http://www.mozilla.org/projects/security/certs/pending/#Trustwave

Andrew, please review the information for Trustwave and the XRamp Global CA and let me know if it's correct or needs correction.
I have confirmed with our auditor that the final release version (Effective 09/30/07) of the EV Audit specification was used.
In http://www.mozilla.org/projects/security/certs/pending/#Trustwave, for the XRamp Global CA (XGCA),

"SecureTrust Corporation Certificate Practice Statement for S/MIME Certificates, Version 1.5.1" 

should read

"SecureTrust Certification Practice Statement for S/MIME Certificates, version 1.6.0"  and linked to:

https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf

The link for the S/MIME cps correctly links to this newer document from https://www.securetrust.com/legal/
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
I have now completed my review of Trustwave's application for upgrading existing the XRamp Global CA to support EV use, per the official Mozilla CA certificate policy at:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for any delays on my part in doing the review.

Here follows my final assessment. If anyone sees any factual errors, please
point them out. Note that this root is already in Mozilla (approved per bug 273189), but in the interests of thoroughness I'm going to write this as if it were a new root.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Trustwave, or of instances where Trustwave has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Trustwave appears to provide a service
relevant to Mozilla users; it is a commercial CA operating in United States and serving customers worldwide; it incorporates the SecureTrust and XRamp CAs. Its policies are documented in its CPSs:

  https://www.securetrust.com/legal/evCPS.pdf
  https://www.securetrust.com/legal/securetrust%20cps%20for%20ov.pdf
  https://www.securetrust.com/legal/SecureTrust_SMIME_CPS_1_6_0.pdf
  https://www.securetrust.com/legal/SecureTrust_Code_Signing_CPS.pdf

(These are for EV SSL certificates, OV SSL certificates, S/MIME email certificates, and code signing certificates respectively.)

* Email: For certificates issued to individuals, Trustwave verifies control of the email account associated with the email address referenced in the certificate. (See section III.B.2 in the S/MIME CPS.)

* SSL: For OV SSL certificates Trustwave validates organizational identity and control of the domain referenced in the certificate. (See section III.B.3 in the OV CPS.) For EV SSL certificates Trustwave validates identity and domain ownership using procedures consistent with the EV guidelines. (See section III.B.3 in the EV CPS.) 

* Code: For code signing certificates Trustwave verifies the applicant's identity. (See section III.B.2 of the Trustwave code signing CPS.)

Section 8-10 [Audit]. Trustwave has successfully completed an independent
audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by Boysen & Miller PLLC. Attestation of the successful completion of the audit is in the form of a standard WebTrust/WebTrust EV report available at

https://cert.webtrust.org/SealFile?seal=359&file=pdf

Note that the WebTrust EV audit was done against the final 1.0 version of the EV guidelines. Audits are done annually.

Section 13 [Certificate Hierarchy]. This particular request is for the XRamp Global CA root. Trustwave also has two other root CAs; requests for those roots are being handled separately as bug 409837 and bug 409838. At this time there are no subordinate CAs for the XRamp Global CA; instead end entity certificates are issued directly from the root, with different classes of certificates under different certificate policies. The XRamp Global CA is not associated with a single CPS, rather end entity certs are associated with policies that link to the CPS that the certificate was issued under: an EV CPS, an OV CPS, etc.

(Note that mixing certificates of different classes under a single CA is contrary to section 13 of the Mozilla CA certificate policy; however that section is a recommendation only, not a requirement.)

Other: Trustwave issues CRLs at least every 10-14 days. (Note that this is an upper bound, per sections II.I and V.C of the EV CPS and other CPS documents. Trustwave may in fact issue CRLs more frequently, but this is not stated in the CPSs.) Trustwave does not currently have an OCSP responder.

Based on the above information, I am minded to approve the enabling of the existing XRamp Global CA root for EV use in NSS and thence in Firefox and other Mozilla-based products. Before I do, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable
newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics
(In reply to comment #5)
> Independent of approval process, for technical testing purposes: Could you
> please supply an https:// URL to an example SSL server (customer or demo) that
> uses a server cert issued (directly or through intermediates) by this root?
> Should you request multiple roots to be enabled for EV, please provide one
> example URL for each root. Thank you.
> 

https://xgcatest.trustwave.com/

-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIDAjRzMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYDVQQGEwJV
UzEeMBwGA1UECxMVd3d3LnhyYW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFt
cCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTArBgNVBAMTJFhSYW1wIEdsb2JhbCBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wODAxMjUxNTIwMjFaFw0wOTAxMjUx
NTIwMjFaMIHVMRAwDgYDVQQFEwczOTM5NzM3MRMwEQYLKwYBBAGCNzwCAQMTAlVT
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRswGQYDVQQPExJWMS4wLCBDbGF1
c2UgNS4oZCkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhJbGxpbm9pczEQMA4GA1UE
BxMHQ2hpY2FnbzEhMB8GA1UEChMYVHJ1c3R3YXZlIEhvbGRpbmdzLCBJbmMuMR8w
HQYDVQQDExZ4Z2NhdGVzdC50cnVzdHdhdmUuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQCteC7dPuP2hftEMsnZyKVs4YuTZ+H1r+BicrN4M8V0zCbsHMk7
MSL4M0q43gghVioKoeiAsVb/fIuQQpO+NDbM9LYoKU0jK2ARLqY2CLBRephE0rhw
+V3Gc2zGdqskjCW/iSE6pKkRMzmxUf/84ek1USbXTX2ly95aWQIZMNyC/wIDAQAB
o4IBADCB/TAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMZPoj0GY4QJnM5i5ASs
jVy16bYbMB0GA1UdDgQWBBTsmytLBuGYjk1M263PmnA8IcP4HzALBgNVHQ8EBAMC
BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
L2NybC5zZWN1cmV0cnVzdC5jb20vWEdDQS5jcmwwVQYDVR0gBE4wTDBKBgxghkgB
hv1kAQECBAEwOjA4BggrBgEFBQcCARYsaHR0cDovL3d3dy5zZWN1cmV0cnVzdC5j
b20vbGVnYWwvaXNzdWVyLmh0bWwwDQYJKoZIhvcNAQEFBQADggEBAEv3qBpZOxN5
MfZXk17FP/I3SFl3Czgg9Aa7NcGM1vp0/bngnWtkwoxg1u8RwPSEA5SBZfF2wczE
jAmPIMZtGraqU6A0jsNTCbWoLh/c60N3i/gwlLsfj3K7zaegjviDERIfy8omzfzs
OCzFFgE6HS4rGZHoAkU6tdTMXS/eFPI9tiSqYrmX97MGfGOhgx+BxYezBhDEfCg0
d0HkUZutOtXiBbCPRVO+4ZdjnBdmSGgN2OniL94RkpzIm2OuDvNQUshg4NaCl3UX
4ENjLNBzcvdeQCNWkGqzlTv39HJpUhyUZ3d/VGzJPlRj1NGGWrPYURvabHMg+BYj
Vbh6otn6S5A=
-----END CERTIFICATE-----
The comment period has ended and there are no outstanding issues or questions, so I'm formally approving this Trustwave request to EV-enable its existing "XRamp Global CA" root. I'll proceed to file a bug against PSM for the actual change.
Filed bug 418902 against PSM for this change; marking this bug as dependent on that one.
Depends on: 418902
Making EV root cert requests have uniform summaries.
Summary: Please mark the Trustwave "XGCA" root certificate for EV → Enable Trustwave "XGCA" root for EV
Whiteboard: EV → EV - inclusion approved
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.