Closed Bug 418958 Opened 13 years ago Closed 12 years ago

Enable Go Daddy root CA certificates for EV use

Categories

(Core :: Security: PSM, enhancement)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: KaiE)

Attachments

(1 file)

Per bug 403437 I've approved enabling Go Daddy's existing root CA certificates
for Extended Validation use, with EV policy OIDs as follows:

Valicert Class 2 Policy Validation Authority
2.16.840.1.114413.1.7.23.3 *and* 2.16.840.1.114414.1.7.23.3

Go Daddy Class 2 CA
2.16.840.1.114413.1.7.23.3

Starfield Class 2 CA
2.16.840.1.114414.1.7.23.3

Thanks in advance for your help getting this change made to PSM!
Blocks: 403437
Attached patch: Patch v1
I ran some tests.

Test 1:
I removed both "Go Daddy Class 2 CA" and "Starfield Class 2 CA" from the NSS root store. Then I attempted to connect to the example sites listed in bug 403437, leaving only the "ValiCert Class 2 VA" active.
Results:
  All 4 example hosts can be validated as EV


Test 2:
I removed both "ValiCert Class 2 VA" and "Starfield Class 2 CA",
keeping "Go Daddy Class 2 CA".
Results:
  https://seal.starfieldtech.com/ invalid
  https://www.godaddy.com EV
  https://www.sffutureroot.com/ invalid
  https://www.gdfutureroot.com  EV


Test 3:
I removed both "Go Daddy Class 2 CA" and "ValiCert Class 2 VA",
keeping "Starfield Class 2 CA".
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  invalid
  https://www.gdfutureroot.com  invalid
  https://www.sffutureroot.com  invalid


Are these results correct?

Well, at least for the very last result, I'm quite sure our code has a problem, see new bug 419678.
Depends on: 419678
Your results appear correct, except for the very last test as you noted.  I would expect that with the "Starfield Class 2 CA" present as a trusted root, you should at a minimum get a successful SSL handshake with https://www.sffutureroot.com/, and if that root is EV enabled in the NSS store you should get an EV status.

Note that the www.(sf|gd)futureroot.com test sites do NOT present cross-cert chains in the handshake.  They present server cert -> issuing CA -> (GD|SF) root CA.

The www.godaddy.com and seal.starfieldtech.com sites DO present a cross-cert chain during the handshake (server cert -> issuing CA cert -> cross cert -> Valicert root cert).

However, based on the successful EV status of www.godaddy.com in your Test 2 above, it would seem that distinction is irrelevant, and the bug is somehow related specifically to the Starfield Root CA.
I think the confusion was caused by a mistake I made during local testing.
I used patches to remove/add back the certs.
Eventually I noticed this procedure added multiple copies of some of the certs to the cert store (only locally on my system).

I will repeat the tests.
Test 1:
I removed both "Go Daddy Class 2 CA" and "Starfield Class 2 CA" from the NSS
root store. Then I attempted to connect to the example sites listed in bug
403437, leaving only the "ValiCert Class 2 VA" active.
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  EV
  https://www.gdfutureroot.com  untrusted issuer
  https://www.sffutureroot.com  untrusted issuer


Test 2:
I removed both "ValiCert Class 2 VA" and "Starfield Class 2 CA",
keeping "Go Daddy Class 2 CA".
Results:
  https://seal.starfieldtech.com/  ca cert invalid
  https://www.godaddy.com  EV (but complains about imagesak.godaddy.com as invalid)
  https://www.gdfutureroot.com  EV
  https://www.sffutureroot.com  untrusted issuer


Test 3:
I removed both "Go Daddy Class 2 CA" and "ValiCert Class 2 VA",
keeping "Starfield Class 2 CA".
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  unknown issuer
  https://www.gdfutureroot.com  untrusted issuer
  https://www.sffutureroot.com  EV
The results from comment 5 make sense to me.
And finally I was able to perform the test I was *really* interested in.

With all roots contained in the roots module, I enabled the valicert root for oid ...114413... only.
  https://seal.starfieldtech.com/  DV
  https://www.godaddy.com  EV

With all roots contained in the roots module, I enabled the valicert root for oid ...114414... only.
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  DV

I think this matches the expected results and gives me confidence the code works for duplicate roots/OIDs.

Of course, with all roots checked in and all roots enabled for EV, I get EV on all 4 test sites.
Attachment #305814 - Flags: review?(rrelyea)
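
The test matrices reported above can be reproduced with a small model. This is an added example, not code from the bug, the patch, or NSS/PSM. It assumes a site is EV when any path from its leaf reaches a trusted root enabled for the leaf's policy OID, that the leaf OIDs are the ones implied by the single-OID test, and that in that test the Go Daddy and Starfield roots were trusted but not EV-enabled. The site table and function names are constructed for illustration.

```python
# Simplified model (an assumption, not NSS/PSM code): EV when some path from
# the leaf reaches a trusted root enabled for the leaf's EV policy OID, DV when
# it only reaches a trusted root, otherwise untrusted. The thread's distinct
# error strings ("untrusted issuer", "ca cert invalid", ...) collapse to one.
GD_OID = "2.16.840.1.114413.1.7.23.3"
SF_OID = "2.16.840.1.114414.1.7.23.3"
VALICERT, GODADDY, STARFIELD = (
    "ValiCert Class 2 VA", "Go Daddy Class 2 CA", "Starfield Class 2 CA")

# EV OIDs approved per root in the bug description.
APPROVED = {VALICERT: {GD_OID, SF_OID}, GODADDY: {GD_OID}, STARFIELD: {SF_OID}}

# Constructed site table: (leaf EV OID, own root CA, cross cert presented?).
# Leaf OIDs are inferred from the single-OID test results in the thread.
SITES = {
    "seal.starfieldtech.com": (SF_OID, STARFIELD, True),
    "www.godaddy.com":        (GD_OID, GODADDY, True),
    "www.gdfutureroot.com":   (GD_OID, GODADDY, False),
    "www.sffutureroot.com":   (SF_OID, STARFIELD, False),
}

def anchors(site):
    """Root names at which a path for this site can terminate."""
    _, root, cross = SITES[site]
    # A cross cert is the GD/SF CA's name and key certified by ValiCert, so a
    # chain that presents it can also terminate at the ValiCert root.
    return [root, VALICERT] if cross else [root]

def status(site, store):
    """store maps each trusted root name to the set of EV OIDs enabled for it."""
    leaf_oid = SITES[site][0]
    reachable = [a for a in anchors(site) if a in store]
    if not reachable:
        return "untrusted"
    if any(leaf_oid in store[a] for a in reachable):
        return "EV"
    return "DV"

def matrix(store):
    return {site: status(site, store) for site in SITES}

if __name__ == "__main__":
    for root in (VALICERT, GODADDY, STARFIELD):
        print(root, "only:", matrix({root: APPROVED[root]}))
    # Assumption: GD/SF roots trusted but not EV-enabled during this test.
    partial = {VALICERT: {GD_OID}, GODADDY: set(), STARFIELD: set()}
    print("ValiCert enabled for ...114413... only:", matrix(partial))
```
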
Any chance we can get this landed as part of b4?  It would mean a quick review from rrelyea, but I think we can get it approved, and it would effectively double the number of recognized issuers in beta 4.
Comment on attachment 305814
Patch v1

r+ rrelyea
Attachment #305814 - Flags: review?(rrelyea) → review+
Comment on attachment 305814
Patch v1

As mentioned above, landing this would double the number of EV issuers we recognize in b4.
Attachment #305814 - Flags: approval1.9b4?
Comment on attachment 305814
Patch v1

a1.9b4=beltzner
Attachment #305814 - Flags: approval1.9b4? → approval1.9b4+
fixed
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED