Enable Go Daddy root CA certificates for EV use

Status: RESOLVED FIXED (enhancement)

People

(Reporter: hecker, Assigned: kaie)

(Reporter)

Description

11 years ago
Per bug 403437 I've approved enabling Go Daddy's existing root CA certificates
for Extended Validation use, with EV policy OIDs as follows:

Valicert Class 2 Policy Validation Authority
2.16.840.1.114413.1.7.23.3 *and* 2.16.840.1.114414.1.7.23.3

Go Daddy Class 2 CA
2.16.840.1.114413.1.7.23.3

Starfield Class 2 CA
2.16.840.1.114414.1.7.23.3

Thanks in advance for your help getting this change made to PSM!
(Reporter)

Updated

11 years ago
Blocks: 403437
(Assignee)

Comment 1

11 years ago
Posted patch: Patch v1
(Assignee)

Comment 2

11 years ago
I ran some tests.

Test 1:
I removed both "Go Daddy Class 2 CA" and "Starfield Class 2 CA" from the NSS root store. Then I attempted to connect to the example sites listed in bug 403437, leaving only the "ValiCert Class 2 VA" active.
Results:
  All 4 example hosts can be validated as EV


Test 2:
I removed both "ValiCert Class 2 VA" and "Starfield Class 2 CA",
keeping "Go Daddy Class 2 CA".
Results:
  https://seal.starfieldtech.com/ invalid
  https://www.godaddy.com EV
  https://www.sffutureroot.com/ invalid
  https://www.gdfutureroot.com  EV


Test 3:
I removed both "Go Daddy Class 2 CA" and "ValiCert Class 2 VA",
keeping "Starfield Class 2 CA".
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  invalid
  https://www.gdfutureroot.com  invalid
  https://www.sffutureroot.com  invalid


Are these results correct?

Well, at least for the very last result, I'm quite sure our code has a problem, see new bug 419678.
Depends on: 419678

Comment 3

11 years ago
Your results appear correct, except for the very last test as you noted.  I would expect that with the "Starfield Class 2 CA" present as a trusted root, you should at a minimum get a successful SSL handshake with https://www.sffutureroot.com/, and if that root is EV enabled in the NSS store you should get an EV status.

Note that the www.(sf|gd)futureroot.com test sites do NOT present cross-cert chains in the handshake.  They present server cert -> issuing CA -> (GD|SF) root CA.

The www.godaddy.com and seal.starfieldtech.com sites DO present a cross-cert chain during the handshake (server cert -> issuing CA cert -> cross cert -> Valicert root cert).

However, based on the successful EV status of www.godaddy.com in your Test 2 above, it would seem that distinction is irrelevant, and the bug is somehow related specifically to the Starfield Root CA.
(Assignee)

Comment 4

11 years ago
I think the confusion was caused by a mistake I made during local testing.
I used patches to remove/add back the certs.
Eventually I noticed this procedure added multiple copies of some of the certs to the cert store (only locally on my system).

I will repeat the tests.
(Assignee)

Comment 5

11 years ago
Test 1:
I removed both "Go Daddy Class 2 CA" and "Starfield Class 2 CA" from the NSS
root store. Then I attempted to connect to the example sites listed in bug
403437, leaving only the "ValiCert Class 2 VA" active.
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  EV
  https://www.gdfutureroot.com  untrusted issuer
  https://www.sffutureroot.com  untrusted issuer


Test 2:
I removed both "ValiCert Class 2 VA" and "Starfield Class 2 CA",
keeping "Go Daddy Class 2 CA".
Results:
  https://seal.starfieldtech.com/  ca cert invalid
  https://www.godaddy.com  EV (but complains about imagesak.godaddy.com as invalid)
  https://www.gdfutureroot.com  EV
  https://www.sffutureroot.com  untrusted issuer


Test 3:
I removed both "Go Daddy Class 2 CA" and "ValiCert Class 2 VA",
keeping "Starfield Class 2 CA".
Results:
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  unknown issuer
  https://www.gdfutureroot.com  untrusted issuer
  https://www.sffutureroot.com  EV
(Assignee)

Comment 6

11 years ago
The results from comment 5 make sense to me.
And finally I was able to perform the test I was *really* interested in.

With all roots contained in the roots module, I enabled the valicert root for oid ...114413... only.
  https://seal.starfieldtech.com/  DV
  https://www.godaddy.com  EV

With all roots contained in the roots module, I enabled the valicert root for oid ...114414... only.
  https://seal.starfieldtech.com/  EV
  https://www.godaddy.com  DV

I think this matches the expected results and gives me confidence the code works for duplicate roots/OIDs.

Of course, with all roots checked in and all roots enabled for EV, I get EV on all 4 test sites.
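The behaviour comments 5 and 6 describe, as an added Python model that is not PSM or NSS code: it assumes placeholder issuing-CA names and a simplified path-building rule (the presented cross cert is followed whenever its issuer is in the store), and shows why the ValiCert root needs both EV OIDs while the Go Daddy and Starfield roots need one each.

```python
# Added illustration, not PSM/NSS code: a toy model of how EV status depends
# on which roots are in the store, which chain the server presents, and
# which EV OID each root is enabled for. Chains and CA names are constructed
# from the descriptions in comments 3 and 5; the two OIDs are from the bug.
GD_OID = "2.16.840.1.114413.1.7.23.3"
SF_OID = "2.16.840.1.114414.1.7.23.3"
VALICERT = "ValiCert Class 2 VA"
GODADDY = "Go Daddy Class 2 CA"
STARFIELD = "Starfield Class 2 CA"

# A cert is (subject, issuer, certificate-policy OIDs); chains are leaf first.
# "GD Secure CA" / "SF Secure CA" are placeholder issuing-CA names.
CHAINS = {
    "www.godaddy.com": [("www.godaddy.com", "GD Secure CA", {GD_OID}),
                        ("GD Secure CA", GODADDY, set()),
                        (GODADDY, VALICERT, set())],             # cross cert
    "seal.starfieldtech.com": [("seal.starfieldtech.com", "SF Secure CA", {SF_OID}),
                               ("SF Secure CA", STARFIELD, set()),
                               (STARFIELD, VALICERT, set())],    # cross cert
    "www.gdfutureroot.com": [("www.gdfutureroot.com", "GD Secure CA", {GD_OID}),
                             ("GD Secure CA", GODADDY, set())],
    "www.sffutureroot.com": [("www.sffutureroot.com", "SF Secure CA", {SF_OID}),
                             ("SF Secure CA", STARFIELD, set())],
}

def validate(chain, store, ev_roots):
    """store: set of trusted root subjects; ev_roots: {root: set of EV OIDs}.
    Assumption: the path builder follows the presented certs as far as they
    chain to something in the store, so a presented cross cert wins over a
    same-named self-signed root whenever ValiCert is also trusted."""
    anchor = None
    for _subject, issuer, _oids in chain:
        if issuer in store:
            anchor = issuer
    if anchor is None:
        return "untrusted issuer"
    # EV only if the leaf carries an OID the anchor root is enabled for.
    return "EV" if chain[0][2] & ev_roots.get(anchor, set()) else "DV"

def run(store, ev_roots):
    return {host: validate(chain, store, ev_roots) for host, chain in CHAINS.items()}

if __name__ == "__main__":
    # Comment 6: all roots trusted, ValiCert enabled for the Go Daddy OID only.
    print(run({VALICERT, GODADDY, STARFIELD}, {VALICERT: {GD_OID}}))
```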
(Assignee)

Updated

11 years ago
Attachment #305814 - Flags: review?(rrelyea)
Any chance we can get this landed as part of b4?  It would mean a quick review from rrelyea, but I think we can get it approved, and it would effectively double the number of recognized issuers in beta 4.

Comment 8

11 years ago
Comment on attachment 305814 (Patch v1)

r+ rrelyea
Attachment #305814 - Flags: review?(rrelyea) → review+
Comment on attachment 305814 (Patch v1)

As mentioned above, landing this would double the number of EV issuers we recognize in b4.
Attachment #305814 - Flags: approval1.9b4?
Comment on attachment 305814 (Patch v1)

a1.9b4=beltzner
Attachment #305814 - Flags: approval1.9b4? → approval1.9b4+
(Assignee)

Comment 11

11 years ago
fixed
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED