EV SSL: Request addition of the WellsSecure Public Root Certificate Authority

Status: RESOLVED FIXED (task)
12 years ago
2 years ago

People: (Reporter: gordon.young, Assigned: hecker)

Details: (Whiteboard: EV - approved)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13
Build Identifier: N/A

I would like to request the addition of the new Wells Fargo "WellsSecure" Root CA with Common Name:

"WellsSecure Public Root Certificate Authority"

Certificate's SHA1 fingerprint:

e7:b4:f6:9d:61:ec:90:69:db:7e:90:a7:40:1a:3c:f4:7d:4f:e8:ee

Please accept this root certificate for inclusion in Firefox/NSS:


The CA is an offline root used to create new issuing authorities within the
Wells Fargo "WellsSecure" PKI. This offline CA was created for the purpose of
creating an (online/intermediate) EV SSL issuing authority.
Future uses will be described in the Wells Fargo CP.

The Wells Fargo Certificate Policy (CP) is published at

http://www.wellsfargo.com/cps

Verification and attestation of our conformance with the stated requirements
have been performed and produced by WebTrust for CAs Audit. The audit report and
management assertions can be viewed on the third-party WebTrust website by
clicking the "WebTrust" seal and then following the links to the WebTrust web
site.

The seal/link is found here: http://www.wellsfargo.com/cps
(Click on the "Certification Authorities WebTrust powered by KPMG" seal image to follow the links to the report.)

 

Thank you,

Gordon Young
Wells Fargo Bank, NA
Public Key Infrastructure Team


Per Mozilla CA Certificate Policy (Version 1.2), for requests for preloading of roots that include issuing CAs below them in the hierarchy that issue EV SSL certificates, it is required that the requester identify the EV SSL OID.

The EV SSL OID for Wells Fargo WellsSecure is defined in the Wells Fargo CP at www.wellsfargo.com/cps

Company EV Assurance = 2.16.840.1.114171.500.9
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: EV
EV SSL: Request addition of the WellsSecure Public Root Certificate Authority an offline root used to bring up a subordinate issuing CA that signs EV SSL certificates
Alias: EV-SSL
Summary: Request addition of the WellsSecure Public Root Certificate Authority → EV SSL: Request addition of the WellsSecure Public Root Certificate Authority
**************************************************************************

Wells Fargo's responses to the requests for information in the "Mozilla CA Certificate Policy" when requesting CA inclusion in the Mozilla default CA set

This is a request for inclusion into
1. NSS.
2. EV_SSL root program (metadata etc) Firefox v3 and future.
3. any other appropriate distribution of roots by Mozilla.

the certificate data (or links to the data) for the CA certificate(s) requested for inclusion; 
	see earlier in this bug report, as well as at:
	http://crl.pki.wellsfargo.com/wsprca.crt

for each CA certificate requested for inclusion, whether or not the CA issues certificates for each of the following purposes within the CA hierarchy associated with the CA certificate: 
SSL-enabled servers, 
Yes, this root will be a parent of an issuing CA, the “Wells Fargo Public Primary CA”, whose sole purpose is to issue EV_SSL enabled certificates to Wells Fargo Bank NA business partners.

The EV SSL CA is described in the Wells Fargo CP V.11 at http://www.wellsfargo.com/cps in section 1.3.1.3 “WellsSecure EV SSL CA”

digitally-signed and/or encrypted email, or
Future use of this root will be to stand up an issuing CA that identifies individual subjects and traditional SSL certificates (not EV enabled). This project is not complete.
 
digitally-signed executable code objects; 
Wells Fargo does not offer code signing certificates.

for each CA certificate requested for inclusion, whether the CA issues Extended Validation certificates within the CA hierarchy associated with the CA certificate and, if so, the EV policy OID associated with the CA certificate; 

Wells Fargo CP V11 documents an EV_SSL assurance level known as:
Company EV Assurance with an OID of 2.16.840.1.114171.500.9

a Certificate Policy and Certification Practice Statement (or links to a CP and CPS) or equivalent disclosure document(s) for the CA or CAs in question; and
http://www.wellsfargo.com/cps 

information as to how the CA has fulfilled the requirements stated above regarding its verification of certificate signing requests and its conformance to a set of acceptable operational criteria.

Compliance audit and review is performed by Wells Fargo internal audit; as well, a third-party audit is performed yearly. Wells Fargo completes a yearly WebTrust for CAs audit. A WebTrust for CAs audit performed by third party KPMG, “Independent Accountant's Report”, is available publicly online here:

https://cert.webtrust.org/SealFile?seal=528&file=pdf

As well, the Assertion of Wells Fargo's Management as to the Disclosure of its Business Practices and its Controls Over its Certification Authority Operations during the period from November 1, 2006 through October 31, 2007 is available on page 2 of the above document.

************************************************************************
Additional Info:

An issuing CA has been created under the new root; it is present here:

Wells Fargo Public Primary CA:
http://crl.pki.wellsfargo.com/wf_ev_00.crt

The "WellsSecure Public Root CA" is a root only. It was intended to help us bring up an EV_SSL chain. It may be used in the future to bring up additional issuing CAs.

Certification types:

issuing CA:

The "CN=Wells Fargo Public Primary CA" issues under only a single "EV_SSL" end entity SSL certificate profile.

Subscriber verification is covered in section 3.2 of Wells Fargo CP v11.

All subordinate CAs are covered in CP v11 section 1.3.1. The root requested for inclusion is not the parent of all of Wells Fargo's CAs. The "Wells Fargo Root CA" is the parent of the majority of CAs.

Cross-certification agreements are covered in CP v11,
1.2.4.5 Cross-Certification Agreements.

a sample EV SSL certificate under the hierarchy "WellsSecure Public Root Certificate Authority>Wells Fargo Public Primary certificate authority>EV End Entity"

the first EV_SSL certificate was issued to our beaconing server:
https://nerys.wellsfargo.com/test.html

OCSP for issuing CA's is provided via:
http://validator.wellsfargo.com

CRL:
http://crl.pki.wellsfargo.com/wsprca.crl
http://crl.pki.wellsfargo.com/ev.crl
I'm assigning this bug to Kathleen Wilson, who'll be gathering information relating to this and other requests.
Assignee: hecker → kathleen95014
Status: NEW → ASSIGNED
Hi Gordon,

As per Frank’s note, I have been asked to gather and verify information for
this request.  As such, I have the following questions.

1) What is the maximum time until OCSP responders are updated to reflect end-entity revocation? I see that normally it's within 4 minutes.  I’m wondering what the max time is when something doesn’t go as planned, as per a service-level agreement.  I ask this in regards to EV Guidelines section 26(a): “OCSP responses from this service MUST have a maximum expiration time of ten days.”

2) I think I need to see the document called “EV SSL Authentication Policy”, in order to find the statement about verification of the ownership of the domain name.  Would you please provide the url to this, or point me to the text in the CP or CPS that states that this verification is done?

3) The audit you provided appears to be a WebTrust CA audit.  Have you done a WebTrust EV audit for this root? Or is such an audit scheduled?

4) I have added this request to the pending list.  Please review and let me know if I need to fix/update any of the info
http://www.mozilla.org/projects/security/certs/pending/#Wells%20Fargo


Thanks,
Kathleen

Hi Kathleen,

My name is Jason Kubicki and I believe Gordon mentioned that I will be working on this project with you.  I have jumped into this project early June and I am working on finding the answers to your above questions.

Question 1:  No update yet.

Question 2:  There is no separate “EV SSL Auth policy” (although some of the language does seem to make it sound like there is).  For now, at least, the Auth policy is established by following the entire issuance procedure.  That is, all forms must be correctly and completely filled out, verified and reviewed.  Correct completion will result in following the rules and, therefore, fulfilling the underlying authentication “policy”.

We can provide you with the forms that would together constitute the policy if you would like.

Question 3:  Since this root isn’t being used yet, we can’t have a real webtrust audit on it.  (it will happen this year.) there was a “pre-Audit” performed for EVSSL.  (Audits happen after the fact, this was performed to ensure that the procedures are in place.)

We can provide you with a copy of the letter from the pre-audit if you would like.

Thanks,
Jason
Kathleen,

I believe we have an answer to question #1.

Section 4.9.9 of the Wells Fargo CP (http://www.wellsfargo.com/cps) states:
<text deleted>
This information will be cached for a maximum of four (4) minutes.
(What this means technology-wise is that the OCSP responder re-downloads the CRL before 4 minutes. The OCSP responder product we are using marks these precomputed responses to have a lifespan of only 4 minutes in memory, after which time it recomputes the responses for the next four minutes.)

Additionally, with our CRL lifespans being only 6 hours at the longest, and as an OCSP responder would not base its responses on a CRL that has expired, the 4-minute caching paired with 6-hour CRLs would prevent a response from ever having a lifespan anywhere near 10 days.

I hope this addresses your inquiry.  Let me know if you would like some additional information.

Jason
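
The response-lifetime argument in the comment above can be checked against what a responder actually returns. This is an added example, not part of the bug thread or of any Wells Fargo or Mozilla tooling: it reads the This Update / Next Update fields from text in the layout printed by `openssl ocsp -resp_text` and compares the window with the ten-day limit quoted from EV Guidelines section 26(a). The sample text, the status labels and the choice to report a missing Next Update as a finding are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# EV Guidelines section 26(a), as quoted in the thread: ten-day maximum.
EV_MAX_WINDOW = timedelta(days=10)

# Constructed sample in the text layout printed by `openssl ocsp -resp_text`.
# The timestamps are made up; they mirror the four-minute lifespan described.
SAMPLE_RESP_TEXT = """\
    Cert Status: good
    This Update: Jun 10 12:00:00 2008 GMT
    Next Update: Jun 10 12:04:00 2008 GMT
"""

_TIMESTAMP = r"(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"


def _find_time(label, resp_text):
    """Return the datetime that follows `label`, or None if it is absent."""
    match = re.search(label + r":\s+" + _TIMESTAMP, resp_text)
    if match is None:
        return None
    # OpenSSL pads single-digit days with an extra space; normalise first.
    stamp = " ".join(match.group(1).split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def check_ev_window(resp_text, max_window=EV_MAX_WINDOW):
    """Classify one response as (status, window) against the EV limit."""
    this_update = _find_time("This Update", resp_text)
    next_update = _find_time("Next Update", resp_text)
    if this_update is None:
        raise ValueError("no 'This Update' field found")
    if next_update is None:
        # Assumption of this example: no stated expiry is reported as a finding.
        return ("no-expiry", None)
    window = next_update - this_update
    if window <= timedelta(0):
        return ("malformed", window)
    return ("ok" if window <= max_window else "too-long", window)


if __name__ == "__main__":
    status, window = check_ev_window(SAMPLE_RESP_TEXT)
    print(status, window)
```
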
Attaching the WebTrust EV pre-audit that was performed by KPMG LLP, as per Comment #7: “Since this root isn’t being used yet, we can’t have a real webtrust audit on it.  (it will happen this year.) there was a “pre-Audit” performed for EVSSL.  (Audits happen after the fact, this was performed to ensure that the procedures are in place.)”

I have verified the authenticity of this audit report.
As per the attached document, the info-gathering phase of this request is complete. There was a WT/EV pre-audit performed, which we'll use for now until the post-live WT/EV audit is performed later this year.
Assigning back to Frank, so this request can proceed to the discussion phase.
Assignee: kathleen95014 → hecker
Status: ASSIGNED → NEW
Whiteboard: EV → EV - information confirmed complete
I have now opened a one-week period of public discussion of this request, as mentioned in my post to the mozilla.dev.tech.crypto forum:

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/3f2d3b1fdcf88d30#

This public discussion period will provide people in the Mozilla community with an opportunity to comment on the request, raise concerns, ask additional questions, etc. After the discussion period ends I will make a preliminary decision about whether or not to approve this request, and if I decide to move forward with approval then we will have a further one-week discussion period to address any remaining questions or issues.

Note that the mozilla.dev.tech.crypto forum is also accessible via email; see

https://lists.mozilla.org/listinfo/dev-tech-crypto

for information on how to subscribe and post to the mailing list.
Status: NEW → ASSIGNED
Whiteboard: EV - information confirmed complete → EV - in public discussion
The first public comment period for this request is now over. I have evaluated
this request, as per sections 1, 5 and 15 of the official CA policy at

  http://www.mozilla.org/projects/security/certs/policy/

On behalf of the Mozilla project, I apologise for any delay.

Here follows my assessment. If anyone sees any factual errors, please point
them out.

To summarize, this assessment is for the request to add a new root CA certificate for WellsSecure Public Root Certificate Authority, and then to enable that root for EV use.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Wells Fargo, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Wells Fargo appears to provide a service relevant to Mozilla users: It's a commercial CA offering certificates to customers worldwide, primarily to businesses. Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main document of interest is the WellsSecure PKI Certificate Policy:

https://www.wellsfargo.com/downloads/pdf/com/cp/cp.pdf

Section 7 [Validation]. Wells Fargo appears to meet the minimum requirements for
subscriber verification, as follows:

* Email: Not applicable. Wells Fargo does not issue certificates for email use through this hierarchy at present. It may do so in future, at which point it can apply to have the email trust bit enabled for this root.

* SSL: Verification of subscriber identity, including verification of domain ownership, is done per the EV guidelines, as referenced by the CP and the corresponding customer agreement entered into by the subscriber. See (among others) sections 1.3.3, 1.4.1.11, and 3.2.2 of the CP.

The EV policy OID is 2.16.840.1.114171.500.9.

* Code signing: Not applicable. Wells Fargo does not issue certificates for code signing use, and has no plans to do so at this time.

Section 8-10 [Audit]. Wells Fargo has successfully completed an audit using the
WebTrust for CAs criteria. The auditors were KPMG. The audit is
current (covering the period up to October 31, 2007).

Wells Fargo also successfully completed a WebTrust EV pre-audit earlier in 2008. The auditors were KPMG. The audit report was provided by Wells Fargo and its authenticity verified directly with KPMG.

Section 13 [Certificate Hierarchy]. The WellsSecure Root Certificate Authority has a single subordinate CA, the Wells Fargo Public Primary CA, the issuing CA for EV SSL certificates.

Other: Wells Fargo issues CRLs (on a 6-hour schedule) and also operates an OCSP responder.

Potentially problematic practices: There are no known potentially problematic practices associated with the WellsSecure Public Root Certificate Authority and its associated CA hierarchy.

Based on the information available to me I am minded to approve this request to
add the WellsSecure Public Root Certificate Authority certificate and enable it for EV use. Before I issue my final decision, I'm opening up a second one-week period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable
newsreaders at:

  news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

  https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

  http://groups.google.com/group/mozilla.dev.tech.crypto/topics
The second comment period is now over. Based on my evaluation and the comments received thus far, I am officially approving this request to add the WellsSecure Public Root Certificate Authority root certificate to NSS and to enable it in PSM for EV use.

I have filed bug 449393 against NSS and bug 449394 against PSM for the actual changes.
Whiteboard: EV - in public discussion → EV - approved
Changing whiteboard status to approved.
Depends on: 449394
I believe this bug was fixed by the checkin for 
Bug 493709 -  Combined EV enablement 
so I am resolving this bug as fixed.  
Please reopen it if it is not fixed.
I hope Kathleen doesn't mind me resolving these bugs.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
When can we expect to see our EV enabled root in a production build?  I am not too familiar with the Mozilla process.  Do you just enable it and one day it is there or will we receive a notice that it is now available to the public?
More or less :-)

The first release to hit the street soon is probably the next 3.5 release. Maybe 3.0 will be updated too at some point. You'll realize that when nobody is complaining anymore...
(In reply to comment #17)
> When can we expect to see our EV enabled root in a production build? 

Try one of these "nightly" FF 3.5 preview builds
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/
Thank you for the link Nelson. We tested our system with a nightly build that Kai put together for us and were happy to see it work.  My question was more about trying to determine when we could expect it to become available to the public.  Can we expect it in a few days, weeks, or months?  Will it require version 3.5 to be released or are we likely to be added to 3.0.XX?
Jason,  I am sure your cert will be in FF 3.5.  I think there is a good chance
that it will also be added to some forthcoming FF 3.0.x release.  But I cannot
predict how soon any of those things will happen.  Personally, I am pessimistic that this will happen before the end of this month, but I expect it will happen within the next 3 months.  But those are merely my own guesses.
(In reply to Kathleen Wilson from comment #22)
> Created attachment 8710092 [details]
> 2015 Wells Fargo PKI WTBR Report.pdf
(In reply to Kathleen Wilson from comment #23)
> Created attachment 8710093 [details]
> 2015 Wells Fargo PKI WTCA Report.pdf

I have exchanged email with the auditor to confirm the authenticity of these audit statements.
Product: mozilla.org → NSS