
Add Cybertrust Global Root, plus enable EV SSL support

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED FIXED
10 years ago
5 months ago

People

(Reporter: Steven Medin, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Approved)

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; MCI Windows Corporate Image; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MCI Windows Corporate Image; MCI Windows Corporate Image)
Build Identifier: 

The following report uses a format requested by Gerv Markham in the CA/Browser Forum.  In this report, we request that a new root becomes embedded in the trusted root store and that the root is enabled for EV SSL support.

CA Details
----------

CA Name: Verizon Business, a division of Verizon Communications.  (Formerly known as Cybertrust, Betrusted, Baltimore Technologies and GTE CyberTrust)
Website: http://www.verizonbusiness.com/us/security/identity, http://cybertrust.omniroot.com/repository 
One Paragraph Summary of CA:
Verizon Business Security Solutions Powered by Cybertrust operates a commercial certificate authority service for businesses and governments internationally.  Our CA services represent the experience of an organization which has been issuing trusted certificates since 1996.  In addition to our public trust services, we operate rigorously audited national identity card programs and government agency programs that dwarf the total annual issuance of SSL certificates by orders of magnitude.
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Ernst and Young
Auditor Website: www.ey.com/be
Audit Document URL(s): https://cert.webtrust.org/SealFile?seal=676&file=pdf 
URL of certificate hierarchy diagram:  Not published.  Under the Cybertrust Global Root, we operate only the Cybertrust SureServer EV CA.  

Certificate Details
-------------------

Certificate Name:  Cybertrust Global Root
Summary Paragraph, including the following:
  - End entity certificate issuance policy,
    i.e. what you plan to do with the root Certificate HTTP URL (on CA website):
This root was created to provide a service to customers desiring a root based outside the United States.  It was created in December 2006 to immediately fix a limitation in Windows XP and IE 7 where existing roots could not be marked with EV ability.  Relying on the GTE CyberTrust Global Root for ubiquity through cross-certification, this is our main root for issuance of EV SSL certificates.
Version: 3
SHA1 Fingerprint: 5f 43 e5 b1 bf f8 78 8c ac 1c c7 ca 4a 9a c6 22 2b cc 34 c6
Modulus Length (a.k.a. "key length"): 2048
Valid From (YYYY-MM-DD): 2006-12-15
Valid To (YYYY-MM-DD): 2021-12-15
CRL HTTP URL: http://www2.public-trust.com/crl/ct/ctroot.crl
CRL issuing frequency for end-entity certificates: every three hours with four day grace period for DR/BCP
OCSP URL: not applicable, we presently use CRL DP status checking but we operate a redundant CoreStreet environment and we are in early planning stages to leverage that environment.
Class (domain-validated, identity/organisationally-validated or EV): This root issues EV SSL Server certificates only at this time.  It is operated under a blanket CP and CPS that allows for issuance of organizationally validated SSL server certificates, personal identity certificates, and code signing certificates.  It will not be operated as solely an EV root.  However, its subordinate, the Cybertrust SureServer EV CA, will only issue EV SSL server certificates.
Certificate Policy URL:  http://cybertrust.omniroot.com/repository
CPS URL: http://cybertrust.omniroot.com/repository
Requested Trust Indicators (email and/or SSL and/or code): email, SSL and code.
URL of website using certificate chained to this root (if applying for SSL): https://i.am.staging.akamai.com 
EV CPS OID: 1.3.6.1.4.1.6334.1.100.1
Root Download URL:  we will provide a copy of the root directly, we do not presently host the root since its only current use is through cross-certification to more ubiquitous roots.

Reproducible: Always

Updated

10 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Comment 1

10 years ago
I'm assigning this bug to Kathleen Wilson, who'll be gathering information relating to this and other requests.
Assignee: hecker → kathleen95014
Status: ASSIGNED → NEW

Updated

10 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

9 years ago
Hi Steve,

As per Frank’s note, I have been asked to gather and verify information for this request.  As such, I have the following questions.

1) Would you please provide a copy of the root? Normally we require a URL to the root CA certificate, but perhaps we can download a copy of it here.

2) I tried http://www2.public-trust.com/crl/ct/ctroot.crl
But got the messages “next update on 4/15/2008”, and “not enabled”.

3)  Are you planning to enable OCSP for this root? Or are you waiting for
https://bugzilla.mozilla.org/show_bug.cgi?id=413997
to be fixed so this root can be EV-enabled without having OCSP?

4) Please confirm or correct: This root has only one subordinate CA, Cybertrust SureServer EV CA, which is internally operated and covered by the CPS and audit.

5) In the future can this root have other internally operated subordinated CAs? 
In the future can this root have 3rd-party operated sub-CAs?
In the future can any other root CAs issue cross-signing certs for this root CA?

6) Do you want all 3 trust bits (ssl, email, code) enabled for this root even though its intended use appears to be for ssl?

7)  When do you expect to have the WebTrust EV audit done for this root?
If needed, we can probably move forward with the inclusion based on the WT/CA audit, and do the EV enablement request later.  

Thanks,
Kathleen
(Assignee)

Comment 3

9 years ago
Created attachment 349019 [details]
Completed Information Gathering Document
(Assignee)

Comment 4

9 years ago
Assigning this bug back to Frank.

“This is a new root to be added to the Mozilla NSS database, and to be EV-enabled. This root was created to provide a service to customers desiring a root based outside the United States.  
It was created in December 2006 to immediately fix a limitation in Windows XP and IE 7 where existing roots could not be marked with EV ability.  Relying on the GTE CyberTrust Global Root for ubiquity through cross-certification, this is our main root for issuance of EV SSL certificates."

“This root is cross-certified by the GTE CyberTrust Global Root.  It has issued one subordinate CA for internal use, the Cybertrust SureServer EV CA.
In response to a completed WebTrust EV point in time readiness check, it has issued one subordinate CA for reseller use.”

Details about reseller requirements (CPS/agreement/audit) are provided in the Completed Information Gathering Document.
Assignee: kathleen95014 → hecker
Whiteboard: EV - information confirmed complete
(Assignee)

Comment 5

9 years ago
Created attachment 369360 [details]
Completed Information Gathering Document

The attached document summarizes the information gathered and verified for the following 3 CA inclusion requests.

Bugzilla ID: 430694
Bugzilla Summary: Enable GTE CyberTrust Global Root for EV Extended Validation SSL

Bugzilla ID: 430698
Bugzilla Summary: Enable Baltimore CyberTrust Root for EV Extended Validation SSL

Bugzilla ID: 430700
Bugzilla Summary: Add Cybertrust Global Root, plus enable EV SSL support

All three of these requests will be combined into one public discussion.
Attachment #349019 - Attachment is obsolete: true
(Assignee)

Comment 6

9 years ago
Created attachment 371269 [details]
Completed Information Gathering Document
Attachment #369360 - Attachment is obsolete: true
(Assignee)

Comment 7

9 years ago
I am now opening the first public discussion period for this request from Verizon to add the Cybertrust Global Root certificate to NSS and enable it for EV.

I have started one discussion for all three of Verizon’s current requests: #430694, #430698, and #430700. 
It is called: “Verizon Root Inclusion and EV-enablement Request”

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

Please actively review, respond, and contribute to the discussion.
Assignee: hecker → kathleen95014
Whiteboard: EV - information confirmed complete → EV - In public discussion
(Assignee)

Comment 8

9 years ago
The public comment period for this request is now over. 

This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for Verizon’s request to add the Cybertrust Global Root certificate to NSS and enable it for EV. Only the Websites trust bit is requested for this root.

Section 4 [Technical]. I am not aware of any technical issues with certificates issued by Verizon, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Verizon appears to provide a service relevant to Mozilla users: It is a commercial corporation with customers worldwide. Note: This CA has been formerly known as Cybertrust, Betrusted, Baltimore Technologies and GTE CyberTrust.

The certificate policies for Verizon are published on their website and listed in the entry on the pending applications list. The main documents are the Certificate Policy and Certification Practice Statement. Both are provided in English.

http://cybertrust.omniroot.com/repository/Cybertrust_CP_v_2_3_cl.pdf
http://cybertrust.omniroot.com/repository/Cybertrust_CPS_v_5_4.pdf

Section 7 [Validation]. Verizon appears to meet the minimum requirements for subscriber verification, as follows:

* Email: The email trust bit has not been requested for this root.

* SSL: Verizon verifies the organizational information and other information by checking third party databases or resources.
** CPS section 1.6.5, SureServer EV Data Verification: As to data verification, Cybertrust ensures that the following Subject organization information has been submitted by the applicant and shall be verified by the CA in accordance with the EV Guidelines (Sections 14 through 25) by taking all verification steps reasonably necessary:
1 Applicant’s existence and identity, including: (a) Applicant’s legal existence and identity (as established with an Incorporating Agency), (b) Applicant’s physical existence (business presence at a physical address), and (c) Applicant’s operational existence (business activity)
2 Applicant’s exclusive control of the domain name to be included in certificate;

* Code: The code signing trust bit has not been requested for this root. 

Section 8-10 [Audit]. This root has been included in a recent WebTrust CA audit, and the audit report by Ernst and Young has been posted on the cert.webtrust.org website. This root has also been subjected to a WebTrust EV point in time readiness check, which was also performed by Ernst and Young. The WebTrust EV audit statement is posted on the Cybertrust website, and the authenticity was confirmed through an email exchange with the auditor. No issues were noted in the audit reports.

Section 13 [Certificate Hierarchy].  Relying on the GTE CyberTrust Global Root for ubiquity through cross-certification, this is Verizon’s main root for issuance of EV SSL certificates. This Cybertrust Global Root has one internally-operated subordinate CA, the Cybertrust SureServer EV CA, which only issues EV SSL server certificates. In response to a completed WebTrust EV point in time readiness check, it has issued one subordinate CA for reseller use. 
** From Verizon: Before we will allow a reseller to issue EV SSL certificates, they must first have a completed WT/CA audit and a WT/EVCA point in time readiness check.  They must annually pass their WT/CA and WT/EVCA audits.  Their WT/EVCA audits become incorporated by reference into our WT/EVCA audit – we are directly responsible for resolution of their critical findings.

Other: 
* CRL is provided.
** NextUpdate for the Cybertrust SureServer EV CA is 4 days.
** CRL issuing frequency for end-entity certificates: “every three hours with four day grace period for DR/BCP”

* OCSP is not provided under this root. 
** The latest version of NSS in use by Mozilla trunk does not give EV treatment to certificates that offer CRL-based revocation, because support for crlDistributionPoint  CRL-fetching is not yet implemented (bug #321755).  Verizon should refer to bug #485052 to see how another CA resolved this problem by specifying a "default OCSP responder" for EV CAs, even though their certs don't specify a responder.  This allows a CRL-based CA provide revocation information, and hence get EV treatment, even given the current limitations with respect to CRLs. 

Potentially problematic practices: None of note.

Based on this assessment I recommend that Mozilla approve this request to add the Cybertrust Global Root certificate to NSS, enable the Websites trust bit, and enable the root for EV.
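The description lists the two values a browser needs to give this root EV treatment, the root's SHA1 fingerprint and the EV CPS OID 1.3.6.1.4.1.6334.1.100.1, and comment 8 adds the third condition: an OCSP source (an AIA responder in the certificate or a configured default responder), because a CRL-only chain got no EV treatment in NSS at the time. The following is an added example, not code from the bug, from Mozilla or from Verizon: it encodes and decodes the policy OID as DER, extracts policy OIDs from a certificatePolicies extension value, and applies the three checks. The EV table shape, `register_ev_root`, `ev_treatment`, the placeholder root bytes and the OCSP URLs are this example's own assumptions; only the fingerprint and OID come from the bug.

```python
import hashlib

# Constructed example (not PSM/NSS code). Maps a root certificate, identified by
# the SHA1 fingerprint of its DER encoding, to the EV policy OID registered for it.
EV_ROOTS = {
    # From the bug report: Cybertrust Global Root fingerprint -> EV CPS OID.
    "5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6": "1.3.6.1.4.1.6334.1.100.1",
}
CYBERTRUST_EV_OID = "1.3.6.1.4.1.6334.1.100.1"

def der_length(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def der_encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, high bit marks "more"
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += chunk
    return bytes([0x06]) + der_length(len(body)) + bytes(body)

def der_sequence(*elements):
    body = b"".join(elements)
    return bytes([0x30]) + der_length(len(body)) + body

def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets (first arc 0, 1 or 2 with a
    small second arc, which covers every OID in this example)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(cert_policies_ext):
    """Extract every policyIdentifier from a DER certificatePolicies value:
    SEQUENCE OF PolicyInformation, each SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }."""
    tag, outer, _ = der_read_tlv(cert_policies_ext, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = der_read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_val, _ = der_read_tlv(info, 0)  # qualifiers, if any, follow and are ignored
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(der_decode_oid(oid_val))
    return oids

def register_ev_root(root_der, ev_oid):
    EV_ROOTS[hashlib.sha1(root_der).hexdigest()] = ev_oid

def ev_treatment(root_der, ee_cert_policies_ext, ocsp_url=None, default_responder=None):
    """Decide EV treatment the way comment 8 describes it: the chain's root must be
    registered with an EV OID, the end-entity certificatePolicies must assert that
    OID, and revocation must be checkable over OCSP (AIA responder in the cert or a
    configured default responder); a CRL-only chain gets no EV treatment."""
    ev_oid = EV_ROOTS.get(hashlib.sha1(root_der).hexdigest())
    if ev_oid is None:
        return False, "root is not registered for EV"
    if ev_oid not in policy_oids(ee_cert_policies_ext):
        return False, "end-entity cert does not assert the root's EV policy OID"
    if not (ocsp_url or default_responder):
        return False, "no OCSP source: CRL-only revocation is not enough for EV"
    return True, "EV"

# Constructed placeholder standing in for a root's DER bytes (not a real certificate).
SAMPLE_ROOT_DER = b"constructed placeholder root bytes, not a real certificate"
register_ev_root(SAMPLE_ROOT_DER, CYBERTRUST_EV_OID)

if __name__ == "__main__":
    # Constructed end-entity certificatePolicies: CA/B Forum EV OID plus the CA's own EV OID.
    ext = der_sequence(der_sequence(der_encode_oid("2.23.140.1.1")),
                       der_sequence(der_encode_oid(CYBERTRUST_EV_OID)))
    print(ev_treatment(SAMPLE_ROOT_DER, ext))                         # CRL only: no EV
    print(ev_treatment(SAMPLE_ROOT_DER, ext, default_responder="http://ocsp.example.invalid"))
```

The default-responder path is what comment 8 points at: the end-entity certificate carries no OCSP URL, but the relying party is configured with a responder for the issuing CA, so the OCSP condition is satisfied without changing the certificates already issued.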

Comment 9

9 years ago
To Kathleen: Thank you for your work on this request.

To the representatives of Verizon Business: Thank you for your cooperation and your patience.

To all others who have commented on this bug and participated in the associated public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

I have reviewed the summary and recommendation in comment #8, and on behalf of
the Mozilla project I approve the request from Verizon Business to include the following root certificate, with trust bits as noted, and to enable this same root for EV:

* Cybertrust Global Root (SSL only)

Kathleen, please do the following:

1. File the necessary bugs against NSS (for inclusion of the root and setting the trust bits) and PSM (for the EV enablement).
2. Mark the PSM bug as dependent on the NSS bug.
3. Mark this bug as dependent on the PSM and NSS bugs.
4. When those bugs are complete, change the status of this bug to RESOLVED FIXED.

Thanks in advance!
Keywords: 4xp
Whiteboard: EV - In public discussion → Approved
(Assignee)

Updated

9 years ago
Depends on: 493258
(Assignee)

Updated

9 years ago
Depends on: 493259
(Assignee)

Comment 10

9 years ago
I have filed bug 493258 against NSS and bug 493259 against PSM for the actual changes.
Blocks: 398944

I believe this bug was fixed by the checkin for
Bug 493709 - Combined EV enablement
so I am resolving this bug as fixed.
Please reopen it if it is not fixed.
I hope Kathleen doesn't mind me resolving these bugs.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Comment 12

a year ago
Created attachment 8778393 [details]
Verizon - WebTrust for EV scope.pdf

Updated

5 months ago
Product: mozilla.org → NSS