Closed Bug 453460 Opened 11 years ago Closed 11 years ago

Add "SwissSign Gold CA - G2" as EV Root Certificate

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michael.doujak, Assigned: kwilson)

References

Details

(Whiteboard: Approved)

Attachments

(7 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: 

SwissSign has starte Phase 1 of the EV compliance Audit Phase 1 and would like to have the "SwissSign Gold CA - G2" added as EV Root Certificate.

This Root Certificate is alread in the NSS Store and it can be identified with:
    Subject    /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH
    SHA1 Hash    d8 c5 38 8a b7 30 1b 1b 6e d4 7a e6 45 25 3a 6f 9f 1a 27 61
    Key Size    4096
    Validity (Effective) Date    Wednesday, 25. Oktober 2006 10:30:35
    Expiration Date    Saturday, 25. Oktober 2036 10:30:35

See also: https://bugzilla.mozilla.org/show_bug.cgi?id=343756

We will create a new intermediate Issuing CA for the sole purpose of issuing EV certificates, but I believe we do not need to add this Issuing CA to the root store.

All our EV certificates will be issued with the following "constant" OID in the Certificate Policy extension
    Policy Identifier: 2.16.756.1.89.1.2.3

The "Policy Qualifier" will always have the form:
    "http://repository.swisssign.com/SwissSign-Gold-CP-CPS-R?.pdf"
and the question mark will point to the actual revision of the CP/CPS. In this fashion we ensure the link between the certificate and the CP/CPS it was issued under.


Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Letter from KPMG (certified Auditor) to Microsoft concerning the actual status of the certification and the start of the phase 1 EV certification audit.
Accepting this bug so I can proceed with the information-gathering phase.
Assignee: hecker → kathleen95014
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached is the initial information gathering document which summarizes the information that has been gathered and verified. Within the document the items highlighted in yellow indicate where more information or clarification is needed.  I will summarize below.

1) Please point me to the sections of the CP/CPS that define the policies and practices governing the issuance of Extended Validation Certificates under this root according to the Extended Validation Guidelines at
http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf

2) When do you expect to have the audit report for EV?

3)  Does this root have any sub-CAs that are operated by third parties? Has or will this root be used to cross-sign another CA?

4) What is the expiration time of the OCSP responses from this root? According to http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf Section 26(b):
“If the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service, it MUST update that service at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.”

5) Please review http://wiki.mozilla.org/CA:Problematic_Practices and comment as to whether any of these are relevant? If relevant, please provide further info.

6)  Is the Policy OID that you provided an EV Policy OID as per
http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf?

Thanks,
Kathleen
Unsigned and compressed version to bypass the attachment size limitation
1) Please point me to the sections of the CP/CPS that define the policies and practices governing the issuance of Extended Validation Certificates under this root according to the Extended Validation Guidelines
=> Refer to the attachment https://bugzilla.mozilla.org/attachment.cgi?id=346443 where the changes for EV are highlighted (comparing with R3)

2) When do you expect to have the audit report for EV?
=> Completed, refer to attachment https://bugzilla.mozilla.org/attachment.cgi?id=346440

3)  Does this root have any sub-CAs that are operated by third parties?
=> No
Has or will this root be used to cross-sign another CA?
=> No

4) What is the expiration time of the OCSP responses from this root?
=> There is no expiration time for OCSP as this is done in Real-time. The OCSP responder will report a certificate revoked immediately after the revocation has been completed. (Refer to the CP/CPS attachments, section 4.9.7)
=> In the answer itself from the OCSP side the nextUpdate is set to thisUpdate + 25 hours

5) Please review http://wiki.mozilla.org/CA:Problematic_Practices and comment as to whether any of these are relevant?
=> I looked at your comments in the Information Gathering Document and those are correct: no one is relevant for SwissSign

6)  Is the Policy OID that you provided an EV Policy OID as per
=> Yes According to the requirements for EV certificates, SwissSign uses the following OID to identify its EV certificates: 2.16.756.1.89.1.2.3
Thank you for your thorough responses to my questions.

As per Mozilla policy, I have begun the process to do an independent verification of the authenticity of the audit statement that has been attached to this request.

For testing purposes, would you please provide a website whose cert chains up to the EV subordinate-CA?

Thanks,
Kathleen
Hi for the website with chain up to EV Subordinate-CA: we are doing the integration and relative tests during this month; as we where waiting for the audit results. What do you expect there in detail?
The independent verification of the attached audit statements has been completed:

----- Forwarded Message ----
To: kathleen95014@yahoo.com
Sent: Friday, November 7, 2008 5:35:52 AM
Subject: EV Certification Audits & Management Assertion SwissPost (SwissSign AG)

Dear Mrs. Wilson 

With reference to your E-Mail (5. November 2008) to Mr. Günter Haag 
(Member of the Board of Director KPMG Ltd., Switzerland) we confirm the authenticy of the management letter and audits which we have executed during the year 2008 for SwissSign Ltd. (The Swiss Post).

All the KPMG attached letters and personal signatures in your E-Mail are valid and have been issued by KPMG Ltd. in Zurich (Switzerland).

The KPMG statement regarding EV (Extended Validation)-Audit and the aforementioned timeframe about the certification audits are correct.
In answer to #10, we will need a way to test the EV-enablement of the root. Preferably you can provide a website (can be a test site) that can be used.
Is this https://www.swisssign.net fine?
It chains to the same root but
- the issuing CA is not the EV one as specified in the CP/CPS
- the EV OID and other related fields are not present
In order to test the EV-enablement, we will need a real EV cert chain. This means that we need a server cert with the EV policy OID in it, and we need the appropriate intermediate CA cert for it.
Ok, here you should have the needed element(s): https://testevg2.swisssign.net/
This completes the information gathering and verification phase of this request.
Assigning back to Frank so this request for EV-enablement can get added to the queue for public discussion.
Assignee: kathleen95014 → hecker
Whiteboard: EV - information confirmed complete
Hi any update on this?
This request will be scheduled for public discussion as per
https://wiki.mozilla.org/CA:Schedule

Information will be posted here when the public discussion begins.
Severity: normal → enhancement
This CP/CPS is the same as Attachment 346442 [details] but with the new EV OID 2.16.756.1.89.1.2.1.1 (Previously 2.16.756.1.89.1.2.3)
Attachment #346442 - Attachment is obsolete: true
https://testevg2.swisssign.net contains the new EV OID for SwissSign:
2.16.756.1.89.1.2.1.1
Re-assigning this bug to Kathleen Wilson, since she'll be the person actively working on it.
Assignee: hecker → kathleen95014
Converting the Completed Information Gathering Document into pdf in preparation for public discussion as per https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Attachment #349003 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from SwissSign to enable EV for the SwissSign Gold CA - G2 root certificate which is already included in NSS.

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “SwissSign EV-Enablement Request”

Please actively review, respond, and contribute to the discussion.
Whiteboard: EV - information confirmed complete → EV - In public discussion
The public comment period for this request is now over. 

This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for SwissSign’s request to enable the SwissSign Gold CA - G2 root CA certificate for EV. This root is already in the Mozilla root store.

Section 4 [Technical]. I am not aware of any technical issues with certificates issued by SwissSign, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. SwissSign appears to provide a service relevant to Mozilla users: It is a commercial corporation with customers in Switzerland, including the Swiss Post.

The certificate policies for SwissSign are published on their website and listed in the entry on the pending applications list. The main documents are the Certificate Policy and Certification Practice Statement of the SwissSign Gold CA, and the End User Agreement. Both are provided in English.

http://repository.swisssign.com/SwissSign-Gold-CP-CPS-R4.pdf
http://repository.swisssign.com/SwissSign-Gold-EUA-R4.pdf

Section 7 [Validation]. SwissSign appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Section 3.2.3 of the SwissSign CP/CPS describes the procedures for authenticating individual 
and ownership/control of the email address: “The /email= field must be verified during the registration process. The requester must prove that he has access to the mailbox and that he can use it to receive mail.”

* SSL: Section 3.2.2 of the SwissSign CP/CPS describes the procedures for authenticating organizations and ownership/control of the domain name: “SwissSign validates that the person enrolling for the certificate has control of the domain by requiring the person to respond to an e-mail hosted at that domain (eg. webmaster@domain, postmaster@domain etc.).  Additionally, the domain will only be accepted if a printout of the WHOIS entry for the domain is included.”

* Code: SwissSign’s CP/CPS describes reasonable measures to verify the identity and authorization of the certificate requester. 

Section 8-10 [Audit]. Section 8-10 [Audit].  SwissSign attached a statement by KPMG that says that SwissSign has completed the point in time audit against the WebTrust EV criteria as of October, 2008. I have confirmed the authenticity of this document via email exchanged with the auditor. SwissSign also attached a letter from KPMG that says that SwissSign has been audited against the ETSI TS 101.456.  SwissSign is listed in the Directory of the certified bodies that conform to the Bundesgesetz über die elektronische Signatur (ZertES), and the criteria include ETSI TS 101.456.

Section 13 [Certificate Hierarchy].  This root has three internally-operated subordinate CAs: The SwissSign Personal Gold CA issues certificates that support digital signing and/or encryption for individuals. The SwissSign Server Gold CA issues certificates for servers. The SwissSign EV Gold CA issues Extended Validation SSL certificates.

Other: SwissSign provides both OCSP and CRL. 
** SwissSign Server Gold CA and SwissSign EV Gold CA end-entity CRL Frequency: At most, 24 hours may pass from the time a certificate is revoked until the revocation is reported on the CRL. 
** On the OCSP side the nextUpdate is set to thisUpdate + 25 hours

Potentially problematic practices: None of note.

Based on this assessment I recommend that Mozilla approve the request to enable the SwissSign Gold CA - G2 root CA certificate for EV.
To Kathleen: Thank you for your work on this request.

To the representatives of SwissSign: Thank you for your cooperation and your patience.

To all others who have commented on this bug: Thank you for volunteering your time to assist in reviewing this CA request.

I have reviewed the summary and recommendation in comment #25, and on behalf of the Mozilla project I approve this request from SwissSign to enable the SwissSign Gold CA - G2 root for EV.

Kathleen, could you please do the following:

1. File the necessary bug against PSM for the EV enablement.
2. Mark this bug as dependent on the PSM bug.
3. When those bugs are complete, change the status of this bug to RESOLVED
FIXED.

Thanks in advance!
Whiteboard: EV - In public discussion → Approved
Depends on: 492077
I have filed bug 492077 against PSM for the actual changes.
I believe this bug was fixed by the checkin for 
Bug 493709 -  Combined EV enablement 
so I am resolving this bug as fixed.  
Please reopen it if it is not fixed.
I hope Kathleen doesn't mind me resolving these bugs.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.