Add SECOM Trust Security Communication EV RootCA1 certificate to NSS

RESOLVED FIXED in 3.12.4

Status

NSS
CA Certificates Code
--
enhancement
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: Kathleen Wilson, Assigned: kaie)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by SECOM Trust.

Friendly name: "Security Communication EV RootCA1"
Certificate location:
https://repository.secomtrust.net/EV-Root1/EVRoot1ca.cer
SHA1 Fingerprint:
FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86
Trust flags: Websites
Test URL: 
https://repo2.secomtrust.net/ev.gif

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug 394419.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
(Reporter)

Comment 1

10 years ago
Kamo-san, please see step #1 above.
(Reporter)

Updated

10 years ago
Blocks: 477145
(Reporter)

Updated

10 years ago
Summary: Add SECOM Trust Security Communication EV RootCA1 C certificate to NSS → Add SECOM Trust Security Communication EV RootCA1 certificate to NSS
Assignee: nobody → kaie
Version: unspecified → trunk

Comment 2

10 years ago
Thank you for everyone to work with us Secom.
Let us clarify our request as follows.
1. The current root CA "Security Communication RootCA1" has been already embedded.
To make "Security Communication RootCA1" an EV arrangement as an EV root CA.
2. To embed a new root CA,"Security Communication EV RootCA1" and to make it an EV arrangement as an EV root CA.
Because the environments covered by "Security Communication EV RootCA1" is not enough as "Security Communication RootCA1", we need the treatment on such request #1. 
Both root CAs are authorized by WebTrust EV audit and already embedded in IE and Google Chrome.

SHA1 Finger print of "Security Communication EV RootCA1" is wrong.
The correct one is:
FEB8 C432 DCF9 769A CEAE 3DD8 908F FD28 8665 647D

"Security Communication EV RootCA1" is available at URL below.
https://repository.secomtrust.net/EV-Root1/EVRoot1ca.cer

OS used to perform the verification are as follows.
Mac OS X
Windows 2000
Windows Vista
Windows XP

Thank you again for your cosideration.

Comment 3

10 years ago
I just wanted to clarify that both the "Security Communication RootCA1" AND the new "Security Communication EV RootCA1" require EV support.  It is not clear to me that BOTH will now receive EV support, so I wanted to clarify that.
(Reporter)

Comment 4

10 years ago
This particular bug is specifically to add the "Security Communication EV RootCA1" cert to NSS. EV-enablement is not done within the scope of this bug.

Gen, please post your clarification about the request to also EV-enable the "Security Communication RootCA1" cert to the original request, bug 394419. We will have to go through the proper procedures to approve the EV-enablement of "Security Communication RootCA1" before creating the corresponding request to make the change in the PSM.

Also, please find out if there is a 2008 Webtrust EV audit statement for "Security Communication RootCA1". The Webtrust EV audit statement that is dated 10/31/2008 states that it is for two CAs "Security Communication EV RootCA1" and "Secom Passport for Web EV CA". I do not see mention of the "Security Communication RootCA1" in this Webtrust EV audit.

Comment 5

10 years ago
I apologize for confusion on the previous comment.

The trust anchor of our EV serivce is "Security Communication RootCA1".
The hierarchy is as below.
"Security Communication RootCA1(top)" - "Security Communication EV
RootCA1" - "Secom Passport for Web EV CA" - "EV SSL certificate"

What we would like to what are as follows.
1. Old Firefox browsers before embedded "Security Communication EV
RootCA1" :
SSL ensured without any alart.
2. New Firefox browsers after embedded "Security Communication EV
RootCA1" :
SSL ensured without any alart and EV treatement.

Because the environments covered by "Security Communication EV RootCA1" is not
enough as "Security Communication RootCA1", we have "Security Communication RootCA1" on top of the hierarchy and cross sign for "Security Communication EV RootCA1".
We would like to have the above #1 and #2 on your arrangement this time.

We are all right if above #1 and #2 are both available after the such work described at the summary comment #66 from Kathleen san at https://bugzilla.mozilla.org/show_bug.cgi?id=394419, "the plan is to EV-enable only the new EV root, leaving the existing root as is."

Thank you again for your consideration.
Component: Libraries → CA Certificates
QA Contact: libraries → root-certs
(Assignee)

Comment 6

9 years ago
A test firefox build is available here:
Please verify it contains your root CA cert with the correct trust flags.
You should be able to connect to your test server.

https://build.mozilla.org/tryserver-builds/2009-03-11_10:52-kaie@kuix.de-kaie-evroots-0903/

Please give feedback whether it looks correct.
Thanks.

Comment 7

9 years ago
Kamo-san, to be clear, please have SecomTrust test the build that Kai has provided in Comment #6.  Thank you very much.

Comment 8

9 years ago
We appreciate very much your work regarding EV arrangement for Secom.
The test conducted for Windows and Mac by our engineer and they were both OK.
We need some work to test for Linux platform, thus as soon as test finished we will let you know about Linux.
Maybe, it will be Monday or Tuesday your time.

Again, thank you very much.

Comment 9

9 years ago
We checked Linux and it worked OK.
Thus, all of the environements such as Windows, Mac OS and Linux worked EV properly.
Please let us know the schedule for the release.
Thanks very much.

Comment 10

9 years ago
Would you please let us know the release schedule?
(Assignee)

Updated

9 years ago
Depends on: 487718
(Assignee)

Comment 11

9 years ago
fixed with the patch in bug 487718
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Target Milestone: --- → 3.12.4
You need to log in before you can comment on or make changes to this bug.