Closed Bug 477147 Opened 15 years ago Closed 15 years ago

Add DCSSI IGC/A root certificate to NSS

Categories: NSS :: CA Certificates Code (task)

Status: RESOLVED FIXED
Target Milestone: 3.12.4

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

Attachments: 1 file

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by DCSSI.

Friendly name: "IGC/A"
Certificate location:
http://www.ssi.gouv.fr/fr/sigelec/igca/cert_igca_rsa.crt
SHA1 Fingerprint:
60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
Trust flags: all
Test URL: 
https://www.journal-officiel.gouv.fr

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug 368970.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Blocks: 368970
Florence, Please see step #1 above.
Assignee: nobody → kaie
Version: unspecified → trunk
Hello,
I replied yesterday but I can't see my comment today in this bug (?); no matter... I confirm that all the data are correct:
> Friendly name: "IGC/A"
> Certificate location:
> http://www.ssi.gouv.fr/fr/sigelec/igca/cert_igca_rsa.crt
> SHA1 Fingerprint:
> 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
> Trust flags: all
> Test URL: 
> https://www.journal-officiel.gouv.fr

The correct certificate has been attached. 
In order to perform the verification, we would like to use:
Linux (Debian stable, unstable and testing, Ubuntu - at least)
Windows XP SP2, SP3, Vista, 2003 server
Mac OS 10.4 and 10.5

Thanks to all.
Florence Esselin
IGC/A Phase 2 project manager
In reply to comment 2,
For testing purposes, we generally provide a build on just one single platform. This is because there is a single source of these certificates for all platforms, and if it appears correctly on one platform, it will appear correctly in all. So, I take your statement to be that any one of the platforms you mentioned will be acceptable.
(In reply to comment #3)

> So, I take your statement to be that any one of 
> the platforms you mentioned will be acceptable.
Ok.
Component: Libraries → CA Certificates
QA Contact: libraries → root-certs
A test Firefox build is available here:
Please verify it contains your root CA cert with the correct trust flags.
You should be able to connect to your test server.

https://build.mozilla.org/tryserver-builds/2009-03-11_10:52-kaie@kuix.de-kaie-evroots-0903/

Please give feedback whether it looks correct.
Thanks.
Please note, when I tested using https://www.journal-officiel.gouv.fr/ I saw "broken security", which usually means, some content on the site is provided using plain http (not https).
It might also be a bug; we recently saw a new problem where we incorrectly report broken security despite all content being from secure sources.

The above is not a certificate bug, it's a content bug.

When I open https://www.journal-officiel.gouv.fr/mosimages/stories/visuel/visuel_01.gif I get valid encryption.
Looks like there really is an insecure request: http://pro.weborama.fr/fcgi-bin/comptage.fcgi?ID=49230&ZONE=1&PAGE=1&ver=2&da2=1236949777&ta=1280x1024&co=24&ref=

Personally I would love to see all the parts of the page that are loaded with low or no security, not just media.
I forgot to mention that IT IS an image request but it is NOT visible in the media tab...

Information shown is 67 bytes 1x1 gif. Seems to be some analytics request made by an advertisement page?
(In reply to comment #7)
Thank you for the information. We contacted the webmaster. 
> Looks like there really is an unsecure request:
> http://pro.weborama.fr/fcgi-bin/comptage.fcgi?ID=49230&ZONE=1&PAGE=1&ver=2&da2=1236949777&ta=1280x1024&co=24&ref=
This is a link to a site which counts hits on the Journal officiel site on behalf of the Direction des Journaux officiels (DJO).
Some other http links point to DJO's servers (BODACC, BOAMP, Info financière).

F.E.
> Please give feedback whether it looks correct.
> Thanks.
Hello. The flags seem correct.
We noticed "something like a bug" with Thunderbird on Mac OS X: the CA certificate is not configured as trusted by default, but does appear in the list of trusted CAs. We have not yet been able to test it on another Mac to verify whether it is really a bug.
Is it possible to show "Administration française" in the list of trusted root CAs instead of PM/SGDN? Indeed in some months we will have to publish a new certificate for a new IGC/A key (RSA 4096 SHA256), and the DCSSI is planned to have a new name: Agence nationale de la sécurité des systèmes d'information (National IT security Agency).
Thus, as the CA will be the same (our director, on behalf of the Prime Minister), it would be easier for people to find all the certificates under the "Administration française" title.

Last but not least: would Thunderbird be patched at the same time as Firefox?
Thanks.
F.E.
(In reply to comment #10)
> We noticed "something like a bug" with Thunderbird on a MacOSX : the CA
> certificate is not configured as trusted by default, but well appears in the
> list of trusted CAs.

Is the certificate issued from an intermediate CA certificate and is this CA certificate imported into Thunderbird too?

> Is it possible to show "Administration française" in the list of trusted root
> CAs instead of PM/SGDN ? 

I would object to such a general term as the organization name. It should be either PM/SGDN, DCSSI or IGC. I guess this should be either "DCSSI" or the long version "Direction centrale de la sécurité des systèmes d'information"

> Indeed in some months we will have to publish a new
> certificate for a new IGC/A key (RSA 4096 SHA256), and the DCSSI is planned to
> have a new name : Agence nationale de la sécurité des systèmes d'information
> (National IT security Agency).

Upon change you might want to file another bug to have the name changed to "Agence nationale de la sécurité des systèmes d'information". Which however leads me to a different question: is this new certificate going to replace the current one or be used in addition to it?
(In reply to comment #10)

> Is it possible to show "Administration française" in the list of trusted root
> CAs instead of PM/SGDN ? 

No, the name shown comes directly from the content of the certificate itself.

E=igca@sgdn.pm.gouv.fr,
CN=IGC/A,        <--
OU=DCSSI,
O=PM/SGDN,       <--
L=Paris,
ST=France,
C=FR
(In reply to comment #11)
> Is the certificate issued from an intermediate CA certificate and is this CA
> certificate imported into Thunderbird too?
Yes, it is the DJO's server certificate, issued by the JO CA, subordinated to the IGC/A root CA. The JO CA certificate wasn't imported in Thunderbird previously.
 
> I would object to such a general term as the organization name. It should be
> either PM/SGDN, DCSSI or IGC. I guess this should be either "DCSSI" or the 
DCSSI would be clearer. But is this OK regarding comment #13?

> Upon change you might want to file another bug to have the name changed to
> "Agence nationale de la sécurité des systèmes d'information" (ANSSI). 
Taking into account comment #13: when the DCSSI name changes (it will be enacted in French law), will the current IGC/A certificate be moved under the ANSSI tree or will there be two trees: DCSSI and ANSSI?
I guess a way to have one tree is to put O=PM/SGDN in the next certificate DN - but the SGDN name will change also (SGDSN)...

> leads me to a different question: Is this new certificate going to replace the
> current one or in addition?
This new one will be used in addition, to sign subordinated CA using SHA256.
The current certificate is valid until 2011 for CA certificates signing, and until 2020 for CRL signing and trusted paths validation.
The names displayed by the certificate manager come directly from the certificates themselves. There is presently no way to substitute another name for the name in the certificate.

Certificates are grouped by the Organization attribute in the cert's Issuer name. Certs with the same Issuer Organization name are grouped together, and displayed under a header which is that Issuer Organization name. Certs are individually listed within each group by their Subject Common Names.

Plan your certificate names accordingly.
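The grouping rule described in the comment above, as an added example that is not code from this bug or from NSS: it parses DN strings like the one quoted in comment 12 and groups (subject, issuer) pairs the way the certificate manager is said to display them. The JO CA and ANSSI DNs are constructed assumptions, not real certificates.

```python
from collections import defaultdict

# Added example (not code from the bug or NSS): models comment 15's rule that the
# certificate manager groups certs by the ISSUER Organization (O) and lists each
# cert under that header by its SUBJECT Common Name (CN).

# The IGC/A root DN exactly as quoted in comment 12 of this bug.
IGCA_DN = "E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR"
# Constructed DNs (assumptions, not real certificates): the "JO CA" subordinate
# named in comment 14, and a hypothetical future root using O=ANSSI.
JO_CA_DN = "CN=JO CA,O=Direction des Journaux officiels,C=FR"
ANSSI_ROOT_DN = "CN=IGC/A 2,O=ANSSI,C=FR"

# (subject DN, issuer DN) pairs; a root certificate is self-issued.
SAMPLE_CERTS = [
    (IGCA_DN, IGCA_DN),              # root: issuer O = PM/SGDN
    (JO_CA_DN, IGCA_DN),             # signed by IGC/A: issuer O = PM/SGDN
    (ANSSI_ROOT_DN, ANSSI_ROOT_DN),  # hypothetical second root: issuer O = ANSSI
]


def parse_dn(dn):
    """RFC 2253-style DN -> ordered (attr, value) pairs; backslash escapes the next char."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [(a.strip().upper(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in rdns)]


def dn_attr(dn, attr):
    """Value of one attribute (e.g. 'O' or 'CN'), or None if absent."""
    return dict(parse_dn(dn)).get(attr.upper())


def group_for_cert_manager(certs):
    """Map issuer Organization -> sorted subject CNs, as the manager displays them."""
    groups = defaultdict(list)
    for subject_dn, issuer_dn in certs:
        groups[dn_attr(issuer_dn, "O")].append(dn_attr(subject_dn, "CN"))
    return {org: sorted(cns) for org, cns in groups.items()}
```

With the sample set, IGC/A and the subordinate JO CA both land under the "PM/SGDN" header while the hypothetical new root appears under a separate "ANSSI" header, which is the two-tree situation comment 14 asks about.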
(In reply to comment #15)
OK, this is clear, thanks.
Hello,
Do you need any other information from us?
Concerning flags, we didn't notice any problem yet. Indeed our root CA just delivers CA certificates, and signs ARL (so flags e-mail signing certificate, SSL certificate authority and status responder authority are sufficient). 
But our subordinated CAs can issue :
- governmental CA certificates, or 
- authentication, or signature or encipher end-user certificates, or
- code-signing certificates, or 
- SSL server certificates.
Depending on how the trusted path validation is coded, do the flags also have to contain "email recipient certificate, code signing certificate and ssl server certificate"?

If not, would you mind telling us when the IGC/A root CA will be added to NSS?
Would Thunderbird be upgraded at the same time as Firefox ?
Thanks
Florence
It will be added soon, thanks for your confirmation that the test build works correctly for you.

Thunderbird 2: I don't know if it will update to a newer NSS snapshot.

Thunderbird 3: yes
Depends on: 487718
fixed with the patch in bug 487718
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.4