Closed Bug 497917 Opened 15 years ago Closed 14 years ago

Enable Keynectis root CA cert for EV SSL

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: erwann.abalea, Assigned: kathleen.a.wilson)

References

Details

Attachments

(6 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009020409 Iceweasel/3.0.6 (Debian-3.0.6-1)
Build Identifier: 

Dear sir,

KEYNECTIS, as a public CA whose Root CA is already included in your products for standard SSL server certificate issuance (bug #335392), has decided to issue EV SSL certificates under a new dedicated subCA.

KEYNECTIS has successfully passed the WebTrust EV SSL readiness audit performed by the independent auditor KPMG, and now applies to have our existing Root CA (referenced below) enabled for issuance of EV digital certificates.

Root CA Certificate (already inserted in your browser product):
 CN = Class 2 Primary CA
 SerialNumber = 00 85 bd 4b f3 d8 da e3 69 f6 94 d7 5f c3 a5 44 23
 Hash (SHA1) = 74 20 74 41 72 9c dd 92 ec 79 31 d8 23 10 8d c2 81 92 e2 bb

New EV SSL dedicated subCA certificate:
 CN = KEYNECTIS Extended Validation CA
 SerialNumber = 11 20 53 22 f3 aa 58 a6 57 23 35 88 ba 75 ef 4b e8 24
 Hash (SHA1) = 25 8b 0d b3 12 31 d8 e2 a4 eb 9f bd 4d 8f 67 b3 7c f2 26 1b

CPS OID for EV SSL Certificate CPS: 1.3.6.1.4.1.22234.2.5.2.3.1

Downloading url for CA certificate and CPS:
 - general: https://www.keynectis.com/PC
 - english: https://www.keynectis.com/en/support-information/pc.html
(automatic selection of the correct page according to language will soon be in place)
I'll also add the documents to this bug.

To validate the audit report, you can contact KPMG:
 Mr P.H. (Patrick) Paling RE
 Senior Manager, IT Advisory
 ICT Security & Control, Identity & Access Management KPMG Advisory N.V.
 Trade register number: 33263682
 P.O. Box 74105
 1070BC Amsterdam
 The Netherlands
 Tel:    +31 206568392
 Secr:   +31 206568131
 Fax:    +31 206568388
 Mobile: +31 651186824
 paling.patrick@kpmg.nl

Regards,

Erwann Abalea <erwann.abalea@keynectis.com>

Reproducible: Always
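What the request above asks for is an EV-enablement entry: the browser keeps a table that pairs a root certificate, identified by its fingerprint, with the one policy OID that root is allowed to assert for EV. A certificate is shown as EV only when it chains to a root in that table and carries that root's OID; the OID on its own grants nothing, because any CA could embed it. The following is an added example that models this check in Go; it is not code from the bug or from Keynectis or Mozilla. Only the policy OID is taken from the request: all keys, certificates and subject names (the "(example)" root and subCA, www.example.com) are generated locally and are unrelated to the real Certplus hierarchy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// The EV policy OID quoted in the request. Every key, certificate and name
// below is generated locally for this example; none of it is Keynectis material.
var keynectisEVPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 22234, 2, 5, 2, 3, 1}
var oidCertPolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // id-ce-certificatePolicies

// RFC 5280 PolicyInformation, minus the optional qualifiers (CPS URI etc.).
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// sha1Fingerprint is how an EV table identifies a root: the SHA-1 of its DER
// encoding, the same value the request lists as "Hash (SHA1)".
func sha1Fingerprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// isEV reports whether leaf chains validly to a root listed in table AND asserts
// the policy OID the table grants to that same root. Matching the OID without
// the approved anchor must fail, since any CA can embed any OID.
func isEV(leaf, inter, root *x509.Certificate, table map[string]asn1.ObjectIdentifier) (bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		want, enabled := table[sha1Fingerprint(chain[len(chain)-1].Raw)]
		// PolicyIdentifiers is filled by ParseCertificate from the certificatePolicies
		// extension (deprecated since Go 1.22 but still populated by the parser).
		for _, p := range leaf.PolicyIdentifiers {
			if enabled && p.Equal(want) {
				return true, nil
			}
		}
	}
	return false, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// buildChain generates root -> intermediate -> leaf on fresh P-256 keys; the
// leaf carries keynectisEVPolicy only when withEV is true.
func buildChain(withEV bool) (leaf, inter, root *x509.Certificate) {
	tmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rt := tmpl("Class 2 Primary CA (example)", 1)
	root = sign(rt, rt, &rootKey.PublicKey, rootKey)
	inter = sign(tmpl("KEYNECTIS Extended Validation CA (example)", 2), root, &interKey.PublicKey, rootKey)
	lt := tmpl("www.example.com", 3)
	lt.IsCA, lt.KeyUsage = false, x509.KeyUsageDigitalSignature
	if withEV {
		// Written as a raw extension so the result does not depend on which template
		// field (PolicyIdentifiers or Policies) a given Go release encodes.
		val := must(asn1.Marshal([]policyInformation{{Policy: keynectisEVPolicy}}))
		lt.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: val}}
	}
	leaf = sign(lt, inter, &leafKey.PublicKey, interKey)
	return leaf, inter, root
}

func main() {
	leaf, inter, root := buildChain(true)
	table := map[string]asn1.ObjectIdentifier{sha1Fingerprint(root.Raw): keynectisEVPolicy}
	fmt.Println(isEV(leaf, inter, root, table)) // true <nil>
}
```

The table is keyed by the root's fingerprint rather than by its subject name because names are not unique across CAs; a second chain that asserts the same OID under a root that was never enabled, or a leaf under the enabled root that omits the OID, both come back false, which is the behaviour the enablement process relies on.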
Attached file KPMG Audit Report
Attached file CPS for our EV SSL CA
Assignee: nobody → kathleen95014
Status: UNCONFIRMED → NEW
Component: Security → CA Certificates
Ever confirmed: true
Product: Firefox → mozilla.org
QA Contact: firefox → ca-certificates
Version: unspecified → other
Summary: Activate our root CA for EVSSL → Enable Keynectis root CA cert for EV SSL
Accepting this bug. I will begin the Information Gathering and Verification phase as described in
https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: NEW → ASSIGNED
Attaching the Initial Information Gathering document which summarizes the information that has been gathered and verified.  Please review for accuracy and completeness.  Also, please respond to the items that are highlighted in yellow to indicate where further clarification or more information is needed.

I have added the entry to the pending page:
http://www.mozilla.org/projects/security/certs/pending/#Keynectis
Note that it will take a while for the changes to propagate.
Some answers to the highlighted items in comment #4:
 - The URL to download the CRL was wrong. It is, and has always been, http://www.certplus.com/CRL/class2.crl
 - The CRL of our "Keynectis EV CA" is generated every 24 hours and is valid for 7 days. But this is not the root CA's CRL.
 - The OCSP service is updated every hour, and OCSP responses have an expiration date/time equal to that of the CRL (thus, at most 7 days for the "Keynectis EV CA").
 - We renewed our ETSI TS 101 456 in October 2008. The audit statement is available at http://www.lsti-certification.fr/index.php?option=com_content&view=article&id=58&Itemid=53&lang=fr
Thank you for the information.  I have a couple more questions.

1) When I enforce OCSP in Firefox, the website https://www.keynectis.com results in error: 
An error occurred during a connection to www.keynectis.com.
The OCSP server returned unexpected/invalid HTTP data.
(Error code: sec_error_ocsp_bad_http_response)

Would you please try this to see if you get the same error?

2) The WebTrust EV Readiness audit was attached to the bug, rather than posted on a site such as cert.webtrust.org, so Mozilla process requires that I contact the auditor directly to confirm the authenticity of the audit report. Would you please send me the KPMG email address of the auditor(s)?
Sorry for the delay, I've been on vacation.

1) This is a bug on our side, correctly identified and corrected; the new version is being qualified before getting into production. That introduces a new set of questions for my hierarchy: what is the "standard" release period for the NSS library and Firefox? What is the "standard" delay before approval of our request? (considering everything's OK, of course)

2) The email was included in the bug report in the first place:
Mr P.H. (Patrick) Paling RE <paling.patrick@kpmg.nl>
> This is a bug on our side, correctly identified and corrected; 
> the new version is being qualified before getting into production.

OK. Please let me know when it’s ready. I’ll proceed with contacting the auditor in the meantime.

> what is the "standard" release period for the NSS library and Firefox? 
> What is the "standard" delay before approval of our request? 

I recently added the following section to the wiki, which should answer these questions:
https://wiki.mozilla.org/CA:How_to_apply#Timeline
I have received confirmation from KPMG that the WebTrust EV audit that was provided is indeed authentic.

By the way, I have recently learned that according to the CAB Forum Guidelines, 
http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf,
WebTrust EV audit guidelines are to be used only in conjunction with the Principles and Criteria in the WebTrust Program for Certification Authorities. This means that CAs that wish to issue EV certificates must first go through a WebTrust CA audit and then go through a WebTrust EV audit.

I realize that your ETSI 101 456 audit is still current, but would you also please provide the report for the WebTrust CA audit that must have been performed before or in conjunction with doing the WebTrust EV audit?
This is an answer from Mr Patrick Paling (KPMG):

-----
I am just about to leave the office for a week. Could you please send an
email to Kathleen and mention that:
* The CAB Forum also allows ETSI TS 102042 and TS 101456 as a basis for
WebTrust EV SSL. In fact, the CAB Forum (Tim Moses, the CABforum
chairman) is working together with Inigo Barreira (CAB forum member
IZENPE) and Nick Pope (ETSI representative specialist) to further
promote this. Inigo and Nick have worked on a new version of ETSI TS
102042 (with EV SSL already incorporated!) (see attached pdf).

* IZENPE also uses ETSI TS 101456 as a basis for its WebTrust EV SSL
point in time audit

* Diginotar (Netherlands) was, to my knowledge, the first CSP to have EV
SSL (point in time) with ETSI TS 101456 as a basis (I believe already in
2007)

In case of questions, Kathleen or you could send an e-mail to
tim.moses@entrust.com (chair CAB forum) to obtain further information on
using a ETSI TS 101456 certification report issued by an accredited
certification body in a EU member state as a basis for EV SSL.
I advised your colleague Patrick DUBOYS two weeks ago to contact Tim
Moses about CABforum membership. Perhaps you can benefit from this recent
contact to also clarify this issue.
-----
(In reply to comment #9)
> > This is a bug on our side, correctly identified and corrected; 
> > the new version is being qualified before getting into production.
> 
> OK. Please let me know when it’s ready.

The new version of our OCSP responder was deployed yesterday evening; I checked it with OpenSSL with success.
Thanks for the information about the audit.
The website is also working for me now with OCSP enforced.

This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information Confirmed Complete
Updated the information gathering document in preparation for the upcoming public discussion.
Attachment #395958 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Keynectis/Certplus to EV-enable the Certplus “Class 2 Primary CA” root certificate.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “Keynectis EV Enablement Request”

Please actively review, respond, and contribute to the discussion.

A representative of the CA should promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information Confirmed Complete → EV - In Public Discussion
The public comment period for this request is now over. 

This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to enable EV in the Certplus “Class 2 Primary CA” root certificate.

Section 4 [Technical]. I am not aware of any technical issues with certificates issued by Keynectis/Certplus, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Keynectis/Certplus appears to provide a service relevant to Mozilla users: they are a French commercial CA who issue certificates to the general public. 

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main documents of interest for this request are the EV SSL CPS and the SSL CPS.

EV SSL CPS (English): 
https://bugzilla.mozilla.org/attachment.cgi?id=387860 
SSL CPS (French): 
https://www.keynectis.com/static/content/common/pc-dpc/DSQ_PC_PC_AC_KEYNECTIS_SSL_1.2s.pdf
CPS (French): 
http://www.keynectis.com/PC/CPS_KEYNECTIS_120407v1.1.pdf

Section 7 [Validation]. Keynectis appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Keynectis verifies that the entity submitting the request controls the email account associated with the email address referenced in the certificate. (CPS section 2.3)

* Code: Not applicable. Not requesting the Code Signing trust bit.

* SSL: Keynectis verifies domain control by communicating with the Administrative Contact listed in WHOIS. (CPS section 6.1.3)

* EV SSL: Keynectis verifies the organization identity and the organization’s ownership/control of the domain name as per section 3.2.2.4 of the EV SSL CPS.

* EV Policy OID: 1.3.6.1.4.1.22234.2.5.2.3.1

Section 8-10 [Audit]. The WebTrust EV Readiness audit was performed by KPMG. The audit report and management assertion were attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=382979. I exchanged email with an auditor at KPMG who confirmed the authenticity of the document. Keynectis has also been audited according to the ETSI 101 456 criteria by La Sécurité des Technologies de l'Information (LSTI), and the audit is valid until October 2011.

Section 13 [Certificate Hierarchy]. This root has two internally-operated subordinate CAs: Class 2 KEYNECTIS CA issues SSL certificates, and KEYNECTIS Extended Validation CA issues EV SSL certificates.

Other: 
* The NextUpdate for the CRL for end-entity certs is 7 days.
* OCSP is provided. The OCSP service is updated every hour, and OCSP responses have an expiration date/time equal to that of the CRL (thus, max 7 days for the "Keynectis EV CA").

Based on this assessment I intend to approve this request to enable EV in the Certplus “Class 2 Primary CA” root certificate.
To the representatives of Keynectis/Certplus: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #18, and on behalf of the Mozilla project, I approve this request from Keynectis/Certplus to enable EV for the Certplus “Class 2 Primary CA” root certificate.

I will file the PSM bug to effect the approved change.
Whiteboard: EV - In Public Discussion → Approved - awaiting PSM
Depends on: 555860
I have filed bug 555860 against PSM for the actual changes.
This appears to be in Firefox 3.6.7.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting PSM
Product: mozilla.org → NSS
Product: NSS → CA Program