Closed Bug 515425 Opened 16 years ago Closed 15 years ago

Request to enable code-object-signing "trust bit" for DigiCert's three Root CAs

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: benwilsonusa, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: In FF4Beta)

Attachments

(7 files)

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; eMusic DLM/4; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; MS-RTC LM 8; .NET CLR 3.0.30729)
Build Identifier:

In previous request - Bug 364568 - Add DigiCert CA Root Certificates (3 Roots, 1 EV) (March 2007), DigiCert was advised to apply at a later date when it had more details concerning the processes to be used to issue code object signing certificates. DigiCert now renews this request.

Reproducible: Always
Starting the Information Gathering and Verification phase as described in https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The attached document summarizes the information that has been gathered and verified for this request. The items highlighted in yellow indicate where further information or clarification is requested.
Whiteboard: information incomplete
The attached Initial Information Gathering Document revised by DigiCert has been edited in the locations highlighted in yellow to provide clarification of DigiCert's practices where that information was not previously available for evaluation.
This request has been added to the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: information incomplete → Information confirmed complete
I have re-reviewed the information in this request in preparation for the upcoming discussion.
https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

I have no further questions at this time. I will post a comment in this bug when I start the discussion.
I am now opening the first public discussion period for this request from DigiCert to enable the Code Signing trust bit for three DigiCert root certificates that are currently included in NSS.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “DigiCert Code Signing Enablement Request”.

Please actively review, respond, and contribute to the discussion. A representative of the CA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
This is the revised Certificate Policy for DigiCert effective August 9, 2010.
This is the revised Certification Practices Statement for DigiCert effective August 9, 2010.
Attached file Updated CP
Attached file Updated DigiCert CPS
Attachment #470061 - Attachment description: The DigiCert CPS with updated language in section 3.2.5 about the code signing verification process → Updated DigiCert CPS
Attachment #470059 - Attachment description: This is the DigiCert CP with updated language in section 3.2.5 about the code signing verification process → Updated CP
Comment on attachment 470059 [details] Updated CP
This updates the validation process for code signing certificates in section 3.2.5.
Comment on attachment 470061 [details] Updated DigiCert CPS
This updates the validation process for code signing certificates in section 3.2.5.
This request has been evaluated as per the Mozilla CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request from DigiCert to enable the Code Signing trust bit for the “DigiCert Assured ID Root CA”, “DigiCert Global Root CA”, and “DigiCert High Assurance EV Root CA” root certificates.

Section 4 [Technical]. I am not aware of any technical issues with certificates issued by DigiCert, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. DigiCert appears to provide a service relevant to Mozilla users: It is a US-based commercial CA that provides digital certification and identity assurance services internationally to a variety of sectors including business, education, and government.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main documents of interest are the CP and CPS, which are in English.
DigiCert Document repository: http://www.digicert.com/ssl-cps-repository.htm
Updated CP: https://bugzilla.mozilla.org/attachment.cgi?id=470059
Updated CPS: https://bugzilla.mozilla.org/attachment.cgi?id=470061
CPS for EV: http://www.digicert.com/DigiCert_EV-CPS.pdf

Section 7 [Validation]. DigiCert appears to meet the minimum requirements for subscriber verification, as follows:
* Email: DigiCert verifies that the certificate subscriber has control of the email address to be included in the certificate. (CPS sections 3.2.3 and 3.2.5)
* SSL: DigiCert verifies that the certificate subscriber owns and controls the domain name to be included in the certificate. (CPS sections 3.2.2 and 3.2.5)
* Code: DigiCert verifies the existence and identity of the organization, and the authority of the certificate subscriber to request the certificate on behalf of the organization. (CP and CPS sections 3.2.2, 3.2.3, and 3.2.5)
* EV Policy OID: 2.16.840.1.114412.2.1
** CPS for EV section 3.2.2 describes the steps DigiCert takes to verify the existence and identity of the organization, and the steps taken to verify that the certificate subscriber has exclusive control of the domain name to be included in the certificate.

Section 13 [Certificate Hierarchy].
* Each root has internally-operated intermediate CAs for each level of assurance.

Other:
* DigiCert issues CRLs with NextUpdate 7 days for end-entity certs.
* OCSP is provided.

Section 8-10 [Audit]. DigiCert is audited annually by KPMG according to the WebTrust CA and WebTrust EV criteria, and the audit statements are posted on the webtrust.org website:
https://cert.webtrust.org/ViewSeal?id=845
https://cert.webtrust.org/ViewSeal?id=962

Based on this assessment I intend to approve this request to enable the Code Signing trust bit for the “DigiCert Assured ID Root CA”, “DigiCert Global Root CA”, and “DigiCert High Assurance EV Root CA” root certificates.

The following action item will also be tracked in this bug.
ACTION DigiCert: Publish the updated CP and CPS on the DigiCert website, and post an update in this bug when completed.
To the representatives of DigiCert: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #14, and on behalf of the Mozilla project, I approve this request from DigiCert to enable the Code Signing trust bits for the following three root certificates:
* DigiCert Assured ID Root CA
* DigiCert Global Root CA
* DigiCert High Assurance EV Root CA

I will file the NSS bug to effect the approved changes.
Whiteboard: In public discussion → Approved - awaiting NSS
Depends on: 595013
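The approval above grants the third of NSS's three per-certificate trust columns (SSL, S/MIME, JAR/XPI, the last being the object-signing bit) to the three roots. As an added example, not part of this bug or of DigiCert's or Mozilla's material, the following POSIX shell helpers pull the trust triple for a named root out of a `certutil -L`-style listing and check whether the object-signing column is `C` (trusted CA). The listing embedded in `SAMPLE_LISTING` is a constructed sample in the column layout certutil prints, not real output from any database; the database path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: inspect the object-signing trust column for a root in an NSS
# certificate listing. Constructed sample input in the format `certutil -L`
# prints; a real check would pipe `certutil -L -d sql:$HOME/.pki/nssdb`
# (path is an assumption) into these functions instead.

SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert Assured ID Root CA                                  C,C,C
DigiCert Global Root CA                                      C,C,C
DigiCert High Assurance EV Root CA                           C,C,
Example Untrusted CA                                         ,,
'

# trust_triple NICKNAME
# Reads a certutil-style listing on stdin and prints the "SSL,S/MIME,JAR/XPI"
# trust string for NICKNAME. Returns 1 when the nickname is not listed.
trust_triple() {
    awk -v nick="$1" '
        {
            sub(/[ \t]+$/, "")          # drop trailing blanks, re-splits fields
            if (NF < 2) next            # header continuation / blank lines
            t = $NF                     # trust string is the last field
            n = substr($0, 1, length($0) - length(t))
            sub(/[ \t]+$/, "", n)       # nickname is the rest, trimmed
            if (n == nick) { print t; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# objsign_flag NICKNAME
# Prints only the third (object-signing) column; empty when the bit is unset.
objsign_flag() {
    trust_triple "$1" | awk -F, '{ print $3 }'
}

# has_codesign_bit NICKNAME
# Succeeds (exit 0) only when the object-signing column is "C", i.e. the root
# is trusted to issue code-signing certificates.
has_codesign_bit() {
    [ "$(objsign_flag "$1")" = "C" ]
}

# Stand-alone demonstration over the constructed listing.
for root in 'DigiCert Assured ID Root CA' 'DigiCert Global Root CA' \
            'DigiCert High Assurance EV Root CA' 'Example Untrusted CA'; do
    if printf '%s' "$SAMPLE_LISTING" | has_codesign_bit "$root"; then
        printf '%s: code-signing trust bit set\n' "$root"
    else
        printf '%s: code-signing trust bit NOT set\n' "$root"
    fi
done
```

One caveat for real use: roots shipped in NSS's builtin module appear with a module prefix in the nickname (for example `Builtin Object Token:DigiCert Global Root CA`), so match on the full nickname string that `certutil -L` prints for your database, and note that a trust column can also carry flags other than `C` (such as `P` for explicitly trusted peer or `p` for distrusted); the check above deliberately accepts only `C`.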
I have filed bug #595013 against NSS for the actual changes.
Jeremy, please update this bug when the following action item has been completed.
ACTION DigiCert: Publish the updated CP and CPS on the DigiCert website.
Updated CP and CPS were posted online on 9-Sep-2010.
CP is here - http://www.digicert.com/DigiCert_CP_v401.pdf
Updated CPS is here - http://www.digicert.com/DigiCert_CPS_v401.pdf
If for some reason either of these URIs change, the CP and CPS will still be accessible from the repository at this page - http://www.digicert.com/ssl-cps-repository.htm
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → In FF4Beta
Product: mozilla.org → NSS
Product: NSS → CA Program