Closed Bug 539255 Opened 15 years ago Closed 11 years ago

EV enable GeoTrust SHA256 root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: EV - Approved - in Firefox 26)

Attachments

(6 files, 2 obsolete files)

This request is to EV enable the following GeoTrust ECC and SHA256 root certificates that are currently included in NSS.
* GeoTrust Primary Certificate Authority - G2 (ECC root) Inclusion Bug #409236
* GeoTrust Primary Certificate Authority - G3 (SHA256 root) Inclusion Bug #484899
Status: NEW → ASSIGNED
Whiteboard: Information incomplete
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Assignee: kathleen95014 → nobody
Product: mozilla.org → NSS
QA Contact: ca-certificates → root-certs
Version: other → unspecified
Matthew Middleton: This bug is properly assigned to mozilla.org component CA Certificates, and to Kathleen Wilson. Please don't mess with these bugs.
Assignee: nobody → kathleen95014
Product: NSS → mozilla.org
QA Contact: root-certs → ca-certificates
Version: unspecified → other
This request has been added to the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are directly impacted by the time it takes to work through the queue. The goal is to have each discussion take about two weeks. However, that time varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. If no one reviews and contributes to a discussion, then a request may be in the discussion for several weeks. When there are not enough people contributing to the discussions ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue? You can help by reviewing and providing your feedback in the public discussions of root inclusion requests, or by asking a knowledgeable colleague to do so. Participating in other discussions is a great way to learn the expectations and be prepared for the discussion of your request. Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: Information incomplete → Information confirmed complete
Whiteboard: Information confirmed complete → EV - Information Confirmed Complete
Hi, a test site is now available for the "GeoTrust Primary Certification Authority - G2": https://ecc-test-valid.geotrust.com
Hi, please can you enable the GeoTrust Primary Certification Authority - G3 for EV. It is included in GeoTrust's latest EV WebTrust audit: https://cert.webtrust.org/SealFile?seal=650&file=pdf Thanks Tony
Summary: EV enable GeoTrust ECC and SHA256 root certificates → EV enable GeoTrust SHA256 root certificate
Attachment #494846 - Attachment is obsolete: true
This request is near the top of the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion As such, I am re-reviewing the information that has been gathered, and I have a couple questions about the current status of the hierarchy chaining up to this "GeoTrust Primary Certification Authority - G3" root certificate. According to my notes, there is no CRL or OCSP for this hierarchy yet, because this root is not yet in use. Is that still true?
Correct - neither "GeoTrust Primary Certification Authority - G3" nor "GeoTrust Primary Certificate Authority - G2" are in use yet.
The request to EV-enable the "GeoTrust Primary Certificate Authority - G2" root certificate was postponed, because it wasn't included in the WebTrust EV audit statement, see link in Comment #7.
Attachment #537711 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Symantec/GeoTrust to enable EV for the “GeoTrust Primary Certification Authority - G3” root certificate that is already included in NSS.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “GeoTrust EV Enablement Request”

Please actively review, respond, and contribute to the discussion. A representative of Symantec/GeoTrust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information Confirmed Complete → EV - In public discussion
(In reply to Kathleen Wilson from comment #13)
> I am now opening the first public discussion period for this request from
> Symantec/GeoTrust to enable EV for the “GeoTrust Primary Certification
> Authority - G3” root certificate that is already included in NSS.

The first round of discussion has been closed, and resulted in the following action item.

ACTION Symantec/GeoTrust: Provide the information listed in https://wiki.mozilla.org/CA:SubordinateCA_checklist for the GeoTrust root certificates that are currently included in NSS.

After this information is provided in the bug, I will start a new discussion for this request.
Whiteboard: EV - In public discussion → EV - CA Action Items -- subCA checklist, EV testing
Kathleen, I have finally compiled the answers to your questions in the attached document (SubordinateCA_checklist_539255.pdf). Please restart discussion on this topic at your earliest convenience.
Also, for GeoTrust Primary Certification Authority - G3 (RSA 2048 with SHA 256), we tested Minefield at https://ssltest21.bbtest.net/, with these results:
* There is no warning when loading the page (expected)
* End Entity chains up to given root cert (expected)
* Green bar is not present (not expected)
BTW, here's the contents of the test_ev_roots file we used:

1_fingerprint 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
2_readable_oid 1.3.6.1.4.1.14370.1.6
3_issuer MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UECxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzM=
4_serial
Attached file test_ev_roots.txt
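As an added example (not code from this bug, from Symantec, or from Mozilla's PSM), here is a small pure-Python checker for a test_ev_roots.txt entry in the four-line shape posted above. It decodes the base64 3_issuer value into a readable distinguished name so a reviewer can confirm it really is the G3 root's name, sanity-checks the SHA-1 fingerprint and EV policy OID, and flags a truncated entry such as a 4_serial line that carries no value. The file layout (one `N_field value` line per field, a repeated field starting the next root) is assumed from the comment above rather than taken from PSM documentation, and the serial in the sample is a constructed placeholder because the bug does not show the real one.

```python
import base64
import re

# Attribute-type OIDs that appear in CA subject/issuer names (X.520)
ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$", re.IGNORECASE)  # 20-byte SHA-1
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form (first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_der_name(der):
    """Render a DER X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=US, O=..., CN=...'."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = _read_tlv(rdn, ipos)
            _, oid_raw, vpos = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, vpos)
            # BMPString (0x1E) is UTF-16-BE; Printable/IA5/UTF8String all decode as UTF-8
            text = val.decode("utf-16-be") if vtag == 0x1E else val.decode("utf-8")
            oid = _decode_oid(oid_raw)
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={text}")
    return ", ".join(parts)


def parse_test_ev_roots(text):
    """Split a test_ev_roots.txt (assumed layout: numbered 'N_field value' lines,
    a repeated field starts the next root) into one dict per root."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        field = key.split("_", 1)[1]  # "1_fingerprint" -> "fingerprint"
        if field in current:
            entries.append(current)
            current = {}
        current[field] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Reviewer checks on one entry: fingerprint shape, policy OID shape, issuer decodes
    to a well-formed DER Name, serial is non-empty base64. Returns findings."""
    problems = []
    if not FINGERPRINT_RE.match(entry.get("fingerprint", "")):
        problems.append("fingerprint is not 20 colon-separated hex bytes (SHA-1)")
    if not OID_RE.match(entry.get("readable_oid", "")):
        problems.append("readable_oid is not a dotted OID")
    issuer = serial_hex = None
    try:
        issuer = decode_der_name(base64.b64decode(entry.get("issuer", ""), validate=True))
    except Exception as exc:
        problems.append(f"issuer does not decode as a DER Name: {exc}")
    try:
        serial_hex = base64.b64decode(entry.get("serial", ""), validate=True).hex().upper()
        if not serial_hex:
            problems.append("serial is empty")
    except Exception as exc:
        problems.append(f"serial is not base64: {exc}")
    return {"issuer": issuer, "serial_hex": serial_hex, "problems": problems}


# Constructed sample: fingerprint, OID and issuer are the values posted in the bug;
# the serial (bytes 01 02 03 04) is a placeholder because the page omits the real one.
SAMPLE = """\
1_fingerprint 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD
2_readable_oid 1.3.6.1.4.1.14370.1.6
3_issuer MIGYMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjE5MDcGA1UECxMwKGMpIDIwMDggR2VvVHJ1c3QgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTYwNAYDVQQDEy1HZW9UcnVzdCBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzM=
4_serial AQIDBA==
"""


def review_file(text):
    """Parse and check every root listed in a test_ev_roots.txt."""
    return [check_entry(e) for e in parse_test_ev_roots(text)]


if __name__ == "__main__":
    for finding in review_file(SAMPLE):
        print(finding["issuer"], finding["serial_hex"], finding["problems"] or "OK")
```

The decoded issuer for the posted entry is the G3 root's own subject name (C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3), which is what a self-signed root's issuer must match; running the checker over the entry exactly as posted (4_serial with no value) reports "serial is empty".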
Try using the attached test_ev_roots.txt file and also using an appropriate CA hierarchy (with an intermediate certificate). EV treatment will only be given if the requirements in the EV Guidelines are met.
I just reviewed the answers provided in Comment #15 regarding the subCA checklist. I'm concerned that you want to enable EV for a root certificate that gives control to enterprise customers to issue SSL certificates. Please consider keeping the EV CA hierarchy completely separate from the CA hierarchy that includes enterprise subCAs.
Kathleen, those answers were generic to cover all GeoTrust roots. We have not issued any external SubCAs from this root, nor do we have any plans to. The "external SubCA" product has been EOL'd, although we still have a few customers. No new customers will be added.
I am now opening the second public discussion for this request from Symantec/GeoTrust to enable EV for the “GeoTrust Primary Certification Authority - G3” root certificate that is already included in NSS.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.

The discussion thread is called “Second discussion for GeoTrust EV Enablement Request”

Please actively review, respond, and contribute to the discussion. A representative of Symantec/GeoTrust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - CA Action Items -- subCA checklist, EV testing → EV - In public discussion
The public comment period for this request is now over. Symantec has the following action items:
1) Create the EV issuing intermediate certificate.
2) Perform the EV testing described here: https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
3) Update this bug to provide the URL to a test website whose EV SSL cert chains up to this root, and passes the EV test.

After this bug has been updated to indicate completion of these action items, I will check the provided test website and then recommend approval in this bug to enable EV for the “GeoTrust Primary Certification Authority - G3” root certificate.
Whiteboard: EV - In public discussion → EV - CA Action Items -- EV testing
OK, we've added the intermediate and enabled OCSP, and tested with firefox-4.0b8pre.en-US.win32 (Minefield) and the new test_ev_roots.txt file that you provided. Testing was successful. We can hit the site without warnings or errors, and we see the green toolbar.
As per Comment #22, the public discussion for this request resulted in approval being on hold until the CA completed EV testing. As per Comment #23, the CA has successfully completed EV testing, and I confirmed this in Comment #24.

This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to enable EV treatment for the “GeoTrust Primary Certification Authority - G3” root certificate.

Section 4 [Technical]. I am not aware of instances where Symantec has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevance and Policy]. Symantec appears to provide a service relevant to Mozilla users. GeoTrust is a subsidiary of Symantec. Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base. Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main document of interest is the CPS, which is in English.
CPS: http://www.geotrust.com/resources/cps/pdfs/GeoTrustCPS-Version1.1.12.pdf
Document Repository: http://www.geotrust.com/resources/repository/legal/

Section 7 [Validation]. Symantec appears to meet the minimum requirements for subscriber verification, as follows:
* Email: Section 3.2.4 of GeoTrust’s CPS states that GeoTrust requires the certificate applicant to prove control over the Contact Address, which is the email address to be included in the cert. GeoTrust’s process for proving control over the email address is to send an email to the Contact Address requiring the applicant to respond to a link and enter a PIN that is also sent via email.
* SSL: According to Section 3.2.3 of GeoTrust’s CPS, GeoTrust or the RA will verify that the Subscriber had the right to use the domain name submitted by the Subscriber at the time it submitted its application. Appendix B1 of the CPS contains supplemental validation procedures for EV SSL certificates. Section 11.6 describes the steps taken to verify the applicant’s domain name: GeoTrust performs a WHOIS inquiry on the Internet for the domain name supplied by the Applicant to verify that the Applicant is the entity to whom the domain name is registered.
* Code: Section 3.2.2 of GeoTrust’s CPS describes the steps taken to verify the identity of the certificate subscriber. Whenever an organization name is included in the Certificate, GeoTrust or the RA will take reasonable steps to establish that a Certificate request made on behalf of that Organization is legitimate and properly authorized.

Section 18 [Certificate Hierarchy]. This root has internally-operated intermediate certificates.
* EV Policy OID: 1.3.6.1.4.1.14370.1.6
* CRL:
http://crl.geotrust.com/GeoTrustPCA-G3.crl
http://gtextvalsha256-crl.geotrust.com/gtextvalsha256.crl
CPS section 4.9.7: GeoTrust shall post the CRL online at least weekly (but no later than twenty-four (24) hours after revocation of a Certificate)
CPS Appendix D: For Subscriber Certificates: CRLs are updated and reissued at least every seven (7) days, and the nextUpdate field value SHALL NOT be more than ten (10) days beyond the value of the thisUpdate field;
* OCSP:
http://pca-g3-ocsp.geotrust.com
http://gtextvalsha256-ocsp.geotrust.com
CPS Appendix D: GeoTrust’s Online Certificate Status Protocol (OCSP) is updated at least every four (4) days, and with a maximum expiration time of ten (10) days.

Sections 11-14 [Audit]. Symantec is audited according to the WebTrust CA and WebTrust EV criteria, and audit statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=650

Based on this assessment I intend to approve this request to enable EV treatment for the “GeoTrust Primary Certification Authority - G3” root certificate.
Whiteboard: EV - CA Action Items -- EV testing → EV - Pending Approval
As per the summary in Comment #25, and on behalf of Mozilla I approve this request from Symantec to enable EV treatment for the following root certificate: ** “GeoTrust Primary Certification Authority - G3”, enable EV. I will file the PSM bug for the actual changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting PSM
Depends on: 872294
I have filed bug #872294 against PSM for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting PSM → EV - Approved - in Firefox 26
Product: mozilla.org → NSS
Product: NSS → CA Program