Closed Bug 539257 Opened 15 years ago Closed 11 years ago

EV enable thawte SHA256 root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: EV - Approved - in Firefox 26)

Attachments

(5 files, 3 obsolete files)

This request is to EV enable the following thawte ECC and SHA256 root
certificates that are currently included in NSS.

- thawte Primary Root CA – G3 (SHA256 root)
Inclusion Bug #484903

- thawte Primary Root - G2 (ECC root)
Inclusion Bug #409237
Status: NEW → ASSIGNED
Whiteboard: Information incomplete
The attached document summarizes the information that has been gathered and
verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Thank you for the information.

I have a question about “thawte Primary Root CA - G2”… My notes indicate that all of the subCAs under this root will be of Class 3. However, my notes also indicate that the SSL verification type is DV, OV, and EV. Should it just be OV and EV since Class 3 verification means High Assurance?

(by DV, I mean DV only with no organizational verification).
Hi Kathleen,

There is a possibility that, if Thawte moves all products to this root, DV may be included under a DV intermediate CA.
A test site for this root has been created: https://ecc-test-valid.thawte.com
This request has been combined with the other Thawte request in the queue for public discussion: 
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: Information incomplete → EV - Information Confirmed Complete
Hi

The thawte Primary Root CA - G3 was included in Thawte's latest EV audit. Please can you proceed with EV enabling this root.

https://cert.webtrust.org/SealFile?seal=527&file=pdf 

Thanks
Tony
Summary: EV enable thawte ECC and SHA256 root certificates → EV enable thawte SHA256 root certificate
Attachment #507203 - Attachment is obsolete: true
Attachment #537684 - Attachment is obsolete: true
Attachment #537697 - Attachment is obsolete: true
I am now opening the first public discussion period for two requests from Thawte:

Bug #539257: Enable EV for the “thawte Primary Root CA - G3” root certificate.

Bug #601950: Turn on the code signing trust bit for the “thawte Primary Root CA” root certificate.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “Symantec/Thawte EV and Trust Bit Change Request”

Please actively review, respond, and contribute to the discussion.
Whiteboard: EV - Information Confirmed Complete → EV - In public discussion
The public comment period for this request is now over.

Symantec has the following action items:

1) Create the EV issuing intermediate CA, and OCSP service.

2) Perform the EV testing described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

3) Update this bug to provide the URL to a test website whose EV SSL cert chains up to this root.

After this bug has been updated to indicate completion of these action items, I will check the provided test website and then recommend approval in this bug to enable EV for the “thawte Primary Root CA - G3” root certificate.
Whiteboard: EV - In public discussion → EV - CA Action Items -- EV testing
Kathleen, I presume you intend those action items to apply to both roots:
- thawte Primary Root CA – G3 (SHA256 root)
- thawte Primary Root - G2 (ECC root)
Right?
(In reply to Rick Andrews from comment #14)
> Kathleen, I presume you intend those action items to apply to both roots:
> - thawte Primary Root CA – G3 (SHA256 root)
> - thawte Primary Root - G2 (ECC root)
> Right?

Please note comment #8. Tony requested that we proceed with EV-enablement for only the SHA256 root in this particular request.
Reminder, this request is to enable EV for the "thawte Primary Root CA - G3" root certificate. 

As per Comment #13, the discussion of this request was completed, and this request is only waiting on successful completion of EV Testing.
Here are the test results using Minefield to visit https://ssltest8.bbtest.net:

There is no warning when loading the page (expected)
End Entity chains up to given root cert (expected)
Green bar is not present (not expected)
BTW, here's the contents of the test_ev_roots file we used:

1_fingerprint F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
2_readable_oid 2.16.840.1.113733.1.7.48.1
3_issuer MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
4_serial
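The test_ev_roots.txt file quoted above is what the EV testing procedure feeds to a test build of Firefox: one numbered "key value" line per field (fingerprint, policy OID, base64 DER issuer Name, base64 serial). The following is an added example, not code from the bug or from Mozilla, that parses such an entry and checks that each field is well-formed, decoding the issuer Name with a small pure-Python DER reader so a reviewer can confirm the entry really names "thawte Primary Root CA - G3". The fingerprint, OID and issuer values are the ones quoted in the comment; the serial is a constructed placeholder because the comment breaks off before it, and the assumption that a new "fingerprint" line begins a new entry is the example's own.

```python
# Added example: parse and sanity-check a Firefox test_ev_roots.txt entry
# (format as quoted in the bug: "1_fingerprint ...", "2_readable_oid ...",
# "3_issuer <base64 DER Name>", "4_serial <base64>").
import base64
import re

# Constructed sample entry: fingerprint, OID and issuer are the values quoted in the
# bug; the serial ("AAAA") is a placeholder because the comment was cut off before it.
SAMPLE_ENTRY = """\
1_fingerprint F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
2_readable_oid 2.16.840.1.113733.1.7.48.1
3_issuer MIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
4_serial AAAA
"""

# X.520 attribute types commonly found in a CA's issuer name (all under 2.5.4).
ATTRIBUTE_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}

FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")  # SHA-1: 20 bytes
DOTTED_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (e.g. 0x81 0xAE above)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body (base-128 arcs) into dotted-decimal form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_name(der):
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into (type, value) pairs."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = read_tlv(rdn, 0)                 # first AttributeTypeAndValue of the RDN
        _, oid, after_oid = read_tlv(atv, 0)
        vtag, val, _ = read_tlv(atv, after_oid)
        text = val.decode("utf-16-be") if vtag == 0x1E else val.decode("utf-8")  # BMPString vs others
        dotted = decode_oid(oid)
        pairs.append((ATTRIBUTE_NAMES.get(dotted, dotted), text))
    return pairs


def parse_test_ev_roots(text):
    """Parse "N_key value" lines into entry dicts; a new 'fingerprint' line starts a new entry (assumption)."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        field = key.split("_", 1)[-1]               # "1_fingerprint" -> "fingerprint"
        if field == "fingerprint" and current:
            entries.append(current)
            current = {}
        current[field] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return a list of problems with one entry (empty when every field is well-formed)."""
    problems = []
    if not FINGERPRINT_RE.match(entry.get("fingerprint", "")):
        problems.append("fingerprint must be 20 colon-separated uppercase hex bytes (SHA-1)")
    if not DOTTED_OID_RE.match(entry.get("readable_oid", "")):
        problems.append("readable_oid must be a dotted-decimal OID")
    try:
        entry["issuer_decoded"] = decode_name(base64.b64decode(entry.get("issuer", ""), validate=True))
    except (ValueError, IndexError) as exc:
        problems.append(f"issuer is not a base64 DER Name: {exc}")
    try:
        base64.b64decode(entry.get("serial", ""), validate=True)
    except ValueError as exc:
        problems.append(f"serial is not base64: {exc}")
    return problems


if __name__ == "__main__":
    for entry in parse_test_ev_roots(SAMPLE_ENTRY):
        problems = check_entry(entry)
        print("issuer:", ", ".join(f"{k}={v}" for k, v in entry.get("issuer_decoded", [])))
        print("problems:", problems or "none")
```

Decoding the issuer field of the quoted entry yields C=US, O=thawte, Inc., two OU values and CN=thawte Primary Root CA - G3, which is the quick way to confirm that a test entry points at the intended root before spending time on a green-bar test that can also fail for chain or OCSP reasons, as happened in the comment above.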
Attached file test_ev_roots.txt
Try using the attached test_ev_roots.txt file and also using an appropriate CA hierarchy (with an intermediate certificate). EV treatment will only be given if the requirements in the EV Guidelines are met.
OK, we've added the intermediate and enabled OCSP, and tested with firefox-4.0b8pre.en-US.win32 (Minefield) and the new test_ev_roots.txt file that you provided. Testing was successful. We can hit the site without warnings or errors, and we see the green toolbar.
As per Comment #13, the public discussion for this request resulted in approval being on hold until the CA completed EV testing.
As per Comment #20, the CA has successfully completed EV testing, and I confirmed this in Comment #21.

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to enable EV treatment for the “thawte Primary Root CA - G3” root certificate.

Section 4 [Technical]. I am not aware of instances where Symantec has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevance and Policy]. Symantec appears to provide a service relevant to Mozilla users. Thawte is a subsidiary of Symantec. Symantec acquired the VeriSign Authentication Services and root certificates, and is a major commercial CA with worldwide operations and customer base.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main document of interest is the CPS, which is provided in English.

http://www.thawte.com/cps

Section 7 [Validation]. Symantec appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Not applicable -- not requesting the email trust bit.

* SSL: According to section 3.2.2 of the CPS: Where a domain name or e-mail address is included in the certificate thawte authenticates the Organization’s right to use that domain name. Confirmation of an organization’s right to use a domain name is not performed for SSL123 Certificates. For these certificates, validation of domain control only is performed … thawte validates the Certificate Applicant’s control of a domain by requiring the person to answer an e-mail sent to the e-mail address listed or predetermined for that domain.
** Supplemental validation procedures for EV SSL Certificates is provided in Appendix B1 of the CPS. Section 11.6 describes the procedures for verifying the applicant’s domain name, which includes: thawte performs a WHOIS inquiry on the Internet for the domain name supplied by the Applicant, to verify that the Applicant is the entity to whom the domain name is registered.

* Code: According to section 3.2.2.1 of the CPS: thawte confirms the identity of a Certificate Applicant for a High Assurance Server or Code Signing Certificate by: 1) Verifying that the organization exists through the use of at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government that confirms the existence of the organization and 2) Confirming with an appropriate Organizational contact by telephone, postal mail, or a comparable procedure certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Organization is authorized to do so.

Section 18 [Certificate Hierarchy]
This root has internally-operated intermediate certificates. 

* EV Policy OID: 2.16.840.1.113733.1.7.48.1

* CRL: 
http://crl.thawte.com/ThawtePCA-G3.crl
http://ev-sha256-crl.thawte.com/ThawteEVSHA256.crl
CPS Appendix D: For Subscriber Certificates, CRLs are updated and reissued at least every seven (7) days, and the nextUpdate field value SHALL NOT be more than ten (10) days beyond the value of the thisUpdate field.

* OCSP
http://ocsp.thawte.com
http://ev-sha256-ocsp.thawte.com
CPS Appendix D: For Subscriber Certificates … (OCSP) is updated at least every four (4) days, and with a maximum expiration time of ten (10) days.

Sections 11-14 [Audit]. 
Symantec is audited according to the WebTrust CA and WebTrust EV criteria, and audit statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=527

Based on this assessment I intend to approve this request to enable EV treatment for the “thawte Primary Root CA - G3” root certificate.
Whiteboard: EV - CA Action Items -- EV testing → EV - Pending Approval
As per the summary in Comment #22, and on behalf of Mozilla I approve this request from Symantec to enable EV treatment for the following root certificate:

** “thawte Primary Root CA - G3”, enable EV.

I will file the PSM bug for the actual changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting PSM
Depends on: 872304
I have filed bug #872304 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting PSM → EV - Approved - in Firefox 26
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program