Enable Camerfirma root certificates for EV in PSM

VERIFIED FIXED

Status

()

Core
Security: PSM
--
enhancement
VERIFIED FIXED
7 years ago
7 years ago

People

(Reporter: Kathleen Wilson, Assigned: kaie)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

7 years ago
Per bug 406968 the request from Camerfirma has been approved to enable
its "Chambers of Commerce Root - 2008" and "Global Chambersign Root - 2008" root certificates for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows.

Friendly name: Chambers of Commerce Root - 2008
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
Test URL: https://server1.camerfirma.com:8081/

Friendly name: Global Chambersign Root - 2008
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
Test URL: https://server2.camerfirma.com:8082/

If testing determines that it is problematic to have two EV Policy OIDs for
a root, then Camerfirma would choose to use the first OID listed for each root.
(Reporter)

Comment 1

7 years ago
Ramiro, Please confirm that the above information is correct.

Comment 2

7 years ago
Yes it is correct.

Regards
Ramiro
(Reporter)

Comment 3

7 years ago
Thanks for confirming that the data in this bug is correct. 

This bug is dependent on bug 562395 because the root certificates need to be included in NSS before they can be enabled for EV in the PSM.
(Assignee)

Updated

7 years ago
Depends on: 582579
(Assignee)

Updated

7 years ago
No longer depends on: 582579
(Reporter)

Comment 4

7 years ago
As per https://bugzilla.mozilla.org/show_bug.cgi?id=562395#c10

the new test urls are:

Chambers of Commerce Root – 2008 --  https://www.camerfirma.com 

Global Chambersign Root – 2008  -- https://server3.camerfirma.com
(Assignee)

Updated

7 years ago
Depends on: 614852
(Assignee)

Comment 5

7 years ago
I can't connect to https://www.camerfirma.com/
see also bug 562395 comment 15 for more details.

I can connect to https://server3.camerfirma.com/
and I get the green EV status.

Comment 6

7 years ago
I can connect both of then, please try again. But I do not see the green EV status
(Assignee)

Comment 7

7 years ago
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
(Assignee)

Comment 8

7 years ago
(In reply to comment #6)
> I can connect both of then, please try again. But I do not see the green EV
> status

The old testbuild did not yet enable EV.
The new testbuild from comment 7 now enables EV for your roots.
(Assignee)

Comment 9

7 years ago
This bug is about EV.
Let's not mix bug 562395 and this one.

Bug 562395 is about adding your roots to NSS.
That bug is mostly done, as soon as you confirm (in bug 562395).

This bug 562399 is about enabling your roots for EV.
This is not yet done.


You have requested to enable 4 combinations of {root, oid} for EV.
I think the most recent information about your test sites is in bug 562395 comment 10.


I will copy that information into this bug, in the next comment.
(Assignee)

Comment 10

7 years ago
Copying information from bug 562395 comment 10:


The new test websites for these roots are as follows. Note that these websites
are currently on servers that are used by Camerfirma developers for testing
purposes, so it is possible that at times these may be temporarily offline.

--  Chambers of Commerce Root – 2008 --

https://server1.camerfirma.com:8081    
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2:
(This is the OID for OV certs)

https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP
enforced. 
The SSL certs fo both of these sites chain up to the intermediate CA
“Camerfirma Corporate Server – 2009”.
The AIA for both the end-entity certs and the intermediate cert has
OCSP: URI: http://ocsp.camerfirma.com

Note: The CA hierarchy for “Chambers of Commerce Root – 2008” is a little
different than I described in 
https://bugzilla.mozilla.org/show_bug.cgi?id=406968#c92.
Express Corporate Server and Corporate Server EV was in the old hierarchy. In
the new, 2008, hierarchy the subCA "Corporate Server 2009" issues both OV and
EV certificates with different Policy OID. 

-- Global Chambersign Root – 2008  --

https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I have successfully browsed to both of these websites in Firefox with OCSP
enforced.
The SSL certs chain up to “RACER – 2009”, which is signed by “AC Camerfirma –
2009”, which is signed by this root.
The AIA for the end-entity and intermediate certs all have
OCSP: URI: http://ocsp.camerfirma.com
(Assignee)

Comment 11

7 years ago
Looks like there have been confusing requests.

This EV bug initially requested the 4 EV OIDs shown in this bug comment 0.
I have used this information to produce the test build,
because this is what Ramiro had confirmed in comment 2 !


This is different from the information in comment 10 !

The test site at https://server1.camerfirma.com:8081/
does not use an OID from the confirmed comment,
it uses an OID from the non-confirmed comment 10.

The test site at https://server2.camerfirma.com:8082/
does not use an OID from the confirmed comment,
it uses another OID from the non-confirmed comment 10.


If the initial information in this bug,
and the initial confirmation from Ramiro in this bug is no longer correct,
then I propose to close this bug,
and start a fresh bug,
because this one is now full of confusion.
(Assignee)

Comment 12

7 years ago
Marking bug INVALID.

CA confirmed information that does not match attributes used in test sites.

Non-matching information has been posted in a related bug 562395,
which is apparently the new expectation of the CA, because of information found in test sites.

The new expectation has not been stated in this EV bug,
and has not been confirmed by a CA representative,
and is different from the confirmed information in this bug.

I would have expected the CA to be proactive and revoke their confirmation statement from comment 2.

Before you ask me to work on this again,
please make sure everything is well organized.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Kay sorry we have made changes since comment 2. comment 2 is revoked.

I confirm next information:

Friendly name: Chambers of Commerce Root - 2008
SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
Test URL: https://www.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
(This is the EV Policy OID)

I can not get the green flag (KO)

Friendly name: Global Chambersign Root - 2008
SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
Test URL: https://server3.camerfirma.com 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
(This is the EV Policy OID)

I can get the GREEN flag (OK)

Friendly name: Chambers of Commerce Root - 2008
https://server1.camerfirma.com:8081    
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
(This is the OID for OV certs)

Friendly name: Global Chambersign Root - 2008
https://server2.camerfirma.com:8082 
Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
(This is the OID for OV certs)

I hope this clarify the situation.
Sorry again for the confusion.

Regards
Ramiro
(Assignee)

Comment 14

7 years ago
(In reply to comment #13)
> 
> Friendly name: Chambers of Commerce Root - 2008
> SHA1 Fingerprint: 78:6a:74:ac:76:ab:14:7f:9c:6a:30:50:ba:9e:a8:7e:fe:9a:ce:3c
> EV policy OID 1: 1.3.6.1.4.1.17326.10.14.2.1.2 
> EV policy OID 2: 1.3.6.1.4.1.17326.10.14.2.2.2
> Test URL: https://www.camerfirma.com 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.14.2.1.2
> (This is the EV Policy OID)


Question (1):

Does this mean,
you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID ?


> Test URL: https://www.camerfirma.com 
> I can not get the green flag (KO)

I *sometimes* get green EV status for this test url.
- start with fresh profile
- go to https://www.camerfirma.com 
- get blue domain indicator
- use reload
- now get green domain indicator

I notice, on the initial conection, the decision blue is very quick.
If I hit reload, the page loads for several seconds, until we get green.

We must investigate why this happens.

I don't have ideas.
Someone must trace and debug.


> Friendly name: Global Chambersign Root - 2008
> SHA1 Fingerprint: 4a:bd:ee:ec:95:0d:35:9c:89:ae:c7:52:a1:2c:5b:29:f6:d6:aa:0c
> EV policy OID 1: 1.3.6.1.4.1.17326.10.8.12.1.2 
> EV policy OID 2: 1.3.6.1.4.1.17326.10.8.12.2.2
> Test URL: https://server3.camerfirma.com 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.12.1.2
> (This is the EV Policy OID)


Question (2):

Does this mean,
you request to enable Global-Chamber-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID ?



> Friendly name: Chambers of Commerce Root - 2008
> https://server1.camerfirma.com:8081    
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.11.2
> (This is the OID for OV certs)


Question (3):

Please help me understand, what is a "OV cert" ?


Question (4):

Do you request EV for Chamber-Commerce-2008 and OID 1.3.6.1.4.1.17326.10.11.2 ?



> Friendly name: Global Chambersign Root - 2008
> https://server2.camerfirma.com:8082 
> Policy OID in end-entity cert: 1.3.6.1.4.1.17326.10.8.11.1.2
> (This is the OID for OV certs)


Question (5):

Do you request EV for Global-Chamber-2008 and OID 1.3.6.1.4.1.17326.10.8.11.1.2 ?


Question (6):

I count 6 different OIDs in your comment.
Do you really request EV status for 6 different OIDs?
Question (1):
Does this mean,
you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID ?

Yes, if it is possible I whould like to have activated both OID. 
Both certificates are just the same, but with diferent policy since the keys in ...1.2 are generated in software and the keys in ...2.2 are generates in a hw device.
If it is not possible then activate only the ...1.2.

Question (2):
Does this mean,
you request to enable Global-Chamber-2008 for EV, for both EV OIDs,
but you provide a test URL only for one EV OID ?

Yes as I said in question 1, certificate are completely the same but with diferent policy.


Question (3):
Please help me understand, what is a "OV cert" ?
There are three kind of SSL certificates DV(Domain validation) OV(Organization validation) anf EV(Extended Validation). Only the EV have the green label.

Question (4):
Do you request EV for Chamber-Commerce-2008 and OID 1.3.6.1.4.1.17326.10.11.2 ?

NO

Question (5):
Do you request EV for Global-Chamber-2008 and OID 1.3.6.1.4.1.17326.10.8.11.1.2
?

NO

Question (6):
I count 6 different OIDs in your comment.
Do you really request EV status for 6 different OIDs?

I have answered it, in previous questions.


Regards
Ramiro
I have downloaded a new version of Minenfield and now I can´t get the green label for https://www.camerfirma.com and https://server3.camerfirma.com.

Regards
Ramiro
(Assignee)

Comment 17

7 years ago
Thank you for the clarification regarding "OV" certs.
OV is different than EV.
You do NOT request green EV indicators for OV certs.


Initially, in the first comment in this bug,
you had requested:
- EV for server1
- EV for server2

This is what had caused the confusion, because now you want:
- no EV for server1
- no EV for server2
- EV for www
- EV for server 3


After understanding this confusion,
I conclude that most of the request from the initial comment is still correct.

When comparing the initial comment in this bug with your latest comments,
you still request EV for the same roots and OIDs.

The only difference is the URLs for the test servers.


This is how I understand your comment 13 and your comment 15.


Based on this clarification I'm OK to reopen this bug and proceed to work on this request.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
(Assignee)

Comment 18

7 years ago
Camerfirma, please don't make any more changes to the existing test servers until this task has been completed and marked as resolved.

Thanks
(Assignee)

Comment 19

7 years ago
(In reply to comment #15)
> Does this mean,
> you request to enable Chamber-Commerce-2008 for EV, for both EV OIDs,
> but you provide a test URL only for one EV OID ?
> 
> Yes, if it is possible I whould like to have activated both OID. 


I need a separate test URL for each combination of {root, OID} that you are requesting EV for.

You are requesting EV for 4 combinations of {root, OID},
but you only provided test URLS for 2 combinations.


If you really want all 4 combinations enabled for EV,
then please provide test URLs for all 4 combinations.
=> Keep the existing test servers, and give us 2 additional test URLs.


If you cannot provide the additional test servers, then tell me to proceed with only the existing 2 combinations.
Comment 17
OK you are right with the actual situation.
Comment 18
OK no more changes will be made on test servers.
Comment 19
Proceed with only the existing 2 combinations

Regards
Ramiro
(Assignee)

Comment 21

7 years ago
fixed by bug 614852 (for mozilla-central and upcoming ff 4)

ff 3.5.x and ff 3.6.x not yet done
(Assignee)

Updated

7 years ago
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 22

7 years ago
Ramiro, What are the two test URLs that I can use to try this in my installation of FF4?
https://www.camerfirma.com      EV
https://server3.camerfirma.com  EV

https://server1.camerfirma.com:8081 non EV
https://server2.camerfirma.com:8082 non EV
(Reporter)

Comment 24

7 years ago
Thanks. When I tried them yesterday I got an OCSP error, but they are working today.

What sort of monitoring do you have on your OCSP service to make sure it can be noticed and recovered quickly if it goes down?
Verified fixed on Firefox 4.0b12pre.  Will this be backported?
Status: RESOLVED → VERIFIED
Hi Kathleen

I have no report about problems in our OCSP service. Can you give me more information about the error you have found?.

We have two platforms providing OCSP service, and our system department have a application that messure the OCSP availability and response time.

I can provide you with the figures about the ocsp service for the 17th of Feb.

Regards
Ramiro
(Reporter)

Comment 27

7 years ago
I just tried them again, and they're working. I haven't been able to reproduce the error. 

For the EV test sites I get the green bar. (I'm on FF 4.0b12)
You need to log in before you can comment on or make changes to this bug.