Closed
Bug 577665
Opened 14 years ago
Closed 12 years ago
Add Trustis FPS Root CA certificate
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rob.horne, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: In FF16)
Attachments
(5 files, 1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 Build Identifier: Trustis Ltd. is one of the UK's leading authorities in Public Key Infrastructure and digital certificates. Our Trustis FPS Root CA has just passed the WebTrust audit (see http://cert.webtrust.org/ViewSeal?id=1060), is ISO 27001 accredited and has been tScheme approved (https://www.tscheme.org/directory/trustis/index.html). Additionally, the Trustis FPS Root CA is a current member of Microsoft's Root Certificate Program: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp A copy of the Trustis FPS Root CA certificate and CRL can be obtained here: http://www.trustis.com/roots/fps/index.html Should you require a copy of our FPS Root Certificate Policy, we can provide it as an attachment to this request. Reproducible: Always
This is the resubmission of bug 324126. I believe the only thing missing then was a successful WebTrust audit which has now been completed. If you need anything else let me know asap as I would really like to get this sorted quickly. Thanks!
Assignee | ||
Comment 3•14 years ago
|
||
Accepting this bug. I will start the Information Gathering and Verification phase as per https://wiki.mozilla.org/CA:How_to_apply, referencing the info from bug 324126.
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: This is an enhancement request to include the Trustis FPS Root CA certificate in Mozilla's built-in list of approved Root CA certificates. → Add Trustis FPS Root CA certificate
Whiteboard: Information incomplete
Assignee | ||
Comment 4•14 years ago
|
||
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Hi Kathleen, sorry for the delay but I'm almost ready to submit the answers to your questions. Should be in the next couple of days.
Hi Kathleen, at long last I've just uploaded the response to all the questions asked on 07-21-2010.
Assignee | ||
Comment 8•14 years ago
|
||
Thank you for the information. In regards to Organization Identity Verification, Domain Name Ownership/Control Verification, and Email Address Ownership/Control verification, you refer me to "GAF Level 2". However, I have reviewed both the Certificate Policy and the PKI Disclosure Statement, and I do not see a statement in either of them saying that GAF Level 2 or GAF Level 3 must be met in verifying these things. I don't see a link to the UK Government Authentication Framework (GAF), in either document, so I haven't reviewed the GAF and I don't yet know what GAF Level 2 and Level 3 are. Additionally, we expect CAs to include information in their CP/CPS about steps that they require RAs to take to do the verification -- it's not sufficient to just reference documents/guidelines from others. In regards to RAs, I don't understand what the following means: "Where third party RAs conduct authentication any domain or email validation is part of those more rigorous authentication checks. We do not delegate just domain or just email validation alone to any third parties."
Hi Kathleen, There is no statement in the CP/CPS etc to say what level of verification is undertake as it is defined by the Issuing Authority through the enrolment requirements. As Trustis may issue certs under the FPS root to differing enrolment requirements it is not specified in the CP/CPS etc. Although in practice, certs are issued after verification to GAF level 2 or 3. Links to GAF are below: http://www.cabinetoffice.gov.uk/media/252559/regindividualsv2.pdf http://www.cabinetoffice.gov.uk/media/252565/registra_orgs_v2.pdf In response to your last para, although this forms part of the authentication process it is not separated out from the remainder of the verification process. In other words, we don't farm out part of the process to a third party. I hope this makes sense.
Assignee | ||
Comment 10•14 years ago
|
||
I see that the GAF documents address verification of identity, organization, and authority. However, the Trustis documents don't appear to actually reference the GAF documents and state that those guidelines must be followed. Also, please see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership and https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control The issue of needing publicly available documentation about the practices/policies in regards to verification of organization, domain name, and email address is a show stopper for us because we rely on publicly available documentation and audits of those documented processes to ascertain that the CA takes reasonable measures to confirm this information.
Reporter | ||
Comment 11•14 years ago
|
||
Hi Kathleen, We reference the HMG Documents and verification process in a number of formats locations depending on the Trustis FPS service. As FPS operates to a universal minimum standard (i.e. all services although varied MUST meet the minimum standards) it is best to look at the minimum standards document. You can find this at http://www.trustis.com/pki/fpsia/ under the link for Enrolment Requirements, or go direct to http://www.trustis.com/pki/fpsia/policy/T-0104-002-ATL-013-Trustis-FPS-Minimum-Enrolment-Requirements-V3_0.pdf This covers all the enrolment info and I believe it addresses the points you raise above in that the GAF standard for verification are referenced and outlined and it specifies the evidence validity and corroboration requirements for all aspects of enrolment including the specific points you make above namely email address and domain registration. Hopefully there's no other show-stoppers alongt the way!
Assignee | ||
Comment 12•14 years ago
|
||
Assignee | ||
Comment 13•14 years ago
|
||
This request has been added to the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion Now that you have a request in the Queue for Public Discussion, you are directly impacted by the time it takes to work through the queue. The goal is to have each discussion take about two weeks. However, that time varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. If no one reviews and contributes to a discussion, then a request may be in the discussion for several weeks. When there are not enough people contributing to the discussions ahead of yours, then your request will sit in the queue longer. How can you help reduce the time that your request sits in the queue? You can help by reviewing and providing your feedback in the public discussions of root inclusion requests, or by asking a knowledgeable colleague to do so. Participating in other discussions is a great way to learn the expectations and be prepared for the discussion of your request. Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: Information incomplete → Information confirmed complete
Reporter | ||
Comment 14•14 years ago
|
||
Thanks for all your hard work Kathleen, much appreciated. One question I do have is now we're in the queue do you have any idea how long it takes to get to the actual discussion phase?
Assignee | ||
Comment 15•14 years ago
|
||
Please see my posting about the discussion queue that I added today in mozilla.dev.security.policy.
Reporter | ||
Comment 16•13 years ago
|
||
Hi Kathleen, a coouple of updates for you. To get the WebTrust audit more in line with our internal audit cycle we've gone through the assessment early and have had our WebTrust renewed. The latest audit report is at: https://cert.webtrust.org/ViewSeal?id=1120 We've also been through version 2.0 of the Mozilla CA Cerificate Policy and have not found any part where we do not comply.
Assignee | ||
Comment 17•13 years ago
|
||
Thanks for sending the current audit url, and for reviewing version 2.0 of the Mozilla CA Certificate Policy. I will update my records.
Assignee | ||
Comment 18•13 years ago
|
||
Please review the CA Communication that was recently sent, and is available here: https://wiki.mozilla.org/CA:Communications Please add a comment to this bug to provide your response to the action items listed in the CA Communication. For more information about action items #1 and #3, please see items #6 and #7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
Reporter | ||
Comment 19•13 years ago
|
||
Hi Kathleen, in response to your request: 1) This is well underway with no sign of intrusion to date. 2) We have no cross signed certificates. 3) We are in the process of confirming this but so far all accounts checked require 2 factor authentication. 4) We have retrospective checking in place - all certificates issued are reviewed each day. All certificate requests need manual checking and accounts capable of issuing certificates have been advised of the domains to be aware of. 5) We have no external CAs and one external RA. We are investigating the best approach to answering this. As our answers are refined I will update this bug.
Reporter | ||
Comment 20•13 years ago
|
||
Hi Kathleen, I was wondering if the queue is likely to go back to processing one applicant every two weeks?
Assignee | ||
Comment 21•13 years ago
|
||
Rob, Thanks for your response to the CA Communication action items (Comment #19). In regards to Comment #20, that is my goal, but it may take a little more time to get there.
Assignee | ||
Comment 22•13 years ago
|
||
It looks like this request is next in the queue for discussion. I'll plan to start the discussion in early January. In the meantime, please provide an update to Comment 19.
Reporter | ||
Comment 23•13 years ago
|
||
Kathleen, that's great news, thanks! Update to Comment 19: 1) We have audited our PKI and no sign of intrusion or compromise is evident. The audit also reviewed the network security controls and found no potential issues. 2) We have no cross signed certificates. 3) We can confirm that all accounts capable of directly causing certificate issuance require two factor authentication. 4) All certificate requests require manual checking and RA Operators have been advised of the domains to be aware of. Each day all certificates issued in the last 24 hours are checked against the list of domains. 5) Still under investigation but hope to have this covered by early January.
Assignee | ||
Comment 24•12 years ago
|
||
Attachment #490635 -
Attachment is obsolete: true
Assignee | ||
Comment 25•12 years ago
|
||
I am now opening the first public discussion period for this request from Trustis to add the “Trustis FPS Root CA” root certificate, and turn on the websites and email trust bits. For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list. http://www.mozilla.org/community/developer-forums.html https://lists.mozilla.org/listinfo/dev-security-policy news://news.mozilla.org/mozilla.dev.security.policy The discussion thread is called “Trustis Root Inclusion Request” Please actively review, respond, and contribute to the discussion. A representative of Trustis must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
Reporter | ||
Comment 26•12 years ago
|
||
Hi Kathleen, a quick update for you regarding our WebTrust compliance. The audit conducted at the end of November 2011 was successful but we're still waiting on KPMG to issue the report.
Reporter | ||
Comment 27•12 years ago
|
||
Our WebTrust compliance has been recertified and the latest confirmation is at https://cert.webtrust.org/ViewSeal?id=1250 We will be answering the questions on the public discussion thread in the next day or two.
Assignee | ||
Comment 28•12 years ago
|
||
Please respond here to the recent CA Communication: https://wiki.mozilla.org/CA:Communications#February_17.2C_2012
Reporter | ||
Comment 29•12 years ago
|
||
Here are our answers to the recent CA Communication: 1) SubCAs are technically and/or contractually restricted to only issue certificates to domains that they legitimately own or control, and they are specifically not allowed to use their subordinate certificates for the purpose of MITM. Furthermore, the contract allows us to audit the customer and we can monitor all certificates the Sub CA issues so we can revoke any MITM certs. 2) The required statement will be added and the link sent to you. 3) We have not issued any EV SSL certificates. When we do so we plan to add these requirements to the service-specific documentation. 4) We have never used MD5; all keys in CAs or EEs are 2048. 5) We hope to have a response to this requirement with you by 03/26/12.
Assignee | ||
Comment 30•12 years ago
|
||
The public comment period for this request is now over. This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/ Here follows a summary of the assessment. If anyone sees any factual errors, please point them out. To summarize, this assessment is for the request to add the “Trustis FPS Root CA” root certificate, and turn on the websites and email trust bits. Section 4 [Technical]. I am not aware of instances where Trustis has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report. Section 6 [Relevancy and Policy]. Trustis appears to provide a service relevant to Mozilla users; it is a commercial CA operating primarily in the UK and Europe. Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the Certificate Policy and the Minimum Enrolment Requirements, which are in English. http://www.trustis.com/pki/fpsia/ http://www.trustis.com/pki/fpsia/policy/T-FPS-CP-V1-04.pdf http://www.trustis.com/pki/fpsia/policy/T-0104-002-ATL-013-Trustis-FPS-Minimum-Enrolment-Requirements-V3_0.pdf Section 7 [Validation]. Trustis appears to meet the minimum requirements for subscriber verification, as follows: * Email: According to the CP and the Minimum Enrolment Requirements, back contact using the declared email address and or third party corroboration is undertaken as part of the enrolment process. Certificates are not issued on the basis of email address only. Applicants must fulfil all identity verification requirements AND prove ownership of the email address to be identified in the certificate. * SSL: According to the CP and the Minimum Enrolment Requirements, the registration data for the domain is collected from approved and/or third party public sources (WHOIS) and corroborated against the information verified as part of the individual or organisation registration submitted in the application. Where third party or public evidence does not provide corroboration of ownership of a domain, or an organisation or individual controls a domain not registered with it. Certified written evidence of ownership/control must be provided. This is verified and/or corroborated with the registered owner of the domain. * Code: Trustis is not requesting the Code Signing trust bit at this time. EV Policy OID: Trustis is not requesting EV treatment at this time. Section 15 [Certificate Hierarchy]. This root signs internally-operated Issuing CAs that sign end-entity certs. The Trustis FPS Enterprise Authority is the subCA used for issuing general SSL certificates. The Trustis DTP Issuing Authority does not issue SSL certificates. The Trustis Healthcare Issuing Authority issues SSL certificates to UK NHS facilities. * CRL http://www.trustis.com/pki/fps/crl/fpsder.crl http://www.trustis.com/pki/trustis-ssl/crl/ee.crl (NextUpdate: 24 hours) CP section 4.4.9: CRL for end-entity certs is scheduled at least every 24 hours. * OCSP is not currently provided Sections 9-11 [Audit]. Trustis’ audits are performed annually by KPMG and posted on the webtrust.org website: https://cert.webtrust.org/ViewSeal?id=1250 Based on this assessment I intend to approve this request to add the “Trustis FPS Root CA” root certificate, and turn on the websites and email trust bits.
Whiteboard: In public discussion → Pending Approval
Reporter | ||
Comment 31•12 years ago
|
||
That's great news Kathleen, thanks very much for your help during this long process. Here's our updated response to the Feb 17 CA Communication: 1) We don't allow the issuance of these types of certificates from any of our sub CAs. So our response for your table is: B* *Note Trustis does not have any Sub CAs operated by third parties but the CP permits it. 2) Our legal Dept and Policy Authority assert that our existing policy enforces this. However for clarity our Root CA PDS has been updated and can be found here http://www.trustis.com/pki/fps/policy/PKI-disclosure.htm (Formatting will be improved as soon as our web guy is back in). Our response for your table is: CP/CPS does not allow MITM usage 3) The root application we have submitted does not cover EV certificates so our response for your table is: N/A 4) We have never used MD5. All keys in CAs are at a minimum 2048. We transitioned to 2048 bit key size for all End Entity keys some time ago. Our response for your table is: Confirmed 5) Trustis are reviewing the applicability of the CAB Forum Baseline requirements to our range of services and shall be adopting them as appropriate. So our response for your table is: IP
Assignee | ||
Comment 32•12 years ago
|
||
Thank you for the update. Now that I have stated my intent to approve this request, I will wait a couple more days to allow for further input. Then I plan to approve the request and create the corresponding NSS bug for making the actual changes.
Assignee | ||
Comment 33•12 years ago
|
||
To the representatives of Trustis: Thank you for your cooperation and your patience. To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request. As per the summary in Comment #30, and on behalf of Mozilla I approve this request from Trustis to include the following root certificate in Mozilla: * Trustis FPS Root CA (websites, email) I will file the NSS bug to effect the approved changes.
Whiteboard: Pending Approval → Approved - awaiting NSS
Assignee | ||
Comment 34•12 years ago
|
||
I have filed bug #742514 against NSS for the actual changes.
Assignee | ||
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → In FF16
Assignee | ||
Comment 35•9 years ago
|
||
Assignee | ||
Comment 36•8 years ago
|
||
Assignee | ||
Comment 37•8 years ago
|
||
I exchanged email with the auditor to confirm the authenticity of the attached audit statement.
Updated•7 years ago
|
Product: mozilla.org → NSS
Updated•1 year ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•