Bug 639763 - Add Swiss Government Root CA Certificate to Trusted Root Store
Status: RESOLVED WONTFIX (closed)
Opened 15 years ago; closed 14 years ago
Categories: CA Program :: CA Certificate Root Program (task)
Tracking: (Not tracked)
People: Reporter: philipp.langenegger; Assigned: kathleen.a.wilson
Whiteboard: Information incomplete
Attachments: 2 files
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
Build Identifier:
Request to add Swiss Government Root CA 1 and Swiss Government Root CA 2 to the Trusted Mozilla Root Store. Replaces old rejected request with Bug ID 435026...
Reproducible: Always
See CA Information Checklist
Will be attached soon
Comment 1 (Reporter) • 15 years ago

Comment 2 (Reporter) • 15 years ago

Comment 3 (Assignee) • 14 years ago
The attachments aren't working for me. I'll try changing the MIME type for the first one to see if I can figure it out.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: Information incomplete
Updated (Assignee) • 14 years ago
Attachment #517681 - Attachment mime type: application/x-x509-ca-cert → text/plain

Updated (Assignee) • 14 years ago
Attachment #517682 - Attachment mime type: application/x-x509-ca-cert → text/plain

Comment 4 (Assignee) • 14 years ago
The Issuer Field Values for these roots are:
  CN = Swiss Government Root CA I
  O = Admin
  OU = Services
  OU = Certification Authorities
  C = CH

  CN = Swiss Government Root CA II
  O = Admin
  OU = Services
  OU = Certification Authorities
  C = CH
That is interesting, because these roots show up under "Admin" in the Certificate Manager Authorities list.
Take a look... in Firefox click on Tools -> Certificate Manager -> Authorities
Import these two new roots, and see where they get displayed in the list, under "Admin".
Why did you choose to use "Admin" for the "O", and not something more descriptive like "Swiss Government"?
Anyways, since the CN has "Swiss Government" in it, I think it addresses the issue that was raised in the previous request.
https://bugzilla.mozilla.org/show_bug.cgi?id=435026#c38
https://wiki.mozilla.org/CA:Problematic_Practices#Generic_names_for_CAs
Please provide the information listed here:
https://wiki.mozilla.org/CA:Information_checklist
Then I will begin the Information Verification phase
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Comment 5 (Assignee) • 14 years ago
As soon as I posted my last comment, I started to receive feedback that it is not acceptable to have the "O" be so generic as "Admin". It could mislead users that rely on the issuer details (like hover with your mouse over the domain or organization section in the address bar).
Therefore, it appears that the new roots don't satisfy the requirement that the Issuer be meaningful. Both the O and the CN should be meaningful.
I will update the CA:Problematic_Practices wiki page to be more specific about this.
Comment 6 • 14 years ago
As the Swiss Government owns the domain "admin.ch", the O=admin, C=CH is correct (and the corresponding OID is officially registered). Thus, we need to have this entry in the certificate.
Because of the concerns that the full DN was not meaningful (the CN was Admin-Root-CA), we did change the CN entry to "Swiss Government Root CA I / II". We did that because we agree with the concerns that it might not be obvious for users outside Switzerland that the Swiss Government stands behind the DN / CA.
We also agree that it is possible that somebody might take notice of a CN entry only (which, as you know, is a part of the DN); that's why we understand the concerns regarding too generic CNs and that's why we processed a new Root Ceremony (audited by an accredited body and a Swiss notary). However, it's hard to imagine that somebody only relies on the O entry without considering the full DN or at least the CN.
I suggest for the policy that the CN and thus the DN must contain a meaningful description. The O entry must be true.
If the O field must be meaningful "stand-alone", that would be a problem for every firm/organisation with a name that is not meaningful (yet) but officially registered (in the beginnings, organisations such as "apple" would not have had a chance even if they are officially registered firms).
However, we are (still) admin.ch. This is registered and well established with millions of hits each day (in other words: unfortunately we are not able to change admin.ch).
Summary:
- We are admin.ch and we issue certificates for *.admin.ch
- We changed the CN to make it obvious for any user around the world (without taking reference to the registered OID) that the Swiss Government stands behind the CA.
- The users of Swiss Governance applications need to have a valid certificate chain also in Firefox
Comment 7 • 14 years ago
Dear Daniel,
First of all, the Organization field is displayed by Firefox, but also by many other browsers, as the Issuer of the certificate. You can check this by yourself and you'll see prominently: "Verified by: Organization Name".
It is NOT acceptable that a meaningless phrase like "Admin" is used for the organization field or common name. The legal identifier must be used in this context.
While we are at it, to all of my knowledge there is no entity called the "Swiss Government" either. Most likely your CA is operated by a specific ministry or one of the federal authorities of the Swiss Confederation. However, it's hard to believe that your CA is operated by the Federal Council (Bundesrat) or the national council (Parliament) or the council of states (Staenderat) directly. Perhaps it's the Federal Administration of Switzerland, but I don't know.
In any case, you'll have to use the most correct and legal name for your CA, the one which is directly responsible for your CA. The domain you are using has no relevance for the organization field (besides, you aren't using the domain name either, but just "admin").
As to organization names in certificates, "apple" wouldn't be acceptable, but "Apple, Inc." is. Or "Admin GmbH" or similar might be an existing and legal entity, but "admin" is not.
Comment 8 • 14 years ago
Dear Eddy,
Thanks for your comments.
I completely agree: all that is mentioned in the certificate must be true. That is! We are the Administration of Switzerland. The term "ADMIN" is indeed legally registered. We can prove this with a formal act of disposal (Verfügung) that proves the registration of the RDN name (ADMIN) and the registration number 2 16 756 1 17. I now possess a copy of this legal document and I can send you a scanned version (unfortunately in German only).
Dear all,
I have a question for the whole user group: do you agree that it is important (and sufficient) that the O entry is true and that additionally the CN (and thus the DN) must be meaningful?
In other words: do you think our request can be processed if we can prove the content? I would be glad to hear different voices...
Kind regards and have a nice weekend,
Daniel
Comment 9 • 14 years ago
(In reply to comment #8)
> We are the Administration of Switzerland. The term "ADMIN" is indeed
> legally registered. We can prove this with a formal act of disposal (Verfügung)
> that proves the registration of the RDN name (ADMIN) and the
> registration number 2 16 756 1 17. I now possess a copy of this legal
> document and I can send you a scanned version (unfortunately in German only).
German is fine. ;-)
However, I believe we would have to find out together what an acceptable name for the organization field would be for your CA. I would object to "Admin" itself standing alone. Firefox would claim that so-and-so is "Verified by: Admin".
I can understand the inconvenience this will cause you, but better we fix this now than later.
Comment 10 (Assignee) • 14 years ago
The Issuer Field Values for a root certificate to be included in NSS must be meaningful, and clearly identify the organization responsible in the appropriate way. The O and CN values must be much more specific than "admin" or "root".
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
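The policy stated in comment 10 can be checked mechanically: decode the Issuer Name of a root, then refuse any O or CN value that is only a generic word. The block below is an added example, not code from this bug, from Mozilla or from NSS. It contains a minimal DER encoder/decoder for an X.501 Name (enough for single-valued RDNs with the attribute types seen here) and a `check_issuer` function that applies the rule. The first DN is the one quoted in comment 4 for "Swiss Government Root CA I"; the generic-word list and the second, passing DN ("Example Organisation AG") are constructed for the example and do not describe any real CA.

```python
# Decode an X.509 issuer Name from DER and flag generic O / CN values.
# Added example; the DER helpers, the generic-word list and the passing
# DN are constructed here and are not part of the bug or of NSS.

# Attribute types that appear in the DNs under discussion (X.520 OIDs)
ATTR_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
OID_BY_ATTR = {v: k for k, v in ATTR_OIDS.items()}

# Words that are not an organisation name on their own (constructed list)
GENERIC_NAMES = {"admin", "root", "ca", "default", "certification authority"}


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:          # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """rdns: (attr, value) pairs in DER order (C first, CN last), one single-valued RDN each."""
    sets = []
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C   # PrintableString for C, else UTF8String
        atv = _tlv(0x30, _encode_oid(OID_BY_ATTR[attr]) + _tlv(string_tag, value.encode("utf-8")))
        sets.append(_tlv(0x31, atv))                 # SET OF AttributeTypeAndValue
    return _tlv(0x30, b"".join(sets))                # SEQUENCE OF RelativeDistinguishedName


def _read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_name(der):
    """Decode a DER Name into (attr, value) pairs in DER order; unknown OIDs are kept dotted."""
    tag, name_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(name_body):
        tag, rdn, pos = _read_tlv(name_body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            dotted = _decode_oid(oid)
            rdns.append((ATTR_OIDS.get(dotted, dotted), value.decode("utf-8")))
    return rdns


def check_issuer(rdns):
    """Findings for an issuer DN; an empty list means O and CN are present and not generic."""
    findings, values = [], {}
    for attr, value in rdns:
        values.setdefault(attr, []).append(value)
    for attr in ("O", "CN"):
        for value in values.get(attr, []):
            if value.strip().lower() in GENERIC_NAMES:
                findings.append(f"{attr}={value!r} is a generic name")
        if attr not in values:
            findings.append(f"{attr} is missing")
    return findings


# Issuer DN of "Swiss Government Root CA I" as quoted in comment 4, in DER order
ISSUER_ROOT_CA_I = encode_name([("C", "CH"), ("OU", "Certification Authorities"),
                                ("OU", "Services"), ("O", "Admin"),
                                ("CN", "Swiss Government Root CA I")])
# Constructed DN that passes the check (placeholder organisation, not a real CA)
ISSUER_OK = encode_name([("C", "CH"), ("O", "Example Organisation AG"),
                         ("CN", "Example Organisation Root CA")])

if __name__ == "__main__":
    for label, der in (("Root CA I", ISSUER_ROOT_CA_I), ("constructed", ISSUER_OK)):
        rdns = decode_name(der)   # Firefox displays the RDNs in reverse (CN first)
        print(label, ", ".join(f"{a}={v}" for a, v in reversed(rdns)), check_issuer(rdns) or "OK")
```

Running the block reports `O='Admin' is a generic name` for the first DN and `OK` for the constructed one; the CN "Swiss Government Root CA I" passes on its own, which is exactly why the bug's conclusion is that both O and CN must be meaningful rather than either one alone.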
Updated • 8 years ago
Product: mozilla.org → NSS
Updated • 3 years ago
Product: NSS → CA Program