Bug 661681 - Enable A-Trust-nQual-03 root certificate for EV in PSM
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: All All
Importance: -- enhancement
Target Milestone: mozilla11
Assigned To: Kai Engert (:kaie)
Depends on: 661672
Blocks: 530797
Reported: 2011-06-02 14:46 PDT by Kathleen Wilson
Modified: 2011-12-18 15:39 PST

Attachments
Patch v1 (1.30 KB, patch)
2011-07-20 07:45 PDT, Kai Engert (:kaie)
honzab.moz: review+

Description Kathleen Wilson 2011-06-02 14:46:49 PDT
Per bug #530797 the request from A-Trust has been approved to enable its A-Trust-nQual-03 root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows.

Friendly name: A-Trust-nQual-03
SHA1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/
Comment 1 Kathleen Wilson 2011-06-02 14:47:58 PDT
Christoph, Please confirm that the above information is correct.

Also, please perform the testing described on the following wiki page, and post
a comment in this bug when the testing has been successfully completed.

https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Comment 2 klein 2011-06-17 02:15:54 PDT
The self-signed A-Trust-nQual-03 only issues intermediate CA certificates; the EV end-user certificates are issued by the intermediate CA a-sign-SSL-EV-03.

Friendly name: a-sign-SSL-EV-03
SHA1 Fingerprint: FD:65:2B:F7:C2:3B:F6:91:17:F6:81:7E:95:84:7B:CF:15:51:75:77
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/
Comment 3 Kathleen Wilson 2011-06-20 14:55:04 PDT
Since we store the root (not intermediate) cert information in NSS, we also use the root cert information (friendly name) to enable EV in PSM. 

Please confirm that the root cert info is as follows.
Friendly name: A-Trust-nQual-03
SHA1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
EV policy OID: 1.2.40.0.17.1.22 
Test URL: https://test1.a-trust.at/

Also, please perform the testing described on the following wiki page, and post
a comment in this bug when the testing has been successfully completed.
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Comment 4 Kai Engert (:kaie) 2011-07-12 11:17:56 PDT
Subject:
    CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Issuer:
    CN=A-Trust-nQual-03,OU=A-Trust-nQual-03,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT
Serial Number: 93214 (0x16c1e)
Issuer DER Base64:
MIGNMQswCQYDVQQGEwJBVDFIMEYGA1UECgw/QS1UcnVzdCBHZXMuIGYuIFNpY2hl
cmhlaXRzc3lzdGVtZSBpbSBlbGVrdHIuIERhdGVudmVya2VociBHbWJIMRkwFwYD
VQQLDBBBLVRydXN0LW5RdWFsLTAzMRkwFwYDVQQDDBBBLVRydXN0LW5RdWFsLTAz
Serial DER Base64:
AWwe
Fingerprint (MD5):
    49:63:AE:27:F4:D5:95:3D:D8:DB:24:86:B8:9C:07:53
Fingerprint (SHA1):
    D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
Comment 5 Kai Engert (:kaie) 2011-07-12 11:44:10 PDT
I'm running a test build which attempts to enable your cert for EV.
It does not work, I only get the basic DV status.

I would like to ask A-Trust to perform your own testing, see comment 3 for the link to more information.

The information I've given to you in comment 4 should enable you to follow the instructions easily.
Comment 6 Kai Engert (:kaie) 2011-07-12 12:11:07 PDT
A mistake that many CAs run into is an OCSP responder certificate that doesn't conform to the RFCs.
Comment 7 Kai Engert (:kaie) 2011-07-12 12:27:02 PDT
So, I debugged what's wrong with your environment, and I stopped at the first issue:

Your issuing (intermediate) certificate does not include any policy OID.

It must either list your EV policy OID, or the special "any policy" OID.
Comment 8 Kai Engert (:kaie) 2011-07-13 04:00:04 PDT
Although your infrastructure is not yet working to our expectation,
I have enabled your root for EV in the build.

This means you may not need to go through the steps mentioned in comment 3, under the assumption that the data in comment 4 is correct.

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-34aa937b13fb/try-win32/firefox-8.0a1.en-US.win32.zip
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-34aa937b13fb/try-linux/firefox-8.0a1.en-US.linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-34aa937b13fb/try-linux64/firefox-8.0a1.en-US.linux-x86_64.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-34aa937b13fb/try-macosx64/firefox-8.0a1.en-US.mac.dmg

Please note, we require that we get a positive EV test, prior to enabling your CA for EV in Firefox.
Comment 9 klein 2011-07-18 02:05:11 PDT
We corrected the certificate, the anyPolicy identifier is now included in our intermediate certificate.

We are still not able to get a positive EV authentication using the test website (https://test1.a-trust.at).

Thank you for your help,
Regards Christoph
Comment 10 Kai Engert (:kaie) 2011-07-18 07:47:57 PDT
Quoting from:
  http://www.cabforum.org/Guidelines_v1_3.pdf
  Guidelines For The Issuance And Management Of Extended Validation Certificates
  Version 1.3

(I believe this is the most recent version.)


Problem 1
=========

(2) Subordinate CA Certificate
(A) certificatePolicies

You have fixed that, after I made you aware. Fixed.


Problem 2
=========

Referring to
  Appendix B - Extensions for EV Certificates Intended for use with SSL/TLS (Normative)
  (3) Subscriber Certificate
  (B) cRLDistributionPoint
  "If present, it MUST contain the HTTP URL of the CA's CRL service."

The subscriber certificate used by
  https://test1.a-trust.at/
contains a cRLDistributionPoint extension, but it contains an LDAP URL, not HTTP URL.

I believe you violate the EV guidelines.


Problem 3
=========

Referring to
  Appendix B - Extensions for EV Certificates Intended for use with SSL/TLS (Normative)
  (2) Subordinate CA Certificate
  (B) cRLDistributionPoint
  "This extension MUST be present ...
   It MUST contain the HTTP URL of the CA's CRL service."

The subordinate/intermediate CA certificate used by
  https://test1.a-trust.at/
contains a cRLDistributionPoint extension, but it contains an LDAP URL, not HTTP URL.

I believe you violate the EV guidelines.


Problem 4
=========

The subordinate CA cert does not contain an AIA/OCSP http URL.
It's absent.

The EV guidelines allow that to be absent.

Unfortunately that's a problem for Firefox, because we don't support automatic CRL download (yet), we require OCSP in subordinates for EV to work.
Comment 11 Kathleen Wilson 2011-07-18 14:44:18 PDT
(In reply to comment #10)
> 
> Problem 4
> =========
> 
> The subordinate CA cert does not contain an AIA/OCSP http URL.
> It's absent.
> 
> The EV guidelines allow that to be absent.
> 
> Unfortunately that's a problem for Firefox, because we don't support
> automatic CRL download (yet), we require OCSP in subordinates for EV to work.


It is the responsibility of the CA to demonstrate (using the provided test) that their EV SSL certificate hierarchy works as expected in Firefox. For the time being, this means that the intermediate certificate needs to have the OCSP URI in the AIA.

Item 14 (fifth bullet) of https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate
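The three profile requirements argued over in comments 7, 10 and 11 (an intermediate must carry the EV policy OID or anyPolicy; cRLDistributionPoints must be an HTTP URL and is mandatory in the subordinate CA certificate; Firefox needs an HTTP OCSP URL in the AIA because it did not fetch CRLs) are easy to check mechanically before asking a browser vendor to debug them. The following is an added example written for this page, not code from PSM, NSS or A-Trust: it uses Go's standard crypto/x509 to build a constructed, self-signed stand-in for an issuing CA certificate in both the broken shape Kai describes (no policies, LDAP-only CRL DP, no OCSP) and the corrected shape, and runs the checks over each. The subject name and the crl.example.test/ocsp.example.test URLs are made up; the only real identifier is the A-Trust EV policy OID 1.2.40.0.17.1.22 from the bug. The subscriber-certificate rule (the leaf must carry the EV OID itself, anyPolicy is not enough) is a generalisation beyond the comments, reflecting how EV matching by policy OID works.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// 1.2.40.0.17.1.22 is the A-Trust EV policy OID from the bug; 2.5.29.32.0 is
// anyPolicy, which comment 7 accepts in the intermediate instead of the EV OID.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidAnyPolicy           = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	oidATrustEV            = asn1.ObjectIdentifier{1, 2, 40, 0, 17, 1, 22}
)

// policyInformation mirrors RFC 5280 PolicyInformation without qualifiers.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// certificatePoliciesExt hand-encodes the extension so the example does not
// depend on whether the local Go marshals Certificate.PolicyIdentifiers or
// Certificate.Policies when creating certificates.
func certificatePoliciesExt(oids ...asn1.ObjectIdentifier) pkix.Extension {
	pis := make([]policyInformation, 0, len(oids))
	for _, o := range oids {
		pis = append(pis, policyInformation{Policy: o})
	}
	der, err := asn1.Marshal(pis)
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}
}

// CheckEVChainCert returns the profile problems from comments 7, 10 and 11
// for one certificate of an EV chain. subordinate selects the intermediate
// rules (anyPolicy allowed, cRLDistributionPoints mandatory); otherwise the
// subscriber rules apply (EV OID required, cRLDistributionPoints optional).
func CheckEVChainCert(c *x509.Certificate, evOID asn1.ObjectIdentifier, subordinate bool) []string {
	var problems []string
	hasPolicy := false
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(evOID) || (subordinate && p.Equal(oidAnyPolicy)) {
			hasPolicy = true
		}
	}
	if !hasPolicy {
		problems = append(problems, "certificatePolicies does not carry "+evOID.String()+" (or anyPolicy)")
	}
	// EV Guidelines Appendix B: a CRL DP, where present, must be an HTTP URL,
	// and a subordinate CA certificate must have the extension at all.
	if subordinate && len(c.CRLDistributionPoints) == 0 {
		problems = append(problems, "cRLDistributionPoints absent from subordinate CA certificate")
	}
	for _, u := range c.CRLDistributionPoints {
		if !strings.HasPrefix(strings.ToLower(u), "http://") {
			problems = append(problems, "cRLDistributionPoints is not an HTTP URL: "+u)
		}
	}
	// Firefox had no automatic CRL download, so EV needed an HTTP OCSP URL
	// in the AIA (comment 11); a missing or non-HTTP entry fails.
	ocsp := false
	for _, u := range c.OCSPServer {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			ocsp = true
		}
	}
	if !ocsp {
		problems = append(problems, "authorityInfoAccess has no HTTP OCSP URL")
	}
	return problems
}

// BuildToyIntermediate creates a constructed, self-signed stand-in for an
// issuing CA certificate. fixed=false reproduces the profile Kai describes
// (no policies, LDAP-only CRL DP, no OCSP); fixed=true is the corrected one.
// The name and URLs are made up for this example and are not A-Trust's.
func BuildToyIntermediate(fixed bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "toy-sign-SSL-EV"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if fixed {
		tmpl.ExtraExtensions = []pkix.Extension{certificatePoliciesExt(oidAnyPolicy)}
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/toy-sign-ssl-ev.crl"}
		tmpl.OCSPServer = []string{"http://ocsp.example.test/"}
	} else {
		tmpl.CRLDistributionPoints = []string{"ldap://ldap.example.test/cn=toy-sign-SSL-EV?certificateRevocationList"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, fixed := range []bool{false, true} {
		c, err := BuildToyIntermediate(fixed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("fixed=%v problems=%q\n", fixed, CheckEVChainCert(c, oidATrustEV, true))
	}
}
```

To run the same checks on a real chain, replace BuildToyIntermediate with x509.ParseCertificate over the DER of each certificate served by the test site and call CheckEVChainCert with subordinate=true for the intermediate and subordinate=false for the leaf; an empty result for every certificate is the precondition for the wiki test in comment 3 to have a chance of going green.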
Comment 12 klein 2011-07-20 05:16:30 PDT
Hello!

We modified our certificates and were able to successfully test the EV certificate on https://test1.a-trust.at (Browser bar went green).

Regards,
Christoph
Comment 13 Kai Engert (:kaie) 2011-07-20 07:45:41 PDT
Created attachment 547092
Patch v1

This is the patch that was included in the test build and was confirmed to work by the CA.

Requesting code review.
Comment 14 Kai Engert (:kaie) 2011-07-20 07:46:18 PDT
(In reply to comment #12)
> 
> We modified our certificates and were able to successfully test the EV
> certificate on https://test1.a-trust.at (Browser bar went green).

Ok. I was able to repeat the test and get a green result, too.
Comment 15 Honza Bambas (:mayhemer) 2011-07-20 08:19:30 PDT
Comment on attachment 547092
Patch v1

r=honzab
Comment 16 Kai Engert (:kaie) 2011-12-18 07:11:32 PST
I apologize for the late landing; I overlooked that this had been ready for quite a while.

https://hg.mozilla.org/integration/mozilla-inbound/rev/123160236bf1
Comment 17 Matt Brubeck (:mbrubeck) 2011-12-18 15:39:15 PST
https://hg.mozilla.org/mozilla-central/rev/123160236bf1