Closed Bug 669849 Opened 9 years ago Closed 7 years ago

Add T-Systems Root CA Certificate and enable it for EV

Categories

(NSS :: CA Certificate Root Program, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: carsten.dahlenkamp, Assigned: kwilson)

References

Details

(Whiteboard: In NSS 3.14, Firefox 18, EV in Firefox 23)

Attachments

(14 files, 1 obsolete file)

@All,

T-Systems would like to embed an additional Root CA into Mozilla's NSS and get it enabled for EV usage.
I have filled in the appropriate template to provide the requested information and attached it to the bug. 

Thanks
Carsten
Accepting this bug, to start the Information Verification phase.

https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Hi Kathleen,

We will update the document to answer the questions and provide more detailed information where needed.
Once finished we will upload it to this bug.

Thanks
  Carsten
Hi Kathleen,

sorry for the delay - due to holiday season and personal vacation it took a while to get all information to answer your questions.
I have attached a new version of the document, containing our replies.

Kind regards, 
   Carsten
Thank you for the information.

Where may I find the ServerPass CPS?

Also, please let me know when the updates are in place regarding OCSP max expiration time, and that Class 3 subCAs and RAs will only be internal.

I will get back to you regarding the EV testing question.
Hi Kathleen,

Information page regarding CP/CPS for service "ServerPass" can be found here:
http://www.telesec.de/serverpass/cps.html

Direct link to the valid version: 
http://www.telesec.de/downloads/CP_CPS_TeleSecServerPass_1.1.pdf

We are expecting that further amendments to our documentation may be needed, so our plan would be to collect all requested changes and create a new version containing those. Do you have any issues with this procedure?

Thanks for the support regarding EV testing.

Cheers
  Carsten
My links provided above contain the German version of the document only. I have attached the English translation of ServerPass' CP/CPS to this bug for your reference, too.

Thanks
Carsten
See https://wiki.mozilla.org/PSM:EV_Testing for an example of what the file should look like.

For your certificate
Subject:
    CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
Issuer:
    CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
Serial Number: 1 (0x1)

use the following entries for the test_ev_roots.txt file:

1_fingerprint 55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1
2_readable_oid 2.16.840.1.114028.10.1.2
3_issuer MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==
4_serial AQ==

REMEMBER to insert your own OID
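
Added example, not part of the original comment or of Mozilla's tooling: a small Python reader for the four-line test_ev_roots.txt entry quoted above, which decodes the base64 `3_issuer` and `4_serial` fields so they can be compared with the Subject and Serial Number shown in the same comment. The function names and the minimal DER reader are assumptions made for illustration; the reader handles only the name structure this entry contains.

```python
import base64

# Entry copied from the comment above; the OID is the one shown there.
ENTRY = """\
1_fingerprint 55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1
2_readable_oid 2.16.840.1.114028.10.1.2
3_issuer MIGCMQswCQYDVQQGEwJERTErMCkGA1UECgwiVC1TeXN0ZW1zIEVudGVycHJpc2UgU2VydmljZXMgR21iSDEfMB0GA1UECwwWVC1TeXN0ZW1zIFRydXN0IENlbnRlcjElMCMGA1UEAwwcVC1UZWxlU2VjIEdsb2JhbFJvb3QgQ2xhc3MgMw==
4_serial AQ==
"""

# DER content bytes of the attribute-type OIDs that occur in this issuer name.
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def issuer_dn(der):
    """Decode a DER-encoded X.501 Name into 'CN=...,OU=...,O=...,C=...' form."""
    tag, name, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    rdns = []
    for _, rdn_set in children(name):              # SET OF AttributeTypeAndValue
        for _, atv in children(rdn_set):           # SEQUENCE { type OID, value }
            (_, oid), (_, value) = children(atv)
            rdns.append(f"{ATTR.get(oid, oid.hex())}={value.decode('utf-8')}")
    return ",".join(reversed(rdns))                # DER stores C first; display puts CN first

def parse_entry(text):
    """Parse the '<n>_<key> <value>' lines and decode the encoded fields."""
    fields = dict(line.split(" ", 1) for line in text.splitlines() if line.strip())
    return {
        "fingerprint": bytes.fromhex(fields["1_fingerprint"].replace(":", "")),
        "oid": fields["2_readable_oid"],
        "issuer": issuer_dn(base64.b64decode(fields["3_issuer"])),
        "serial": int.from_bytes(base64.b64decode(fields["4_serial"]), "big"),
    }
```
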
Is this version of the document accurate? Please especially check the certificate summary and hierarchy information.
We reviewed document "Updated CA Information Document.pdf" and found no errors, typos, nor do we have any other issues. Thanks for the summary.

We will work on the EV testing beginning of next week - once finished we will come back to you (posting to this bug).
We have tested successfully the EV-enabling of our root certificate "T-TeleSec Global Root Class 3" using the Firefox build as recommended. Please find a screenshot as evidence attached to this bug.
BTW: As a Unix guy I set the required environment variable for this test using Windows' DOS box. And ran into trouble as it did not work - until finally I noticed that I had to define the variable under Windows itself.
Shame on me :-)
Attached file Completed CA Information Document (obsolete) —
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about two weeks. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may be in the discussion for
several weeks. When there are not enough people contributing to the discussions
ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Participating in other discussions is a great way to learn the expectations and
be prepared for the discussion of your request.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: EV - Information confirmed complete
(In reply to comment 13)
Typically this is because firefox is already running. If you quit firefox first, then environment variables set in a cmd.exe session will affect a firefox.exe launched from that session.
Where do you state how you protect your system against malware (e.g., viruses)?   

Where do you state your internal password controls?  Examples:  Do you require a different password for each distinct login?  Does anyone have all passwords, or do you limit passwords to different individuals according to their responsibilities?
Hi David,

please find our comments below:

1) Malware
==========

a) RA Desktop Clients:
All RA Operator desktop systems are managed by the T-Systems internal IT department. Desktop systems are using Windows desktop operating system along with an anti-virus protection suite. Software installation and update process is solely managed by skilled IT staff - users are not allowed to do so, nor do they have administrator privileges.
Software installation and updates are performed automatically once they are available - no user interaction required.
This includes, but is not limited to:
•	Microsoft updates for Windows operating system 
•	Update for AV software 
•	Update for virus patterns 

Those desktops do not have an internet connectivity. RA Operators are working with 2 desktop systems, one "standard" desktop client for email, internet, ... and a second desktop for RA business only.

b) Backend Server:
As all backend servers are either Linux or Unix systems, there is no virus protection present. Security patches are installed in a timely manner. The list of processes is monitored continuously.
 
Both statements above are not part of the appropriate CP/CPS. 
 
2) Password Controls
====================
ServerPass EV is using an internal RA for validation procedure. RA operator desktops are located within a separated office area to which access is restricted by smartcard access control.
Operators have to log into their desktops using username/password. The enterprise password rule set applies (e.g. password expiry, password history, enforced password length). Additionally a certificate based authorisation is required for RA Operator business.
All RA operator accounts are provided with the same level of access rights within the application.
The audit statements that I have appear to be from December of 2010. Are the new audit statements available?

My notes indicate that you were planning to update chapter 4.9.9 of the CPS for EV Service “ServerPass EV” to add a statement about OCSP in regards to 
CA/Browser Forum's EV Guidelines Section 26(b): “If the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service, it MUST update that service at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.” 

Has that been completed?
Hi Kathleen,

sorry for the delayed response - I was on Easter vacation for a couple of days.

Please find below the direct link to T-Systems latest WebTrust audit statement dated from the 17th of July 2011:

https://cert.webtrust.org/SealFile?seal=1219&file=pdf
https://cert.webtrust.org/SealFile?seal=1220&file=pdf

Kind regards,
Carsten
I have attached the audit statement PDF documents to the bug for your convenience.
We have included the OCSP requirements into the root CPS document (see attached pdf version). It describes the situation for the root-CA and furthermore it explicitly sets minimum requirements for every Sub-CA chaining to this root.

In section 4.9.9 it says:
"T-Systems  maintenance a OCSP responder signed by the Root-CA to validate issued Sub-CA certificates. OCSP responses are valid for three (3) days. The OCSP repository is updated within 24 hours in cases a certificate is revoked.

Sub-CA Requirements:
Sub-CAs must maintain an  OCSP responder to validate issued certificates. OCSP responses must have a maximum expiration time of ten (10) days. The OCSP repository must be updated at least every four (4) days."


Does this updated document meet Mozilla's requirement?
(In reply to Carsten from comment #24)
> ...
> Does this updated document meet Mozilla's requirement?

Yes. Please also push the update to your document repository
http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf
http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps.pdf
I have applied to upload them to our website. Will keep you informed :-)

BTW: We have included the "MitM" statement as requested by your latest communication into this version also.
Both CPS documents (German & English) on our website are now updated to the latest version 1.3:
http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf
http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps.pdf
Attachment #558978 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from T-Systems to add the “T-TeleSec GlobalRoot Class 3” root certificate, turn on the Websites trust bit, and enable EV.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “T-Systems Additional Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of T-Systems must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Draft Version 1.3.1 CPS T-TeleSec GlobalRoot Class 3: Amendments to clarify that no external Sub-CAs are allowed under this root CA
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “T-TeleSec GlobalRoot Class 3” root certificate, turn on the Websites trust bit, and enable EV.

Section 4 [Technical]. I am not aware of instances where T-Systems has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. T-Systems appears to provide a service relevant to Mozilla users. It is a wholly-owned subsidiary of Deutsche Telekom AG.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP, CPS, and the ServerPass CP/CPS, which are provided in English.

Document Repository: http://www.telesec.de/pki/roots.html
ServerPass CP/CPS (German): http://www.telesec.de/serverpass/cps.html
ServerPass CP/CPS (English): https://bugzilla.mozilla.org/attachment.cgi?id=555341
CP: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cp_en.pdf
CPS: http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf

Section 7 [Validation]. T-Systems appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Not applicable, not requesting the email trust bit.

* SSL: According to the ServerPass CP/CPS section 3.2.2, T-Systems verifies the organization, the authority of the certificate subscriber to request the certificate, and that the customer owns the domain or has been given the exclusive right to use the domain to be included in the certificate. Official directories and Whois are checked.

* Code: Not applicable, not requesting the code signing trust bit.

EV Policy OID: 1.3.6.1.4.1.7879.13.24.1

Section 15 [Certificate Hierarchy]. 
This is an offline root that will have internally-operated subordinate CAs corresponding to the high security services that are offered.

* CRL
** http://pki.telesec.de/rl/GlobalRoot_Class_3.crl
** http://crl.serverpass.telesec.de/rl/EV_SSL_CA_Class_3.crl (NextUpdate: 24hours)
** ServerPass CP/CPS section 4.9.7: The certificate revocation list (CRL), which contains the revoked certificates of end entities, is updated twice a day and published by the repository.

* OCSP
** EE Cert: http://ocsp.telesec.de/ocspr
** Intermediate Cert: http://ocsp.serverpass.telesec.de/ocspr
** Global Root Class 3 CPS section 4.9.9: Sub-CAs must maintain an OCSP responder to validate issued certificates. OCSP responses must have a maximum expiration time of ten (10) days. The OCSP repository must be updated at least every four (4) days.

Sections 9-11 [Audit]. Annual audits are performed by Ernst & Young GmbH according to the WebTrust for CA and EV criteria, and posted on the webtrust.org website.
https://cert.webtrust.org/SealFile?seal=1219&file=pdf
https://cert.webtrust.org/SealFile?seal=1220&file=pdf

Based on this assessment I intend to approve this request to add the “T-TeleSec GlobalRoot Class 3” root certificate, turn on the Websites trust bit, and enable EV.

There is one action item resulting from the discussion that will be tracked in this bug:

ACTION T-Systems: Make the draft version of the CPS as per Comment #31 official and post a comment in this bug when the new CPS is available on their website.
Whiteboard: EV - In public discussion → EV - Pending Approval
This is regarding the outstanding action item:
The draft version 1.3.1 of the CPS has gone through our procedure and is now available in a final version. We have uploaded it to our public website. 
It can be found at:
http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf

Thanks, Carsten
(In reply to Carsten from comment #33)
> This is regarding the outstanding action item:
> The draft version 1.3.1 of the CPS has gone through our procedure and is now
> available in a final version. We have uploaded it to our public website. 
> It can be found at:
> http://www.telesec.de/pki/service/GlobalRoot_Class_3/cps_en.pdf

Confirmed... section 1.3.1: "Issuing of external sub CA certificates is not offered under this root CA."

> ACTION T-Systems: Make the draft version of the CPS as per Comment #31 official
> and post a comment in this bug when the new CPS is available on their website.

Completed.
To the representatives of T-Systems: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #32, and on behalf of Mozilla I approve this request from T-Systems to include the following root certificate in Mozilla:

** T-TeleSec GlobalRoot Class 3  (websites), enable EV.

I will file the NSS and PSM bugs to effect the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Depends on: 760297
Depends on: 760313
I have filed bug #760297 against NSS and bug #760313 against PSM for the actual changes.
Attached file 2012 WebTrust EV
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → In NSS 3.14, Firefox 18, EV in Firefox 23
Product: mozilla.org → NSS