Closed Bug 680979 Opened 13 years ago Closed 12 years ago

Add Security Communication RootCA2 certificate to NSS

Categories

(NSS :: CA Certificates Code, task)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

This bug requests inclusion in the NSS root certificate store of the following
certificate, owned by SECOM.

Friendly name: Security Communication RootCA2
Certificate location: https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
SHA1 Fingerprint: 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74
Trust flags: Websites, Email, Code Signing
Test URL: https://scrootca2test.secomtrust.net

This CA has been assessed in accordance with the Mozilla project guidelines,
and the certificate approved for inclusion in bug #527419.

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate has been attached.

2) A Mozilla representative creates a patch with the new certificate, and
provides a special test version of Firefox.

3) A representative of the CA uses the test version of Firefox to confirm (by
adding a comment in this bug) that the certificate has been correctly
imported and that websites work correctly.

4) The Mozilla representative requests that another Mozilla representative
review the patch.

5) The Mozilla representative adds (commits) the patch to NSS, then closes this
bug as RESOLVED FIXED.

6) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.
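
Step 1 depends on the attached certificate being the one whose fingerprint is listed above. As an added example (not part of the original bug and not NSS code), this Python check computes the SHA-1 fingerprint of a certificate file saved as PEM or DER and compares it with the value in this bug; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Fingerprint as published in this bug's description.
BUG_SHA1 = "5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the file was saved as PEM or as raw DER."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return data

def normalize_fp(text: str) -> str:
    """Drop separators and case so 'AB:cd', 'ab cd' and 'ABCD' compare equal."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return hexdigits

def sha1_fingerprint(cert_file_bytes: bytes) -> str:
    """Colon-separated upper-case SHA-1 over the certificate's DER encoding."""
    digest = hashlib.sha1(to_der(cert_file_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def matches(cert_file_bytes: bytes, expected: str) -> bool:
    """True only if the file hashes to the expected fingerprint."""
    actual = normalize_fp(sha1_fingerprint(cert_file_bytes))
    return hmac.compare_digest(actual, normalize_fp(expected))

# Constructed stand-in bytes, NOT the SECOM certificate: the fingerprint is a
# hash over the file's DER bytes, so any byte string exercises the check.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed sample, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("sample fingerprint:", sha1_fingerprint(SAMPLE_PEM))
    print("matches bug value: ", matches(SAMPLE_DER, BUG_SHA1))
```

To check a real download, pass the file's bytes to `matches()` together with `BUG_SHA1`.
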

I have tried to attach the cert, but I am running into an error. I have filed bug #680987 regarding this.

Kamo-san, Please see step #1 above.

Kathleen-san,

I confirm that all the data in this bug is correct.

Thank you for your time and concern.

Kamo-san,

Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.

Kathleen-san,

Thank you for your clear explanation.
We are looking forward to receiving your notice.

Kathleen has indicated that PriceWaterhouseCoopers' status as an acceptable auditor is under reconsideration, given the DigiNotar incident:
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/ff2d4be7449d510b/7148d2c72fe4197a?lnk=gst&q=pricewaterhousecoopers#8d80423a492c8192

I propose that this inclusion request be postponed until Mozilla publicly states whether PWC will continue to be trusted, and why.

(In reply to sjs from comment #7)
> Kathleen has indicated that PriceWaterhouseCoopers' status as an acceptable
> auditor is under reconsideration, given the DigiNotar incident:
> https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/
> thread/ff2d4be7449d510b/
> 7148d2c72fe4197a?lnk=gst&q=pricewaterhousecoopers#8d80423a492c8192
> 
> I propose that this inclusion request be postponed until Mozilla publicly
> states whether PWC will continue to be trusted, and why.


The area where we are concerned about audits (ETSI and WebTrust in general) is in regards to network security and intrusion detection. We are still looking into this.

SECOM already has root certificates included in NSS, and SECOM was very responsive to the recent CA Communication. SECOM has already performed a review of their network security and checked for intrusion/compromise. This request should move forward as per our existing process.

So in this case a SECOM self-audit is sufficient?  When are CAs allowed to self-audit, versus when they are required to obtain an audit via an approved auditor?

(In reply to sjs from comment #9)
> So in this case a SECOM self-audit is sufficient?  When are CAs allowed to
> self-audit, versus when they are required to obtain an audit via an approved
> auditor?


SECOM has been audited by PWC according to WebTrust CA criteria and WebTrust EV criteria.

I was specifically responding to your concern about whether or not we can rely on those audits, because questions about audits have been raised in m.d.s.policy. Our concern about audits is specific to network security and intrusion detection.

As for the CA Communication action item to perform network security and intrusion detection audits, we did not specify who had to perform those audits, because we believed that the CA could perform the initial assessment and then if needed (based on what they found), follow up with hiring third-parties to do additional auditing and testing.

(In reply to Tom Lowenthal [:StrangeCharm] from comment #11)
> What about bsmith's suggestion in mozilla.dev.security.policy that we not
> trust any more root certificates for the short term?
> 
> <https://groups.google.com/group/mozilla.dev.security.policy/browse_frm/
> thread/4be194c52d7a8c12/
> 8af487365e3a925f?lnk=gst&q=Let%27s+temporarily+stop+adding+new+CAs+to+our+tru
> sted+CA+list#8af487365e3a925f>


Please follow up in m.d.s.policy if you would like to discuss Brian Smith's suggestion, which was made as a member of the community that is interested in Mozilla's CA Certificate Module.
https://wiki.mozilla.org/Module_Owners_Activities_Modules#CA_Certificates_Module

SECOM has been audited by PWC according to WebTrust CA criteria and WebTrust EV criteria, but PWC's trustworthiness as an auditor is unclear, as you stated.  Why would we trust either a questionably trustworthy auditor, or a company self-audit, in place of a known accepted auditor?

In short, is there any effect of PWC being "TBD" or do we carry on business as normal?

(In reply to sjs from comment #13)
> SECOM has been audited by PWC according to WebTrust CA criteria and WebTrust
> EV criteria, but PWC's trustworthiness as an auditor is unclear, as you
> stated.  Why would we trust either a questionably trustworthy auditor, or a
> company self-audit, in place of a known accepted auditor?
> 
> In short, is there any effect of PWC being "TBD" or do we carry on business
> as normal?

This discussion belongs in m.d.s.policy.

I propose that no further progress be made on this bug until Steve and Brian's comments have been evaluated in mozilla.dev.security.policy.

Let me just remind you.
Our Secom's most recent audit was conducted by Deloitte Touche Tohmatsu LLC.
The audit period started from June 9, 2010 until June 8, 2011.
You can find the report at the URL below.

https://cert.webtrust.org/ViewSeal?id=1214

WebTrust for Certification Authorities
 => The report is written in Japanese and English.
WebTrust for Certification Authorities – Extended Validation
 => The report is written in Japanese and English.

Kai, Please include this change when you do your next batch of NSS changes.

All, Please stop adding noise to this bug. This root refresh was approved, and is something we should be encouraging all of our CAs to do. If you have any further concerns, please post them in the mozilla.dev.security.policy forum.

Blocks: 711829

A test version of Firefox is available at https://kuix.de/mozilla/tryserver-roots-20111218/
This test build contains your new root(s).

TODO, in this bug, please confirm that your root has been correctly added.

In particular check the correct trust flags (in cert manager you can use "edit trust" to view the trust settings you've received).

Please note this build is based on a nightly development/test version of Firefox. It might be unstable and have bugs. Please be careful. 
It's best to use a "fresh, empty profile", for your testing. (Search the web how to use separate profiles, start the profile manager, with Firefox). 
This is also recommended to make sure you're not testing your own certificate database, but really this software with the embedded certs.

Dear Kai-san,

Thank you for your work.

We confirmed our root certificate, "Security Communication RootCA2", has been correctly added.
Trust flags are also all right.

Will be fixed in NSS 3.13.2

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED