Closed Bug 685128 Opened 13 years ago Closed 8 years ago

Add Buypass Root certificates

Categories: CA Program :: CA Certificate Root Program (Type: task, Priority: Not set, Severity: normal)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: john.johansen, Assigned: kathleen.a.wilson
Whiteboard: In FF16, EV in FF 19
Attachments: 4 files, 1 obsolete file

Buypass AS has set up our new CA structure and would like to add two additional root certificates.

CA Company/Organization Name: Buypass AS
Website: www.buypass.no

Buypass AS is a public corporation and a leading supplier of secure solutions for electronic identification, electronic signatures and payment in the Nordic countries. Our solutions are delivered via the Internet, mobile phones, POS terminals and company internal networks. Buypass has issued electronic IDs to over 2 million of Norway's 4.9 million inhabitants. Buypass is registered with the Post and Telecommunications Authority as the issuer of the qualified ID according to the law on electronic signature. The company is the market leading ID supplier within e-Government services in Norway, provides identification services to all government departments, over 70% of the country’s primary health care services and the entire customer base of Norsk Tipping (the Norwegian national lottery). Over the last few years we have made significant investments in SSL certificates for the European market. Buypass root certificates have been included in most of the browsers (Mozilla, IE, Safari/iOS and Opera) and we currently support 99.5% of customers' and partners’ browsers. We are a member of the international CA/Browser Forum.

Our enterprise and SSL certificates are issued in accordance with WebTrust for CA and EV SSL in addition to an ongoing ETSI 102 042 audit.
Auditor: KPMG (KPMG Advisory N.V.)
Auditor Website: www.kpmg.com
Audit Document URL(s): https://cert.webtrust.org/ViewSeal?id=1139
Point-in-time WebTrust for CA and EV SSL audit report and management assertions for the new CA (CA2):
http://www.buypass.no/Bedrift/Produkter+og+tjenester/SSL-sertifikat/binary/10607/file?download=true

Certificate Details (1)

Certificate Name: Buypass Class 2 Root CA

The Buypass Class 2 certificates are issued to natural persons not registered in the Norwegian National Registry of Persons and the merchant certificates are issued to organizations. The Buypass Class 2 certificates have the same basic usage areas as Class 3 certificates. The Class 2 CP has, however, less strict requirements with respect to identification of the requesting party than Class 3 certificates. “Domain” and “Domain+” SSL certificates are issued exclusively by the Class 2 CA. All certificates are issued to the general public.

Number and type of subordinate CAs: See attachment "CA Hierarchy.pdf"
List or description of subordinate CAs operated internally: See attachment "CA Hierarchy.pdf"
List or description of subordinate CAs operated by third parties: N/A
List root CAs that have issued cross-signing certificates for this root CA: N/A

Certificate HTTP download URL (on CA website):
http://www.buypass.no/cert/BPClass2RootCA-sha2.cer

Version: 3
SHA1 Fingerprint:
49 0a 75 74 de 87 0a 47 fe 58 ee f6 c7 6b eb c6 0b 12 40 99

Public key length (for RSA, modulus length) in bits: RSA 4096
Valid From (YYYY-MM-DD): 2010-10-26
Valid To (YYYY-MM-DD): 2040-10-26
CRL HTTP URL: http://crl.buypass.no/crl/BPClass2CA2.crl

CRL issuing frequency for end-entity certificates:
Buypass issues and publishes a new CRL every 12 hours. A new CRL may be published at other times, e.g. after a Certificate is either revoked or suspended. The expiration time for each CRL is 25 hours.

OCSP URL: http://ocsp.buypass.no/ocsp/BPClass2CA2

Class (domain-validated, identity/organisationally-validated or EV): DV, OV

Certificate Policy URL: www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8957/file?download=true
CPS URL: www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8961/file?download=true

List one or more Trust Bits to enable, choices are Websites (SSL/TLS), Email (S/MIME), and/or Code (code/document signing):

URL of website whose SSL certificate chains to this root (if applying for SSL):
Test Website URL:
https://valid.domainplus.ca22.ssl.buypass.no/CA2Class2

----
Certificate Details (2)

Certificate Name: Buypass Class 3 Root CA

The Buypass Class 3 qualified certificates are issued to natural persons and the enterprise certificates are issued to organizations. The certificates may be used for authentication purposes, encryption/decryption and/or electronic signatures (non-repudiation). The certificates are part of an infrastructure provided by Buypass AS enabling electronic commerce in Norway. The certificates are used by many different service providers ranging from purely commercial companies to governmental and other public institutions including the health sector. Extended Validation and Business SSL certificates are issued exclusively by the Buypass Class 3 CA. All certificates are issued to the general public.

Number and type of subordinate CAs: See attachment "CA Hierarchy.pdf"
List or description of subordinate CAs operated internally: See attachment "CA Hierarchy.pdf"
List or description of subordinate CAs operated by third parties: N/A
List root CAs that have issued cross-signing certificates for this root CA: N/A

Certificate HTTP download URL (on CA website):
http://www.buypass.no/cert/BPClass3RootCA-sha2.cer

Version: 3
SHA1 Fingerprint:
da fa f7 fa 66 84 ec 06 8f 14 50 bd c7 c2 81 a5 bc a9 64 57
Public key length (for RSA, modulus length) in bits: RSA 4096
Valid From (YYYY-MM-DD): 2010-10-26
Valid To (YYYY-MM-DD): 2040-10-26

CRL HTTP URL: http://crl.buypass.no/crl/BPClass3CA2.crl
CRL issuing frequency for end-entity certificates: (same as above)
OCSP URL: http://ocsp.buypass.no/ocsp/BPClass3CA2

Class (domain-validated, identity/organisationally-validated or EV): OV, EV
EV policy OID(s) (if applicable): OID 2.16.578.1.26.1.3.3
Certificate Policy URL:
http://www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8960/file?download=true
CPS URL:
http://www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8963/file?download=true

Both CA certificates issue certificates for SSL-enabled servers and digitally signed or encrypted email. Neither of them issues certificates for signing executable code objects.

URL of website whose SSL certificate chains to this root (if applying for SSL):
Test Website URL:
https://valid.evident.ca23.ssl.buypass.no/CA2Class3

Diagram and/or description of certificate hierarchy: See attachment "CA Hierarchy.pdf"

Rgds.,

John Arild Johansen
john.johansen@buypass.no
Phone Number: (+47)2314 5019
Title / Department: CSO
I hope to begin Information Verification soon, and I will update this bug again at that time.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about two weeks. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may be in the discussion for
several weeks. When there are not enough people contributing to the discussions
ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Participating in other discussions is a great way to learn the expectations and
be prepared for the discussion of your request.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
Attachment #570064 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from Buypass to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, and to turn on the Websites trust bit for both. The request is to also enable EV for the new Class 3 root.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “Buypass Root Inclusion Request for Renewed Roots”

Please actively review, respond, and contribute to the discussion.

A representative of Buypass must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at

http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, and to turn on the Websites trust bit for both. The request is to also enable EV for the new Class 3 root.

Section 4 [Technical]. I am not aware of instances where Buypass has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Buypass appears to provide a service relevant to Mozilla users. It is a public corporation and a leading supplier of secure solutions for electronic identification, electronic signatures and payment in the Nordic countries. 

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which are provided in English.

http://www.buypass.com/home/support/ca-documentation-legal

Section 7 [Validation]. Buypass appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Not applicable, not requesting the email trust bit.

* SSL: According to sections 2.1.1 and 4.1.1 of the Class 2 CP and Class 3 CP documents, Buypass warrants that the subscriber named in the SSL certificate has the right to use the domain name(s) listed in the certificate. Buypass verifies that the subscriber is registered in the Norwegian Central Coordinating Register for Legal Entities and that the registered information conforms with information provided in the Certificate Application; that the Certificate Applicant and Certificate Approver are Authorized Subscriber Representatives; and that the Subscriber is a registered holder or has control of the domain name to be included in the SSL Certificate.

* Code: Not applicable, not requesting the code signing trust bit.

EV Policy OID:  2.16.578.1.26.1.3.3

Section 15 [Certificate Hierarchy]. 
Both of these roots have internally-operated subordinate CAs corresponding to the high security services that are offered.
CA Hierarchy: https://bugzilla.mozilla.org/attachment.cgi?id=558776

* Both CRL and OCSP are provided 
** Class 2 SSL CP Section 4.4.9: The CRL service SHALL at least issue CRLs every 24 hours and each CRL SHALL have a maximum expiration time of 48 hours.
http://crl.buypass.no/crl/BPClass3CA2.crl 
** Class 3 SSL CP Section 4.4.9: The CRL service SHALL at least issue CRLs every 24 hours and each CRL SHALL have a maximum expiration time of 48 hours.
** Class 3 SSL CP Section 4.4.11: The OCSP service SHALL be updated at least every 24 hours, and OCSP responses from this service SHALL have a maximum expiration time of 48 hours.

Sections 9-11 [Audit]. Annual audits are performed by KPMG according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1269  

Based on this assessment I intend to approve this request to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, turn on the Websites trust bit for both, and enable EV for the new Class 3 root.
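The revocation-freshness figures in this request (Buypass states a new CRL every 12 hours with a 25-hour expiry; the CP sections quoted above require a CRL at least every 24 hours with at most 48 hours' expiry) can be checked mechanically against a series of published CRL validity windows. The following is an added example and not part of this bug, of Buypass's systems or of Mozilla's tooling; the CRL timestamps are constructed sample data and the function names are the example's own.

```python
from datetime import datetime, timedelta, timezone

# Ceilings from the Class 2/Class 3 SSL CP section 4.4.9 quoted in the assessment
CP_MAX_ISSUE_INTERVAL = timedelta(hours=24)
CP_MAX_VALIDITY = timedelta(hours=48)
# Operational practice stated in the request: new CRL every 12 h, expiry 25 h
STATED_ISSUE_INTERVAL = timedelta(hours=12)
STATED_VALIDITY = timedelta(hours=25)

# Constructed sample (thisUpdate, nextUpdate) pairs in X.509 UTCTime form;
# these are NOT real Buypass CRL timestamps.
SAMPLE_CRLS = [
    ("111017000000Z", "111018010000Z"),
    ("111017120000Z", "111018130000Z"),
    ("111018000000Z", "111019010000Z"),
    # one publication missed: the next CRL appears 30 h after the previous
    # one, i.e. 5 h after that previous CRL expired
    ("111019060000Z", "111020070000Z"),
]


def parse_crl_time(s):
    """Parse an X.509 UTCTime string 'YYMMDDhhmmssZ' into an aware datetime."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_crl_series(crls, max_interval, max_validity):
    """Return (finding, timestamp) tuples: a CRL valid longer than max_validity,
    consecutive CRLs issued more than max_interval apart, and a coverage gap
    (a CRL that appears only after its predecessor's nextUpdate has passed)."""
    findings = []
    pairs = sorted((parse_crl_time(a), parse_crl_time(b)) for a, b in crls)
    for this_update, next_update in pairs:
        if next_update - this_update > max_validity:
            findings.append(("validity_exceeded", this_update))
    for (prev_this, prev_next), (cur_this, _) in zip(pairs, pairs[1:]):
        if cur_this - prev_this > max_interval:
            findings.append(("issue_interval_exceeded", cur_this))
        if cur_this > prev_next:
            findings.append(("coverage_gap", prev_next))
    return findings


def audit_sample():
    """Evaluate the sample against both the stated practice and the CP ceilings."""
    return {
        "stated": check_crl_series(SAMPLE_CRLS, STATED_ISSUE_INTERVAL, STATED_VALIDITY),
        "cp": check_crl_series(SAMPLE_CRLS, CP_MAX_ISSUE_INTERVAL, CP_MAX_VALIDITY),
    }
```

A coverage gap is the finding that matters to relying parties: during it, a client that fetches the newest CRL holds only expired revocation data.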
Whiteboard: EV - In public discussion → EV - Pending Approval
To the representatives of Buypass: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #8, and on behalf of Mozilla I approve this request from Buypass to include the following root certificates in Mozilla:

** Buypass Class 2 Root CA (websites).
** Buypass Class 3 Root CA (websites), enable EV.

I will file the NSS and PSM bugs to effect the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Depends on: 752103
Depends on: 752106
I have filed bug #752103 against NSS and bug #752106 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS and PSM → In FF16, EV in FF 19
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program