Closed Bug 685128 Opened 12 years ago Closed 7 years ago
Add Buypass Root certificates
94.01 KB, application/pdf
94.47 KB, application/pdf
135.36 KB, application/pdf
89.70 KB, application/pdf
Buypass AS has set up our new CA structure and would like to add two additional root certificates. CA Company/Organization Name: Buypass AS Website: www.buypass.no Buypass AS is a public corporation and a leading supplier of secure solutions for electronic identification, electronic signatures and payment in the Nordic countries. Our solutions are delivered via the Internet, mobile phones, POS terminals and company internal networks. Buypass has issued electronic IDs to over 2 million of Norway's 4.9 million inhabitants. Buypass is registered with the Post and Telecommunications Authority as the issuer of the qualified ID according to the law on electronic signature. The company is the market leading ID supplier within e-Government services in Norway, provides identification services to all government departments, over 70% of the country’s primary health care services and the entire customer base of the Norsk Tipping (the Norwegian national Lottery). We have the last few years made significant investment in SSL certificates for the European market. Buypass root certificates have been included in most of the browsers (Mozilla, IE, Safari/IOS and Opera) and we currently support 99.5% of customers' and partners’ browsers. We are a member of the international CA/Browser Forum. Our enterprise and SSL certificates are issued in accordance with WebTrust for CA and EV SSL in addition to an ongoing ETSI 102 042 audit. Auditor: KPMG (KPMG Advisory N.V.) Auditor Website: www.kpmg.com Audit Document URL(s): https://cert.webtrust.org/ViewSeal?id=1139 Point-in-time WebTrust for CA and EV SSL audit report and management assertions for the new CA (CA2): http://www.buypass.no/Bedrift/Produkter+og+tjenester/SSL-sertifikat/binary/10607/file?download=true Certificate Details (1) Certificate Name: Buypass Class 2 Root CA The Buypass Class 2 certificates are issued to natural persons not registered in the Norwegian National Registry of Persons and the merchant certificates are issued to organizations. The Buypass Class 2 certificates have the same basic usage areas as Class 3 certificates. The Class 2 CP has, however, less strict requirements with respect to identification of the requesting party than Class 3 certificates. “Domain” and” Domain+” -SSL certificates are issued exclusively by Class 2 CA. All certificates are issued to the general public. Number and type of subordinate CAs: See attachment "CA Hierarchy.pdf" List or description of subordinate CAs operated internally: See attachment "CA Hierarchy.pdf" List or description of subordinate CAs operated by third parties: N/A List root CAs that have issued cross-signing certificates for this root CA: N/A Certificate HTTP download URL (on CA website): http://www.buypass.no/cert/BPClass2RootCA-sha2.cer Version: 3 SHA1 Fingerprint: 49 0a 75 74 de 87 0a 47 fe 58 ee f6 c7 6b eb c6 0b 12 40 99 Public key length (for RSA, modulus length) in bits: RSA 4096 Valid From (YYYY-MM-DD):2010-10-26 Valid To (YYYY-MM-DD): 2040-10-26 CRL HTTP URL:http://crl.buypass.no/crl/BPClass2CA2.crl CRL issuing frequency for end-entity certificates: Buypass issues and publishes a new CRL every 12 hour. A new CRL may be published at other times, e.g. after a Certificate is either revoked or suspended. The expiration time for each CRL is 25 hours. OCSP URL: http://ocsp.buypass.no/ocsp/BPClass2CA2 Class (domain-validated, identity/organisationally-validated or EV): DV, OV Certificate Policy URL: www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8957/file?download=true CPS URL:/www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8961/file?download=true List one or more Trust Bits to enable, choices are Websites (SSL/TLS), Email (S/MIME), and/or Code (code/document signing): URL of website whose SSL certificate chains to this root (if applying for SSL): Test Website URL: https://valid.domainplus.ca22.ssl.buypass.no/CA2Class2 ---- Certificate Details (2) Certificate Name: Buypass Class 3 Root CA The Buypass Class 3 qualified certificates are issued to natural persons and the enterprise certificates are issued to organizations. The certificates may be used for authentication purposes, encryption/decryption and/or electronic signatures (non-repudiation). The certificates are part of an infrastructure provided by Buypass AS enabling electronic commerce in Norway. The certificates are used by many different service providers ranging from purely commercial companies to governmental and other public institutions including the health sector. Extended Validation and Business SSL certificates are issued exclusively by the Buypass Class 3 CA. All certificates are issued to the general public. Number and type of subordinate CAs: See attachment "CA Hierarchy.pdf" List or description of subordinate CAs operated internally: "CA Hierarchy.pdf" List or description of subordinate CAs operated by third parties: N/A List root CAs that have issued cross-signing certificates for this root CA: N/A Certificate HTTP download URL (on CA website): http://www.buypass.no/cert/BPClass3RootCA-sha2.cer Version: 3 SHA1 Fingerprint: da fa f7 fa 66 84 ec 06 8f 14 50 bd c7 c2 81 a5 bc a9 64 57 Public key length (for RSA, modulus length) in bits: RSA 4096 Valid From (YYYY-MM-DD): 2010-10-26 Valid To (YYYY-MM-DD): 2040-10-26 CRL HTTP URL: http://crl.buypass.no/crl/BPClass3CA2.crl CRL issuing frequency for end-entity certificates: (same as above) OCSP URL: http://ocsp.buypass.no/ocsp/BPClass3CA2 Class (domain-validated, identity/organisationally-validated or EV): OV, EV EV policy OID(s) (if applicable): OID 2.16.5220.127.116.11.3.3 Certificate Policy URL: http://www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8960/file?download=true CPS URL: http://www.buypass.no/Bedrift/Kundeservice/Dokumentasjon/binary/8963/file?download=true Both CA certificates issues certificates for SSL-enabled servers and digitally signed or encrypted email. None of them issues certificates for signing executable code objects. URL of website whose SSL certificate chains to this root (if applying for SSL): Test Website URL: https://valid.evident.ca23.ssl.buypass.no/CA2Class3 Diagram and/or description of certificate hierarchy: See attachment "CA Hierarchy.pdf" Rgds., John Arild Johansen email@example.com Phone Number: (+47)2314 5019 Title / Department: CSO
I hope to begin Information Verification soon, and I will update this bug again at that time. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information incomplete
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
This request has been added to the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion Now that you have a request in the Queue for Public Discussion, you are directly impacted by the time it takes to work through the queue. The goal is to have each discussion take about two weeks. However, that time varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. If no one reviews and contributes to a discussion, then a request may be in the discussion for several weeks. When there are not enough people contributing to the discussions ahead of yours, then your request will sit in the queue longer. How can you help reduce the time that your request sits in the queue? You can help by reviewing and providing your feedback in the public discussions of root inclusion requests, or by asking a knowledgeable colleague to do so. Participating in other discussions is a great way to learn the expectations and be prepared for the discussion of your request. Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
I am now opening the first public discussion period for this request from Buypass to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, and to turn on the Websites trust bit for both. The request is to also enable EV for the new Class 3 root. For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding firstname.lastname@example.org mailing list. http://www.mozilla.org/community/developer-forums.html https://lists.mozilla.org/listinfo/dev-security-policy news://news.mozilla.org/mozilla.dev.security.policy The discussion thread is called “Buypass Root Inclusion Request for Renewed Roots” Please actively review, respond, and contribute to the discussion. A representative of Buypass must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
The public comment period for this request is now over. This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/ Here follows a summary of the assessment. If anyone sees any factual errors, please point them out. To summarize, this assessment is for the request to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, and to turn on the Websites trust bit for both. The request is to also enable EV for the new Class 3 root. Section 4 [Technical]. I am not aware of instances where Buypass has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report. Section 6 [Relevancy and Policy]. Buypass appears to provide a service relevant to Mozilla users. It is a public corporation and a leading supplier of secure solutions for electronic identification, electronic signatures and payment in the Nordic countries. Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which are provided in English. http://www.buypass.com/home/support/ca-documentation-legal Section 7 [Validation]. Buypass appears to meet the minimum requirements for subscriber verification, as follows: * Email: Not applicable, not requesting the email trust bit. * SSL: According to sections 2.1.1 and 4.1.1 of the Class 2 CP and Class 3 CP documents, Buypass warrants that the subscriber named in the SSL certificate has the right to use the domain name(s) listed in the certificate. BuyPass verifies that the subscriber is registered in the Norwegian Central Coordinating Register for Legal Entities and that the registered information conforms with information provided in the Certificate Application; that the Certificate Applicant and Certificate Approver are Authorized Subscriber Representatives; and that the Subscriber is a registered holder or has control of the domain name to be included in the SSL Certificate. * Code: Not applicable, not requesting the code signing trust bit. EV Policy OID: 2.16.518.104.22.168.3.3 Section 15 [Certificate Hierarchy]. Both of these roots have internally-operated subordinate CAs corresponding to the high security services that are offered. CA Hierarchy: https://bugzilla.mozilla.org/attachment.cgi?id=558776 * Both CRL and OCSP are provided ** Class 2 SSL CP Section 4.4.9: The CRL service SHALL at least issue CRLs every 24 hours and each CRL SHALL have a maximum expiration time of 48 hours. http://crl.buypass.no/crl/BPClass3CA2.crl ** Class 3 SSL CP Section 4.4.9: The CRL service SHALL at least issue CRLs every 24 hours and each CRL SHALL have a maximum expiration time of 48 hours. ** Class 3 SSL CP Section 4.4.11: The OCSP service SHALL be updated at least every 24 hours, and OCSP responses from this service SHALL have a maximum expiration time of 48 hours. Sections 9-11 [Audit]. Annual audits are performed by KPMG according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website. https://cert.webtrust.org/ViewSeal?id=1269 Based on this assessment I intend to approve this request to add the “Buypass Class 2 Root CA” and the “Buypass Class 3 Root CA” root certificates, turn on the Websites trust bit for both, and enable EV for the new Class 3 root.
Whiteboard: EV - In public discussion → EV - Pending Approval
To the representatives of Buypass: Thank you for your cooperation and your patience. To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request. As per the summary in Comment #8, and on behalf of Mozilla I approve this request from Buypass to include the following root certificates in Mozilla: ** Buypass Class 2 Root CA (websites). ** Buypass Class 3 Root CA (websites), enable EV. I will file the NSS and PSM bugs to effect the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Whiteboard: EV - Approved - awaiting NSS and PSM → In FF16, EV in FF 19
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.