Closed Bug 723722 Opened 13 years ago Closed 13 years ago

EV SSL certificate (and OCSP response) for www.camerfirma.com fails to meet EV Guidelines

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

Details

I was notified by Camerfirma that their root certs are no longer being given EV Treatment, which was enabled in FF4, as per bug #562399. So I went to http://mxr.mozilla.org/firefox/source/security/manager/ssl/src/nsIdentityChecking.cpp#83 There are several entries that disappeared between the "mozilla2.0" tree and the "firefox" tree.
This website should get EV-treatment: https://www.camerfirma.com/ It does not show the green bar on Firefox 10 and Aurora 11.0a2.
Well, it doesn't in FF6 either. So the problem /might/ be somewhere else.
Build 2010-12-09: Untrusted Connection
Build 2010-12-10: Trusted connection but without EV-Cert green
The cert seems to have been included with that build (Bug 599324) but hasn't shown the green bar from day 0 with that server.
Thanks Matthias and Eddy. Based on your comments, the problem must be on their side.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
(In reply to Kathleen Wilson from comment #5)
> Based on your comments, the problem must be on their side.

Indeed. And it actually unveils a more serious problem: a failure to comply with the EV guidelines, in at least two respects. So far, I observed:

- the end-entity cert (for www.camerfirma.com et al., serial no. 45:d4:27:ae:4c:13:4a:d5) includes a 1024-bit key
- the OCSP response for said certificate includes the following data:

    Produced At: Fri Feb 03 06:07:55 2012
    Response 0:
      Cert ID:
        Hash Algorithm: SHA-1
        Issuer Name Hash: 70:fa:e2:a1:d7:b8:80:5d:37:a7:87:2a:1b:52:25:33:68:94:b9:2a
        Issuer Key Hash: 30:75:08:16:79:78:bf:91:8a:64:8c:c6:f7:6b:a2:c8:32:ab:cf:eb
        Serial Number: 45:d4:27:ae:4c:13:4a:d5
      Status: Cert is good.
      This Update: Wed Jan 18 11:00:27 2012
      Next Update: Tue Apr 17 11:00:27 2012

  i.e., it is based on data from 18 January, and has an "expiry" in April (which definitely does not meet the requirements in section 11.1.1 of the EV guidelines)

I'm reopening this bug, as it needs to be considered in the light of http://www.mozilla.org/projects/security/certs/policy/EnforcementPolicy.html, IMO.
Assignee: nobody → kwilson
Status: RESOLVED → REOPENED
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
QA Contact: psm → ca-certificates
Resolution: INVALID → ---
Summary: Several EV-enablement entries were lost in nsIdentityChecking.cpp → EV SSL certificate (and OCSP response) for www.camerfirma.com fails to meet EV Guidelines
Version: unspecified → other
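The two EV-Guidelines failures described in comment #6, checked mechanically, as an added example that is not part of the bug thread and is not Mozilla's or Camerfirma's code. It parses the text form of an OCSP response (the layout `openssl ocsp -text` prints) and compares the nextUpdate/thisUpdate window, the age of thisUpdate at producedAt, and the subscriber's RSA key size against thresholds that are assumptions here (10 days, 4 days, 2048 bits; the comment cites section 11.1.1 of the EV Guidelines for the OCSP requirement, and the exact figures should be taken from the current EV Guidelines and Baseline Requirements). The first response text is constructed from the values quoted in the comment; the second is a constructed compliant counter-example.

```python
"""Check the two EV-compliance points raised in comment #6 against a textual
OCSP response and the subscriber's RSA key size.

Added example, not code from the bug thread or from Mozilla/Camerfirma. The
thresholds are assumptions chosen for illustration: a 10-day ceiling on
nextUpdate - thisUpdate, a 4-day ceiling on how old thisUpdate may be when the
response is produced, and a 2048-bit RSA minimum.
"""
from datetime import datetime, timedelta

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # the form openssl prints for OCSP times

MAX_VALIDITY = timedelta(days=10)   # assumed ceiling on nextUpdate - thisUpdate
MAX_STALENESS = timedelta(days=4)   # assumed ceiling on producedAt - thisUpdate
MIN_RSA_BITS = 2048                 # assumed minimum subscriber RSA modulus size

# Constructed sample: the fields quoted in comment #6, laid out like the output
# of `openssl ocsp -text`.
OCSP_TEXT_CAMERFIRMA = """\
    Produced At: Fri Feb 03 06:07:55 2012
    Response 0:
      Cert ID:
        Hash Algorithm: SHA-1
        Issuer Name Hash: 70:fa:e2:a1:d7:b8:80:5d:37:a7:87:2a:1b:52:25:33:68:94:b9:2a
        Issuer Key Hash: 30:75:08:16:79:78:bf:91:8a:64:8c:c6:f7:6b:a2:c8:32:ab:cf:eb
        Serial Number: 45:d4:27:ae:4c:13:4a:d5
      Status: Cert is good.
      This Update: Wed Jan 18 11:00:27 2012
      Next Update: Tue Apr 17 11:00:27 2012
"""

# Constructed counter-example: a response produced minutes after thisUpdate
# with a one-week validity, as a responder fed live revocation data would emit.
OCSP_TEXT_FRESH = """\
    Produced At: Wed Feb 01 09:00:00 2012
    Response 0:
      Serial Number: 45:d4:27:ae:4c:13:4a:d5
      Status: Cert is good.
      This Update: Wed Feb 01 08:55:00 2012
      Next Update: Wed Feb 08 08:55:00 2012
"""


def parse_ocsp_text(text):
    """Map the 'Label: value' lines of an openssl-style OCSP dump to a dict.

    Only the first colon separates label from value, so colon-separated hex
    (hashes, serial numbers) survives intact. Lines without a colon are skipped.
    """
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def check_ocsp_freshness(fields, now=None):
    """Return human-readable findings for the response's time fields."""
    this_update = datetime.strptime(fields["This Update"], TIME_FMT)
    next_update = datetime.strptime(fields["Next Update"], TIME_FMT)
    produced_at = datetime.strptime(fields["Produced At"], TIME_FMT)

    findings = []
    window = next_update - this_update
    if window > MAX_VALIDITY:
        findings.append(
            f"validity window is {window.days} days; maximum is {MAX_VALIDITY.days}")
    staleness = produced_at - this_update
    if staleness > MAX_STALENESS:
        findings.append(
            f"thisUpdate was {staleness.days} days old when the response was "
            f"produced; maximum is {MAX_STALENESS.days}")
    if now is not None and now > next_update:
        findings.append("response has passed nextUpdate and must not be relied on")
    return findings


def check_rsa_key_size(bits):
    """Return a finding if the subscriber key is below the assumed EV minimum."""
    if bits < MIN_RSA_BITS:
        return [f"RSA key is {bits} bits; minimum is {MIN_RSA_BITS}"]
    return []


def ev_findings(ocsp_text, rsa_bits, now=None):
    """Run both checks for one certificate and return all findings."""
    fields = parse_ocsp_text(ocsp_text)
    return check_ocsp_freshness(fields, now) + check_rsa_key_size(rsa_bits)


if __name__ == "__main__":
    for name, text, bits in (("camerfirma", OCSP_TEXT_CAMERFIRMA, 1024),
                             ("fresh", OCSP_TEXT_FRESH, 2048)):
        problems = ev_findings(text, bits)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run stand-alone, the Camerfirma sample reports the 90-day window, a thisUpdate that was already 15 days old at producedAt, and the 1024-bit key, while the constructed fresh response passes. A responder that reads revocation state from a live database can still set a short nextUpdate; RFC 6960 allows omitting nextUpdate entirely, but then clients have no stated freshness bound to enforce.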
Hi, I will solve the problem in our OCSP responder and the key length ASAP. Regards
Kathleen, we have already fixed our problem with the CRL and the OCSP Responder. Our OCSP responder takes certificate revocation information directly from a database, so there is no "next update" in the response. Next, we are going to reissue the certificates for https://www.camerfirma.com and https://server3.camerfirma.com with a 2024 key size. Notice that these certs were issued for test purposes. Regards, Ramiro
Hi, https://www.camerfirma.com now has a 2048-bit key length. We have fixed our key length policy. The source of these problems is a test environment that we offered when we were in the accreditation process (https://www.camerfirma.com); in fact we have only issued 6 EV certificates for internal and test use, and 4 certificates for some special customers so that they could test the certificates. At the moment everything is OK. Best regards, Ramiro
Camerfirma has fixed the issue with their OCSP service, and they have revoked the EV test certs that didn't meet the EV requirements. I have confirmed the green bar shows up now for https://www.camerfirma.com/
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program