Enable EV and Turn on Code Signing trust bit for TWCA Root certificate

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED FIXED
6 years ago
a year ago

People

(Reporter: Robin Lin, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: EV - Approved - in Firefox 26)

Attachments

(5 attachments, 1 obsolete attachment)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Build ID: 20120312181643

Steps to reproduce:

This request is to EV-enable the TWCA Root certificate, which has been included in Mozilla NSS.
CA Name: TWCA Root Certification Authority

The WebTrust for CA/EV audit reports can be viewed at the following links:
https://cert.webtrust.org/ViewSeal?id=1248
https://cert.webtrust.org/ViewSeal?id=1249

The EV CA CPS can be downloaded from the following link:
http://www.twca.com.tw/picture/file/20120102-152000370.pdf
(Reporter)

Updated

6 years ago
Severity: normal → enhancement
(Reporter)

Comment 1

6 years ago
The TWCA EVSSL test web sites are:
https://evssldemo.twca.com.tw/index.html (normal)
https://evssldemo1.twca.com.tw/index.html (revoked)
https://evssldemo2.twca.com.tw/index.html (expired)
(Reporter)

Comment 2

6 years ago
TWCA also needs to enable the S/MIME and object signing trust bits.
The issuing CA CPS can be downloaded from the following link:
http://www.twca.com.tw/picture/file/20110523-180517756.pdf
(Reporter)

Updated

6 years ago
Summary: Enable EV for TWCA Root certificate → Enable EV, S/MIME, object signing for TWCA Root certificate
(Assignee)

Comment 3

6 years ago
Accepting this bug, and starting the information verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 4

6 years ago
(In reply to Robin Lin from comment #2)
> TWCA also needs to enable S/MIME and object signing trust bit. 

The email and websites trust bits are already turned on for this root.

This request is to turn on the code signing trust bit and to enable EV.
Summary: Enable EV, S/MIME, object signing for TWCA Root certificate → Enable EV and Turn on Code Signing trust bit for TWCA Root certificate
(Assignee)

Comment 5

6 years ago
Created attachment 622131 [details]
Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
(Assignee)

Updated

6 years ago
Whiteboard: EV - Information incomplete
(Reporter)

Comment 6

6 years ago
Created attachment 627148 [details]
Update TWCA information gathering document for EV, code signing

Update the required information for CA information gathering.
Please review.

Robin Lin
(Assignee)

Comment 7

6 years ago
Thanks for the information.

Please post a comment in this bug when:

1) The IDP extension has been removed from CRL.

2) EV Testing has been completed as per
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
(Reporter)

Comment 8

6 years ago
(In reply to Kathleen Wilson from comment #7)
> Thanks for the information.
> 
> Please post a comment in this bug when:
> 
> 1) The IDP extension has been removed from CRL.
> 
> 2) EV Testing has been completed as per
> https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

I am trying to test the EV enablement but failed.
I created a text file (test_ev_root.txt) with the following text:

1_fingerprint cf:9e:87:6d:d3:eb:fc:42:26:97:a3:b5:a3:7a:a0:76:a9:06:23:48
2_readable_oid 2.16.886.3.1.6.5
3_issuer MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==
4_serial AQ==

I also set ENABLE_TEST_EV_ROOTS_FILE=1 before starting the Firefox test version (I tested it on Windows 7).
Did I do anything wrong with the test_ev_root.txt file?
(Reporter)

Comment 9

6 years ago
(In reply to Kathleen Wilson from comment #7)
> Thanks for the information.
> 
> Please post a comment in this bug when:
> 
> 1) The IDP extension has been removed from CRL.
> 
> 2) EV Testing has been completed as per
> https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

The CRL IDP extension has been removed from EVSSL certificate CRL.
Please verify.

Thanks and Regards,
Robin Lin
(Assignee)

Comment 10

6 years ago
Kai, Robin is trying to do the PSM:EV_Testing_Easy_Version for a root certificate that is already included in NSS...
CN = TWCA Root Certification Authority
OU = Root CA
O = TAIWAN-CA
C = TW
SHA1: CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48

Would you please create and attach the test_ev_roots.txt file for this root?
(Assignee)

Comment 11

6 years ago
(In reply to Robin Lin from comment #9)
> The CRL IDP extension has been removed from EVSSL certificate CRL.
> Please verify.

Confirmed -- I'm able to import that CRL into my FF browser without error now.

Comment 12

6 years ago
The data in comment 8 appears to be correct.

Comment 13

6 years ago
Created attachment 644249 [details]
test_ev_roots

I tested, and I get EV status on site https://evssldemo.twca.com.tw/index.html

Did you place the file into the correct directory? It must be in the same directory as other existing profile files, e.g. prefs.js
(Reporter)

Comment 14

6 years ago
(In reply to Kai Engert (:kaie) from comment #13)
> Created attachment 644249 [details]
> test_ev_roots
> 
> I tested, and I get EV status on site
> https://evssldemo.twca.com.tw/index.html
> 
> Did you place the file into the correct directory? It must be in the same
> directory as other existing profile files, e.g. prefs.js

Hi Kai,

Thanks for your help. I modified the "test_ev_roots.txt" file, changing the fingerprint to capital characters, and then it works. The EV green bar appears after the modification.

I will put the screen capture in the attachment.

Thanks a lot!
Robin Lin
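As an added example (my own code, not part of this bug, NSS or PSM), the following Python parses the test_ev_roots.txt entry Robin posted in comment 8, upper-cases the fingerprint as comment 14 found was needed, and decodes the base64 DER issuer so it can be checked against the DN Kathleen listed in comment 10. It assumes one attribute per RDN, which holds for this root.

```python
import base64, re
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Constructed sample: the four lines Robin posted in comment 8, fingerprint in lower case as posted.
SAMPLE_TEST_EV_ROOTS = """\
1_fingerprint cf:9e:87:6d:d3:eb:fc:42:26:97:a3:b5:a3:7a:a0:76:a9:06:23:48
2_readable_oid 2.16.886.3.1.6.5
3_issuer MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==
4_serial AQ==
"""
def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_oid(value):
    """Decode an OBJECT IDENTIFIER body to dotted form (first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Walk an X.501 Name: SEQUENCE of SET of SEQUENCE {type OID, value}; one attribute per RDN assumed."""
    _, rdns, _ = der_tlv(der)             # outer SEQUENCE
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)  # SET
        _, atv, _ = der_tlv(rdn)          # SEQUENCE { OID, string }
        _, oid, p = der_tlv(atv)
        _, val, _ = der_tlv(atv, p)       # PrintableString or UTF8String, both decode as UTF-8 here
        dotted = der_oid(oid)
        out.append((ATTR_NAMES.get(dotted, dotted), val.decode("utf-8")))
    return out

def parse_test_ev_roots(text):
    """Parse the four numbered fields; the fingerprint is upper-cased, as comment 14 found necessary."""
    fields = dict(line.split(None, 1) for line in text.splitlines() if line.strip())
    fp = fields["1_fingerprint"].upper()
    if not re.fullmatch(r"([0-9A-F]{2}:){19}[0-9A-F]{2}", fp):
        raise ValueError("fingerprint must be 20 colon-separated hex bytes")
    return {"fingerprint": fp, "oid": fields["2_readable_oid"],
            "issuer": parse_name(base64.b64decode(fields["3_issuer"])),
            "serial": int.from_bytes(base64.b64decode(fields["4_serial"]), "big")}
```

The decoded issuer comes out as C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority, the same DN as in comment 10 (listed there in reverse order), and the serial is 1.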
(Reporter)

Comment 15

6 years ago
Created attachment 644812 [details]
TWCA EV simple test screen catch

This is my test result using Minefield 4.0b8pre.
The EV status bar appears in the URI toolbar.

Thanks for help.
Robin Lin
(Assignee)

Comment 16

6 years ago
Created attachment 647306 [details]
Completed CA Information Document
(Assignee)

Comment 17

6 years ago
I will try to start this discussion soon. I'll post an update to this bug when I do.
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
(Assignee)

Comment 18

6 years ago
I am getting ready to start the discussion of this request to enable EV and turn on the code signing trust bit for the TWCA root cert.

https://bugzilla.mozilla.org/show_bug.cgi?id=745671

My notes indicate a few items that TWCA was planning to complete by September 30, as follows:

- Document Handling of IDNs in CP/CPS: "All IDNs certificate will be revoked before 2012/9/30."

- DNS names in SAN: "TWCA is modifying the CA system to comply with CAB Forum Baseline Requirements. It will be done before 2012/9/30."

- Long-Lived SSL certs: "TWCA UCA CPS section 4.2: 'The maximum validity of the SSL server certificate is 4 years and is subject to extension with the approval of PMA when there is a special need.' TWCA is modifying the CA system to comply with CAB Forum Baseline Requirements. It will be done before 2012/9/30."


Have those items been completed?

Are there new CP/CPS documents?
The URLs that I have are here: http://www.mozilla.org/projects/security/certs/pending/#TWCA
(Assignee)

Comment 19

6 years ago
(In reply to Kathleen Wilson from comment #18) via email:

1. About the IDN certificates: our last IDN certificate was replaced by an FQDN certificate on 21 September. No IDN certificate is used by our customers now.

2. DNS names in SAN: We patched our CA system on 23 August. All issued SSL certificates contain the SAN extension.

3. We will publish a new CPS for publicly trusted certificates. The maximum validity will be set to 39 months, since the Baseline Requirements have the rule to re-verify the registration information no later than every 39 months. This new CPS will be released tomorrow and put in our repository.

We set our target to be compliant with the Baseline Requirements on 30 September. We also conduct an external audit to review compliance with the BR to make sure that we have done this task.

I will inform you once our new CPS is put in the repository. Please let me know if you have more questions.
(Reporter)

Comment 20

6 years ago
Just for the record, the renewed TWCA WebTrust for CA seal URLs:

1. The WebTrust for CA audit report and seal for both the Root CA and the EVSSL issuing CA: “https://cert.webtrust.org/ViewSeal?id=1322”.
2. The WebTrust EV audit report and seal: “https://cert.webtrust.org/ViewSeal?id=1323”.
(Assignee)

Comment 22

6 years ago
The test website, https://evssldemo.twca.com.tw/index.html, isn't working in my Firefox browser. I get (Error code: sec_error_ocsp_unknown_cert).

Please test again, and also check that the EV test is still working.

Respond in this bug when ready, and I'll try again.
(Reporter)

Comment 23

6 years ago
Sorry for the fault.
The OCSP server has been fixed.
Please try again.
(Assignee)

Comment 24

6 years ago
(In reply to Kathleen Wilson from comment #22)
> The test website, https://evssldemo.twca.com.tw/index.html, isn't working in

It's working for me now.
(Assignee)

Comment 25

6 years ago
Created attachment 667122 [details]
Completed CA Information Document
Attachment #647306 - Attachment is obsolete: true
(Assignee)

Comment 26

6 years ago
I am now opening the first public discussion period for this request from TWCA to turn on the Code Signing trust bit and enable EV for the “TWCA Root Certification Authority” root certificate that is currently included in NSS.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “TWCA Request to enable EV and turn on Code Signing trust bit”

Please actively review, respond, and contribute to the discussion.

A representative of TWCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
(Reporter)

Comment 27

6 years ago
Hi,

May we request one more EV OID: 2.16.158.3.1.6.5? We need 2 EV OIDs:
   2.16.886.3.1.6.5
   2.16.158.3.1.6.5

The reason is the historical political problem in Taiwan.

Thanks,
Robin Lin
(Reporter)

Comment 28

6 years ago
TWCA has updated the EV OID; the CP/CPS are also available:
CP:
http://www.twca.com.tw/picture/file/12031626-Public%20Key%20Infrastructure%20Policy.pdf

CPS:
http://www.twca.com.tw/picture/file/12031629-EV%20SSL%20CA%20Certification%20Practice%20Statement.pdf

The TWCA EV OID will use this:
1.3.6.1.4.1.40869.1.1.22.3

Also described as:
{ISO(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) TWCA(40869) certificates(1) policies(1) EV(22) class3(3) }

This will not conflict with others, since this is our own OID extended from our PEN.
(Assignee)

Comment 29

6 years ago
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to turn on the Code Signing trust bit and enable EV for the “TWCA Root Certification Authority” root certificate that was included in NSS per bug #518503.

Section 4 [Technical]. I am not aware of instances where TWCA has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. TWCA appears to provide a service relevant to Mozilla users. It is a commercial CA that provides a consolidated on-line financial security certificate service and a sound financial security environment, to ensure the security of on-line finance and electronic commercial trade in Taiwan. 

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which have been translated into English.

http://www.twca.com.tw/Portal/english/coporate_profile/Repository.html
On this page there are links to: CPS, CP, EV CPS, and sub-CA CPS.

Section 7 [Validation]. TWCA appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: SSL certificates are issued under assurance level class 2 or 3. TWCA verifies the legal existence of the organization requesting the certificate, the identity and authorization of the certificate subscriber, and that the certificate subscriber has the exclusive right to use the domain name(s) to be listed in the certificate. This is documented in sections 2.2.1.1 and 5.1 of the CPS. According to the EV CPS, EV SSL certificates are only issued under assurance level class 3.

* Email: S/MIME certificates are issued under assurance level class 1, 2, or 3. TWCA verifies the identity of the subscriber, verifies the domain name ownership of the email address to be listed in the certificate, and exchanges email with the subscriber to confirm the application request. This is documented in sections 2.2.1.1 and 5.1 of the CPS.

* Code: According to CPS section 4.1.8, TWCA verifies the organization and the identity and authority of the certificate subscriber to request the code signing certificate on the organization’s behalf.

Section 15 [Certificate Hierarchy]. 
This root has internally-operated subordinate CAs, and no externally-operated subordinate CAs. All of the subCAs must follow TWCA UCA CPS to conduct their operations.

* EV Policy OID: 1.3.6.1.4.1.40869.1.1.22.3

* CRL 
http://RootCA.twca.com.tw/TWCARCA/revoke_2048.crl
http://sslserver.twca.com.tw/sslserver/EVSSL_Revoke_2011.crl
CPS section 5.4.9: CRL issuance frequency shall be 24 hours.

* OCSP
http://evssl_ocsp.twca.com.tw/

Sections 9-11 [Audit]. 
Annual audits are performed by SunRise CPAs’ Firm, a member firm of DFK, according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1322
https://cert.webtrust.org/ViewSeal?id=1323

Based on this assessment I intend to approve this request to turn on the Code Signing trust bit and enable EV for the “TWCA Root Certification Authority” root certificate.
Whiteboard: EV - In public discussion → EV - Pending Approval

Comment 30

6 years ago
(In reply to Kathleen Wilson from comment #29)
> * OCSP
> http://evssl_ocsp.twca.com.tw/

The URL has been changed because of the illegal '_' character in a host or domain name.
It's now "http://evsslocsp.twca.com.tw".
(Assignee)

Comment 31

6 years ago
To the representatives of TWCA: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #29, and on behalf of Mozilla I approve this request from TWCA to turn on the code signing trust bit and enable EV for the following root certificate.

** "TWCA Root Certification Authority" (websites, email, code signing), enable EV.

I will file the NSS bug to turn on the code signing trust bit, and the PSM bug to enable EV.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
(Assignee)

Updated

6 years ago
Depends on: 823766
(Assignee)

Updated

6 years ago
Depends on: 823770
(Assignee)

Comment 32

6 years ago
I have filed bug #823766 against NSS and bug #823770 against PSM for the actual changes.
(Assignee)

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → EV - Approved - in Firefox 26

Updated

a year ago
Product: mozilla.org → NSS