Closed Bug 745671 Opened 13 years ago Closed 11 years ago

Enable EV and Turn on Code Signing trust bit for TWCA Root certificate

Category: CA Program :: CA Certificate Root Program (task)
Status: RESOLVED FIXED
Reporter: robin.lin, Assigned: kathleen.a.wilson
Whiteboard: EV - Approved - in Firefox 26
Attachments: 5 files, 1 obsolete file

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Build ID: 20120312181643

Steps to reproduce:

This request is to EV enable the TWCA Root certificate which has been included in Mozilla NSS.

CA Name: TWCA Root Certification Authority

The WebTrust for CA/EV audit report can be viewed at the following links:
https://cert.webtrust.org/ViewSeal?id=1248
https://cert.webtrust.org/ViewSeal?id=1249

The EV CA CPS can be downloaded using the following link:
http://www.twca.com.tw/picture/file/20120102-152000370.pdf
Severity: normal → enhancement
TWCA also needs to enable the S/MIME and object signing trust bits. The issuing CA CPS can be downloaded from the following link: http://www.twca.com.tw/picture/file/20110523-180517756.pdf
Summary: Enable EV for TWCA Root certificate → Enable EV, S/MIME, object signing for TWCA Root certificate
Accepting this bug, and starting the information verification phase. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(In reply to Robin Lin from comment #2)
> TWCA also needs to enable S/MIME and object signing trust bit.

The email and websites trust bits are already turned on for this root. This request is to turn on the code signing trust bit and to enable EV.
Summary: Enable EV, S/MIME, object signing for TWCA Root certificate → Enable EV and Turn on Code Signing trust bit for TWCA Root certificate
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Whiteboard: EV - Information incomplete
Update the required information for CA information gathering. Please review. Robin Lin
Thanks for the information. Please post a comment in this bug when:
1) The IDP extension has been removed from CRL.
2) EV Testing has been completed as per https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
(In reply to Kathleen Wilson from comment #7)
> Thanks for the information.
>
> Please post a comment in this bug when:
>
> 1) The IDP extension has been removed from CRL.
>
> 2) EV Testing has been completed as per
> https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

I am trying to test the EV enablement but it failed. I created a text file (test_ev_root.txt) with the following text:

1_fingerprint cf:9e:87:6d:d3:eb:fc:42:26:97:a3:b5:a3:7a:a0:76:a9:06:23:48
2_readable_oid 2.16.886.3.1.6.5
3_issuer MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==
4_serial AQ==

I also set ENABLE_TEST_EV_ROOTS_FILE=1 before starting the Firefox test version (I tested it on Windows 7). Did I do anything wrong with the test_ev_root.txt file?
(In reply to Kathleen Wilson from comment #7)
> Thanks for the information.
>
> Please post a comment in this bug when:
>
> 1) The IDP extension has been removed from CRL.
>
> 2) EV Testing has been completed as per
> https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

The CRL IDP extension has been removed from the EVSSL certificate CRL. Please verify.

Thanks and Regards,
Robin Lin
Kai, Robin is trying to do the PSM:EV_Testing_Easy_Version for a root certificate that is already included in NSS...

CN = TWCA Root Certification Authority
OU = Root CA
O = TAIWAN-CA
C = TW
SHA1: CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48

Would you please create and attach the test_ev_roots.txt file for this root?
(In reply to Robin Lin from comment #9)
> The CRL IDP extension has been removed from EVSSL certificate CRL.
> Please verify.

Confirmed -- I'm able to import that CRL into my FF browser without error now.
The data in comment 8 appears to be correct.
Attached file test_ev_roots
I tested, and I get EV status on site https://evssldemo.twca.com.tw/index.html

Did you place the file into the correct directory? It must be in the same directory as other existing profile files, e.g. prefs.js
(In reply to Kai Engert (:kaie) from comment #13)
> Created attachment 644249 [details]
> test_ev_roots
>
> I tested, and I get EV status on site
> https://evssldemo.twca.com.tw/index.html
>
> Did you place the file into the correct directory? It must be in the same
> directory as other existing profile files, e.g. prefs.js

Hi Kai,

Thanks for your help. I modified the "test_ev_roots.txt" file, changing the fingerprint to capital letters, and then it works. The EV green bar appears after the modification. I will put the screen capture in the attachment.

Thanks a lot!
Robin Lin
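As an added illustration (not code from this bug, from TWCA or from Mozilla), the following Python checks a test_ev_roots.txt entry of the kind posted in comment 8: it normalizes the SHA-1 fingerprint to the upper-case form that worked in comment 15, validates the OID, and decodes the base64 DER issuer name and serial so the entry can be compared against the root's DN from comment 10. The sample entry is copied from the bug; the field names follow the file as posted there, and the DER walker is a minimal assumption of the Name encoding (SEQUENCE of SET of SEQUENCE), not a full ASN.1 decoder.

```python
import base64
import re
# Constructed sample copied from comment 8 of this bug (the lower-case fingerprint that only worked once upper-cased, comment 15).
SAMPLE_ENTRY = """\
1_fingerprint cf:9e:87:6d:d3:eb:fc:42:26:97:a3:b5:a3:7a:a0:76:a9:06:23:48
2_readable_oid 2.16.886.3.1.6.5
3_issuer MF8xCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExKjAoBgNVBAMMIVRXQ0EgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==
4_serial AQ==
"""

def parse_entry(text):
    """Split the 'N_key value' lines of one entry into a dict keyed by name."""
    return {k.split("_", 1)[1]: v.strip()
            for k, _, v in (ln.partition(" ") for ln in text.splitlines() if ln.strip())}

def normalize_fingerprint(fp):
    """Require 20 colon-separated hex bytes (SHA-1) and upper-case them."""
    parts = fp.split(":")
    if len(parts) != 20 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("fingerprint must be 20 colon-separated hex bytes")
    return ":".join(p.upper() for p in parts)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_strings(der):
    """Collect attribute values from a DER Name (minimal walker, not a full ASN.1 decoder)."""
    out, pos = [], 0
    while pos < len(der):
        tag, body, pos = _tlv(der, pos)
        if tag in (0x30, 0x31):  # SEQUENCE / SET: descend into the RDNs
            out.extend(der_strings(body))
        elif tag in (0x0C, 0x13, 0x16):  # UTF8String / PrintableString / IA5String
            out.append(body.decode("utf-8"))
    return out

def check_entry(text):
    """Return the normalized entry: fingerprint, OID, issuer RDN values, serial as int."""
    f = parse_entry(text)
    if not re.fullmatch(r"\d+(\.\d+)+", f["readable_oid"]):
        raise ValueError("readable_oid is not dotted-decimal")
    return {"fingerprint": normalize_fingerprint(f["fingerprint"]), "oid": f["readable_oid"],
            "issuer": der_strings(base64.b64decode(f["issuer"])),
            "serial": int.from_bytes(base64.b64decode(f["serial"]), "big")}
```

The decoded issuer values should read back as the C, O, OU and CN that Kathleen listed for this root in comment 10; a mismatch there means the entry points at the wrong certificate.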
This is my test result using Minefield 4.0b8pre. The EV status bar appears in the URI toolbar. Thanks for the help. Robin Lin
Attached file Completed CA Information Document (obsolete) —
I will try to start this discussion soon. I'll post an update to this bug when I do.
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
I am getting ready to start the discussion of this request to enable EV and turn on the code signing trust bit for the TWCA root cert.
https://bugzilla.mozilla.org/show_bug.cgi?id=745671

My notes indicate a few items that TWCA was planning to complete by September 30, as follows:

- Document Handling of IDNs in CP/CPS: "All IDNs certificate will be revoked before 2012/9/30."

- DNS names in SAN: "TWCA is modifying the CA system to comply with CAB Forum Baseline Requirements. It will be done before 2012/9/30."

- Long-Lived SSL certs: "TWCA UCA CPS section 4.2: 'The maximum validity of the SSL server certificate is 4 years and is subject to extension with the approval of PMA when there is a special need.' TWCA is modifying the CA system to comply with CAB Forum Baseline Requirements. It will be done before 2012/9/30."

Have those items been completed? Are there new CP/CPS documents?

The URLs that I have are here: http://www.mozilla.org/projects/security/certs/pending/#TWCA
(In reply to Kathleen Wilson from comment #18) via email:

1. About the IDN certificates: our last IDN certificate was replaced by an FQDN certificate on 21 September. No IDN certificates are used by our customers now.

2. DNS names in SAN: We patched our CA system on 23 August. All issued SSL certificates contain the SAN extension.

3. We will publish a new CPS for publicly trusted certificates. The maximum validity will be set to 39 months, since the Baseline Requirements have the rule to re-verify the registration information no later than 39 months. This new CPS will be released tomorrow and put in our repository. We set our target to be compliant with the Baseline Requirements on 30 September. We also conduct an external audit to review the compliance with BR to make sure that we have done this task.

I will inform you once our new CPS is put in the repository. Please let me know if you have more questions.
Just for the record: TWCA WebTrust for CA seal renewal URLs.
1. The WebTrust for CA audit report and seal of both the Root CA and the EVSSL issuing CA: "https://cert.webtrust.org/ViewSeal?id=1322".
2. The WebTrust EV audit report and seal: "https://cert.webtrust.org/ViewSeal?id=1323".
The test website, https://evssldemo.twca.com.tw/index.html, isn't working in my Firefox browser. I get (Error code: sec_error_ocsp_unknown_cert). Please test again, and also check that the EV test is still working. Respond in this bug when ready, and I'll try again.
Sorry for the fault. The OCSP server has been fixed. Please try again.
(In reply to Kathleen Wilson from comment #22)
> The test website, https://evssldemo.twca.com.tw/index.html, isn't working in

It's working for me now.
Attachment #647306 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from TWCA to turn on the Code Signing trust bit and enable EV for the "TWCA Root Certification Authority" root certificate that is currently included in NSS.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called "TWCA Request to enable EV and turn on Code Signing trust bit"

Please actively review, respond, and contribute to the discussion.

A representative of TWCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Hi,

May we request one more EV OID: 2.16.158.3.1.6.5

We need 2 EV OIDs:
2.16.886.3.1.6.5
2.16.158.3.1.6.5

The reason is the historical political problem in Taiwan.

Thanks,
Robin Lin
TWCA has updated the EV OID; the CP/CPS are also available:
CP: http://www.twca.com.tw/picture/file/12031626-Public%20Key%20Infrastructure%20Policy.pdf
CPS: http://www.twca.com.tw/picture/file/12031629-EV%20SSL%20CA%20Certification%20Practice%20Statement.pdf

The TWCA EV OID will use this: 1.3.6.1.4.1.40869.1.1.22.3
Also described as:
{ISO(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) TWCA(40869) certificates(1) policies(1) EV(22) class3(3)}

This will not conflict with others since this is our own OID, extended from our PEN.
The public comment period for this request is now over.

This request has been evaluated as per Mozilla's CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to turn on the Code Signing trust bit and enable EV for the "TWCA Root Certification Authority" root certificate that was included in NSS per bug #518503.

Section 4 [Technical]. I am not aware of instances where TWCA has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. TWCA appears to provide a service relevant to Mozilla users. It is a commercial CA that provides a consolidated on-line financial security certificate service and a sound financial security environment, to ensure the security of on-line finance and electronic commercial trade in Taiwan.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which have been translated into English.
http://www.twca.com.tw/Portal/english/coporate_profile/Repository.html
On this page there are links to: CPS, CP, EV CPS, and sub-CA CPS.

Section 7 [Validation]. TWCA appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: SSL certificates are issued under assurance level class 2 or 3. TWCA verifies the legal existence of the organization requesting the certificate, the identity and authorization of the certificate subscriber, and that the certificate subscriber has the exclusive right to use the domain name(s) to be listed in the certificate. This is documented in sections 2.2.1.1 and 5.1 of the CPS. According to the EV CPS, EV SSL certificates are only issued under assurance level class 3.

* Email: S/MIME certificates are issued under assurance level class 1, 2, or 3. TWCA verifies the identity of the subscriber, verifies the domain name ownership of the email address to be listed in the certificate, and exchanges email with the subscriber to confirm the application request. This is documented in sections 2.2.1.1 and 5.1 of the CPS.

* Code: According to CPS section 4.1.8, TWCA verifies the organization and the identity and authority of the certificate subscriber to request the code signing certificate on the organization's behalf.

Section 15 [Certificate Hierarchy]. This root has internally-operated subordinate CAs, and no externally-operated subordinate CAs. All of the subCAs must follow TWCA UCA CPS to conduct their operations.

* EV Policy OID: 1.3.6.1.4.1.40869.1.1.22.3

* CRL
http://RootCA.twca.com.tw/TWCARCA/revoke_2048.crl
http://sslserver.twca.com.tw/sslserver/EVSSL_Revoke_2011.crl
CPS section 5.4.9: CRL issuance frequency shall be 24 hours.

* OCSP
http://evssl_ocsp.twca.com.tw/

Sections 9-11 [Audit]. Annual audits are performed by SunRise CPAs' Firm, a member firm of DFK, according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1322
https://cert.webtrust.org/ViewSeal?id=1323

Based on this assessment I intend to approve this request to turn on the Code Signing trust bit and enable EV for the "TWCA Root Certification Authority" root certificate.
Whiteboard: EV - In public discussion → EV - Pending Approval
(In reply to Kathleen Wilson from comment #29)
> * OCSP
> http://evssl_ocsp.twca.com.tw/

The URL has been changed because of the illegal '_' character in a host or domain name. It's now "http://evsslocsp.twca.com.tw".
To the representatives of TWCA: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #29, and on behalf of Mozilla I approve this request from TWCA to turn on the code signing trust bit and enable EV for the following root certificate.

** "TWCA Root Certification Authority" (websites, email, code signing), enable EV.

I will file the NSS bug to turn on the code signing trust bit, and the PSM bug to enable EV.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Depends on: 823766
Depends on: 823770
I have filed bug #823766 against NSS and bug #823770 against PSM for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → EV - Approved - in Firefox 26
Product: mozilla.org → NSS
Product: NSS → CA Program