Bug 759732 - Add new Swisscom root certs to trusted root CA cert list
Status: RESOLVED FIXED (Closed)
Opened 13 years ago; closed 11 years ago
Product / Component: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
Reporter: markus.limacher; Assigned: kathleen.a.wilson
Whiteboard: In NSS 3.15, Firefox 23, EV in Firefox 26
Attachments: 10 files
Swisscom has issued a new self-signed Root CA. Swisscom is already part of the Mozilla Root Program with the Swisscom Root CA 1.
CA Details
----------
CA Name: Swisscom Root CA 2
Website: www.swissdigicert.ch
One Paragraph Summary of CA, including the following:
- General nature (e.g., commercial, government, academic/research, nonprofit)
Swisscom AG is a commercial CSP that provides certification services for individual and corporate customers. Swisscom operates a certificate authority and registration authority. Customers may choose to use the registration services of Swisscom and purchase single certificates. Customers may also choose to operate their own registration authority (managed PKI).
- Primary geographical area(s) served
Swisscom operates Issuing CAs for national (Switzerland) and international purposes. Swisscom AG focuses on providing managed PKI services for national (Switzerland) and international purposes. Registration Services may be used for national (Switzerland) and international purposes.
- Number and type of subordinate CAs
The "Root CA2" Root CA currently has 8 (eight) direct subordinate CAs:
- Swisscom Diamant CA 2
- Swisscom Diamant SuisseID CA 2
- Swisscom Saphir CA 2
- Swisscom Saphir SuisseID CA 2
- Swisscom Rubin CA 2
- Swisscom Smaragd CA 2
- Swisscom TSS CA 2
- Swisscom Customer Root CA 2
Audit Type (WebTrust, ETSI etc.):
Swisscom AG has been audited for Swiss Digital Signature Law. ISO 27001 and ETSI 101.456 are part of this audit.
The following links show the pages of the accreditation body in Switzerland:
http://www.seco.admin.ch/sas/00229/02208/index.html?lang=de
http://www.seco.admin.ch/sas/00229/00251/index.html?lang=de
Auditor: KPMG
KPMG AG
ISMS Zertifizierungsstelle
SCES/m/ 071
Badenerstr. 172
8026 Zürich 4
SWITZERLAND
Auditor Website:
www.kpmg.ch
Audit Document URL(s):
http://www.seco.admin.ch/sas/00229/02208/index.html?lang=de
Certificate Details (Root CA)
-------------------
(To be completed once for each certificate)
Certificate Name: Swisscom Root CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Policy Mappings: 2.16.756.1.83.2.1:2.16.756.1.83.2.1
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-root2.crt
Version: v3
SHA1 Fingerprint: 77 47 4f c6 30 e4 0f 4c 47 64 3f 84 ba b8 c6 95 4a 8a 41 ec
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 4096 bit
Valid From (YYYY-MM-DD): Jun 24 08:38:14 2011 GMT
Valid To (YYYY-MM-DD): Jun 25 07:38:14 2031 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-root2.crl
OCSP URL: --
Class (domain-validated, identity-validated or EV): root
Certificate Policy URL: X509v3 Policy Mappings: 2.16.756.1.83.2.1:2.16.756.1.83.2.1
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Certificate Details (Issuing CA)
-------------------
(To be completed once for each certificate)
Certificate Name: Swisscom Diamant CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.11.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-diamant2.crt
Version: v3
SHA1 Fingerprint: d7 b3 70 41 f1 26 d0 bb 59 12 27 61 8a 54 76 f0 84 dc f2 38
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Jan 12 08:45:00 2012 GMT
Valid To (YYYY-MM-DD): Jan 12 08:45:00 2022 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-diamant2.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-diamant2
Class (domain-validated, identity-validated or EV): issuing ca, identity-validated
Certificate Policy URL: http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F001_CP_Diamant_SDCS_2_16_756_1_83_1_1_v2_0_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): email, code
Certificate Name: Swisscom Diamant SuisseID CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.12.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-diamant2-suisseid.crt
Version: v3
SHA1 Fingerprint: 33 0b 4c 90 6d 34 a7 22 75 a5 0c ec e9 0c 11 87 00 bf c6 15
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Mar 14 12:50:40 2012 GMT
Valid To (YYYY-MM-DD): Mar 14 12:50:40 2015 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-diamant2-suisseid.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-diamant2-suisseid
Class (domain-validated, identity-validated or EV): issuing ca, identity-validated
Certificate Policy URL: http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F001_CP_SuisseIDDiamant_SDCS_2_16_756_1_83_1_3_V2_1_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): email, code
Certificate Name: Swisscom Saphir CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.11.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-saphir2.crt
Version: v3
SHA1 Fingerprint: b2 2c 4a b6 32 17 5b 85 6b a9 3b 69 c1 96 c9 18 7c 9e 53 fa
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Jan 12 08:37:00 2012 GMT
Valid To (YYYY-MM-DD): Jan 12 08:37:00 2022 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-saphir2.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-saphir2
Class (domain-validated, identity-validated or EV): issuing ca, identity-validated
Certificate Policy URL: http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F006_CP_Saphir_SDCS_2_16_756_1_83_3_V2_0_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): email, SSL, code
Certificate Name: Swisscom Saphir SuisseID CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.13.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-saphir2-suisseid.crt
Version: v3
SHA1 Fingerprint: 13 a9 af 5f 1f 70 84 58 11 54 73 a0 77 b1 06 d5 34 86 01 33
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Mar 14 12:50:42 2012 GMT
Valid To (YYYY-MM-DD): Mar 14 12:50:42 2015 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-saphir2-suisseid.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-saphir2-suisseid
Class (domain-validated, identity-validated or EV): issuing ca, identity-validated
Certificate Policy URL: http://aia.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F006_CP_SuisseIDSaphir_SDCS_2_16_756_1_83_3_1_V2_2_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): email, SSL, code
Certificate Name: Swisscom Rubin CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.14.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-rubin2.crt
Version: v3
SHA1 Fingerprint: 47 6b a8 b2 8b a8 f8 d5 98 fa 25 e5 4e da 19 43 a9 11 63 aa
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Jan 12 08:57:00 2012 GMT
Valid To (YYYY-MM-DD): Jan 12 08:57:00 2022 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-rubin2.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-rubin2
Class (domain-validated, identity-validated or EV): issuing ca, identity-validated
Certificate Policy URL: http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F009_CP_Rubin_SDCS_2_16_756_1_83_4_V2_0_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): email, SSL, code
Certificate Name: Swisscom Smaragd CA 2
Summary Paragraph, including the following:
- End entity certificate issuance policy, i.e. what you plan to do with the root
X509v3 Certificate Policies: Policy: 2.16.756.1.83.13.0
Certificate HTTP URL (on CA website):
http://www.swissdigicert.ch/sdcs/portal/page?node=download_ca
http://aia.swissdigicert.ch/sdcs-saphir2-suisseid.crt
Version: v3
SHA1 Fingerprint: 13 a9 af 5f 1f 70 84 58 11 54 73 a0 77 b1 06 d5 34 86 01 33
MD5 Fingerprint: --
Modulus Length (a.k.a. "key length"): 2048 bit
Valid From (YYYY-MM-DD): Mar 28 09:28:34 2012 GMT
Valid To (YYYY-MM-DD): Mar 28 09:28:34 2022 GMT
CRL HTTP URL: http://crl.swissdigicert.ch/sdcs-smaragd2.crl
OCSP URL: http://ocsp.swissdigicert.ch/sdcs-smaragd2
Class (domain-validated, identity-validated or EV): issuing ca, domain-validated
Certificate Policy URL: http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F007_CP_Smaragd_SDCS_2_16_756_1_83_3_V2_2_de.pdf
CPS URL: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_1_de.pdf
Requested Trust Indicators (email and/or SSL and/or code): SSL, code
Best regards
Comment 2 • 13 years ago • Assignee
Starting the Information Verification Phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 3 • 13 years ago • Assignee
I will also include Bug #759733 (Add "Swisscom Root EV 2") in this request.
Summary: Add "Swisscom Root CA 2" to trusted root CA cert list → Add new Swisscom root certs to trusted root CA cert list
Whiteboard: EV - Information incomplete
Comment 5 • 13 years ago • Assignee
The attached document summarizes the information that has been verified.
The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Comment 6 • 12 years ago
Answer to attachment from 19.7.2012:
Unfortunately the CP hasn't been published yet. I will attach the CP. Furthermore I will attach the cover sheet of the KPMG Audit Report for EV certificates.
Kind regards
Patrick
===================
Swisscom Root EV CA 2 - EV Policy OID: 2.16.756.1.83.2.2
Swisscom Quarz EV CA 2 - EV Policy OID: 2.16.756.1.83.21.0
===================
Domains:
Swisscom Root EV CA 2
- Swisscom Quarz EV CA 2 - https://test-quarz-ev-ca-2.pre.swissdigicert.ch
Swisscom Root CA 2
- Swisscom Smaragd CA 2 - https://test-emerald-ca-2.pre.swissdigicert.ch
Swisscom Root CA 1
- Swisscom Rubin CA 1 - https://www.swissdigicert.ch/sdcs/portal/page
===================
CA Hierarchy information for each root certificate
Externally Operated SubCAs (Swisscom Root CA 2): None
Cross-Signing (Swisscom Root CA 2): None
Technical Constraints on Third-party Issuers (Swisscom Root CA 2): contract between Swisscom (Schweiz) AG and the contract-taking organisation, NDA and background check of the RA officer of the contract-taking organisation, workflow system for certificate issuance with a personal account based on strong authentication (smart card), control and monitoring of the issuance activities, audit of the contract-taking organisation and RA officer by internal and external audit.
===================
EV Audit Statement:
- Management Assertion
- Final KPMG Audit Report - EV / Cover sheet see attachment
======================
- Translation of the verification processes to English - https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
- Email Address Verification Procedures If you are requesting to enable the Email Trust Bit, then provide (In English and in publicly available documentation) all the information requested in #4 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.9 Checking the e-mail address of the applicant
- Code Signing Subscriber Verification Procedures If you are requesting to enable the Code Signing Trust Bit, then provide (In English and in publicly available documentation) all the information requested in #5 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
- Multi-factor Authentication Confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance. See #6 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=english%2F002_CPS_SDCS_2_16_756_83_2_1_V2_0_en.pdf
5.2.3 Identification and authentication of roles
- Network Security Confirm that you have performed the actions listed in #7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=english%2F002_CPS_SDCS_2_16_756_83_2_1_V2_0_en.pdf
5.1 Infrastructural security controls
======================
CA Recommended Practice
Audit Criteria:
WebTrust (Extended Validation): Audit Report Extended Validation SSL Certificate Audit according to Guidelines for the Issuance and Management of Extended Validation (EV) Certificates
ZertES: http://www.seco.admin.ch/sas/00229/02208/index.html?lang=de
Document Handling of IDNs in CP/CPS
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
Revocation of Compromised Certificates
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
4.9.1 Circumstances for revocation
Verifying Domain Name Ownership
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
Verifying Email Address Control
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.9 Checking the e-mail address of the applicant
Verifying Identity of Code Signing Certificate Subscriber
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
DNS names go in SAN
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf
7.1.4 Extended Validation server certificates "Quartz"
Domain owned by a Natural Person
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf
3.2.5 one-man business
not applicable
OCSP
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf
7.3 OCSP Profile
Potentially Problematic Practices
Long-lived DV certificates
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf
6.3.2 Validity of certificates and key pairs
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=english%2F002_CPS_SDCS_2_16_756_83_2_1_V2_0_en.pdf
6.3.2 Validity of certificates and key pairs
Wildcard DV SSL certificates
n/a
Email Address Prefixes for DV Certs
n/a
Delegation of Domain / Email validation to third parties
n/a
Issuing end entity certificates directly from roots
n/a
Allowing external entities to operate subordinate CAs
n/a
Distributing generated private keys in PKCS#12 files
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=english%2F002_CPS_SDCS_2_16_756_83_2_1_V2_0_en.pdf
4.12 Key escrow and recovery
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf
4.12 Key escrow and recovery
Certificates referencing hostnames or private IP addresses
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
Issuing SSL Certificates for Internal Domains
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_0_de.pdf
3.2.8 Checking the domain name of the applicant
OCSP Responses signed by a certificate under a different root
n/a
CRL with critical CIDP Extension
n/a
Generic names for CAs
n/a
Lack of Communication With End Users
http://www.swissdigicert.ch/sdcs/contact/send
Comment 7 • 12 years ago
Comment 8 • 12 years ago
Comment 9 • 12 years ago
Comment 10 • 12 years ago • Assignee
The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Comment 11 • 12 years ago
Test-Web Site:
Yes, please provide support; could you please provide the "test_ev_roots.txt" file to perform the EV Testing.
EV Policy:
EV Policy OID:2.16.756.1.83.2.2
Baseline Requirements:
Referring to https://www.cabforum.org/forum.html we have joined CAB-Forum.
Where is the audit related to SSL certificates chaining up to the “Swisscom Root CA 2” root (e.g. non-EV SSL cert issuance)?:
The audit related to SSL certificates chaining up to the “Swisscom Root CA 2” root is part of the Re-Certification Audit "Re-Certification Audit Report for qualified electronic signatures of the CSP according to SR 943.032.1 and ETSI TS 101.456".
There is a WebTrust seal audit cover page:
Yes, please find enclosed the management assertion by Swisscom (Management_Assertion_2012.pdf) and the unqualified Opinion by KPMG (Unqualified Opinion (Period of Time).pdf and Unqualified Opinion (Point in Time).pdf)
SSL Verification Procedures:
CPS (English)
1.3.1.2 Level 1 Certification Authorities (CAs)
Emerald CA: For issuing Emerald-class user and device/server certificates [...] Device certificates (SSL server/client) and certificates for e-mail security (sign and encrypt) are issued.
Emerald (Smaragd) SubCA CP
3.2.3 Authentication of a natural person
Identity verification of a natural person, or of a legal person for which the applicant performs a role, when applying for advanced certificates is performed following these steps:
1. The applicant of a certificate sends one or more documents to the RA confirming his identity.
2. An RA employee performs the identity check based on the document provided by the applicant and documents this process.
3. All attributes to be placed into the certificate are verified.
In case the applicant has a valid certificate, additional certificates for that person can be requested by sending a signed and encrypted application unless the identification of the person is still valid.
3.2.4 Checking the domain name of the applicant
Swisscom Digital Certificate Services checks the domain name of the applicant based on a Whois query. Applicants applying for a certificate have to submit a letter of confirmation that is signed by the technical contact stated in the Whois extract or by representatives of the company authorized to sign according to the certificate of registration. A letter of confirmation is valid for two years at most.
“Swisscom RootEV CA 2”
The Code Signing Bit should also be set.
“Swisscom Root CA 2”
The verification of the ownership and control over an e-Mail address is described in internal process documentation. If necessary we can copy this section into the CPS. This process was part of the passed KPMG audit.
Code Signing Subscriber Verification Procedure
Code Signing bit should be set to “Swisscom Root EV CA 2” and “Swisscom Root CA 2” root cert. Authentication to certificate subscriber is described in the EV-CPS.
Code Signing certificates are handled and issued under Sapphire CA – which are smartcard based and based on the strong identification processes of class sapphire CA.
(http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=english%2F002_CPS_SDCS_2_16_756_83_2_1_V2_0_en.pdf
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_0_de.pdf)
Document Handling of IDNs in CP/CPS
Yes. IDNs are allowed and technically supported.
Delegation of Domain / Email validation to third parties:
As stated in the CPS, Enterprise RAs might be able to issue any kind of certificate. If they want to issue qualified certificates, the Enterprise RA has to pass the KPMG audit prior to this. For all other certificate classes, the Enterprise RA has to pass the Swisscom audit beforehand. All referred processes are audited by KPMG.
Comment 12 • 12 years ago • Assignee
Comment 13 • 12 years ago • Assignee
(In reply to patrick.graber from comment #11)
> Test-Web Site:
> Yes, please provide support; could you please provide the
> "test_ev_roots.txt" file to perform the EV Testing.
Done. Comment #12.
>
> EV Policy:
> EV Policy OID:2.16.756.1.83.2.2
The Policy OID in the SSL cert of the test website that you provided (https://test-quarz-ev-ca-2.pre.swissdigicert.ch) was 2.16.756.1.83.21.0. So that's what I used in the test_ev_roots.txt file. If you use a different OID for EV, then you'll have to change the file, and also provide a new test website with a cert that has the correct EV info.
>
> Baseline Requirements:
> Referring to https://www.cabforum.org/forum.html we have joined CAB-Forum.
As per the CAB Forum Baseline Requirement # 8.3, where is the “Commitment to Comply” statement that should be in your CP or CPS?
> There is a WebTrust seal audit cover page:
> Yes, please find enclosed the management assertion by Swisscom
> (Management_Assertion_2012.pdf) and the unqualified Opinion by KPMG
> (Unqualified Opinion (Period of Time).pdf and Unqualified Opinion (Point in
> Time).pdf)
Since this is not posted on cert.webtrust.org, I have to contact KPMG directly to confirm the authenticity of the audit statement. Whom do you recommend that I contact? Please provide their KPMG email address.
>
> “Swisscom Root CA 2”
> The verification of the ownership and control over an e-Mail address is
> described in internal process documentation. If necessary we can copy this
> section into the CPS.
Yes, please.
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control
> Code Signing certificates are handled and issued under Sapphire CA – which
> are smartcard based and based on the strong identification processes of
> class sapphire CA.
Please translate the main parts of the Sapphire CP that describe verification of the subscriber’s identity and authorization, as per
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Identity_of_Code_Signing_Certificate_Subscriber
>
> Document Handling of IDNs in CP/CPS
> Yes. IDNs are allowed and technically supported.
Which sections of the CP/CPS address this?
https://wiki.mozilla.org/CA:Recommended_Practices#Document_Handling_of_IDNs_in_CP.2FCPS
>
> Delegation of Domain / Email validation to third parties:
> As stated in the CPS Enterprise RAs might be able to issue up to any kind of
> certificates. If they want to issue qualified certificates the Enterprise RA
> has to pass the KPMG audit prior to this. For all other kind of certificate
> classes the Enterprise RA has beforehand to pass the Swisscom audit. All
> referred processes are audited by KPMG.
What technical controls do you have in place to ensure that an Enterprise RA only issues certs within their pre-approved domains and uses?
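The policy-OID check behind the mismatch noted in this comment, as an added worked example (not code from the bug, from Mozilla's tooling or from Swisscom): it decodes the DER certificatePolicies extension of a leaf certificate and tests whether the EV policy OID registered for the root is asserted. The function names are mine, and the DER bytes are constructed from the two OIDs quoted above rather than captured from the test site.

```python
"""Worked example (added; not from the bug, Mozilla or Swisscom): decode an X.509
certificatePolicies extension and check that a leaf asserts the EV policy OID
registered for its root. All DER bytes are constructed here, not captured."""


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_seq(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (tag 0x30)."""
    return b"\x30" + _der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID string as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    # X.690: the first two arcs are packed into one subidentifier, 40*arc1 + arc2.
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for value in subids:
        # Base-128 groups, most significant first; continuation bit on all but last.
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(groups))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    if value or not subids:
        raise ValueError("malformed OID encoding")
    first = subids[0]
    # Unpack the first subidentifier: arc 1 is 0 or 1 below 80, otherwise 2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def policy_oids(cert_policies_der: bytes) -> list:
    """Return the policy OIDs asserted in a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                       policyQualifiers ... OPTIONAL }
    """
    tag, outer, end = _read_tlv(cert_policies_der, 0)
    if tag != 0x30 or end != len(cert_policies_der):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)  # any qualifiers are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def build_certificate_policies(*dotted_oids: str) -> bytes:
    """Construct a DER certificatePolicies value (no qualifiers) for testing."""
    return _der_seq(b"".join(_der_seq(encode_oid(o)) for o in dotted_oids))


def ev_oid_asserted(leaf_policies_der: bytes, root_ev_oid: str) -> bool:
    """True if the leaf asserts the EV policy OID registered for the root."""
    return root_ev_oid in policy_oids(leaf_policies_der)


# The two OIDs quoted in the bug: declared for the root vs. seen in the leaf.
ROOT_EV_OID = "2.16.756.1.83.2.2"
LEAF_OID_SEEN = "2.16.756.1.83.21.0"
# Constructed stand-in for the test-site leaf's certificatePolicies value.
LEAF_POLICIES = build_certificate_policies(LEAF_OID_SEEN)
# ev_oid_asserted(LEAF_POLICIES, ROOT_EV_OID) -> False: the OIDs differ
```

Because EV status is keyed on the OID, a leaf asserting 2.16.756.1.83.21.0 gets no EV treatment when the root is registered with 2.16.756.1.83.2.2, which is why the comment asks for either the file or the test site's certificate to be changed.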
Comment 14 • 12 years ago
The attached documents haven't been published yet. I will inform you as soon as they are published.
Comment 15 • 12 years ago • Assignee
(In reply to patrick.graber from comment #14)
> The attached documents haven't been published by now. I will inform you as
> soon as the are published.
Please update this bug when the new documents have all been published on your website.
I see that you are updating the EV CP to reference the CAB Forum Baseline Requirements. Please also update the other CP documents that are relevant to SSL certs, because the BRs apply to all SSL cert issuance (not just EV).
I have sent email to KPMG to confirm the authenticity of the audit statements that were attached to this bug.
Comment 16 • 12 years ago • Assignee
(In reply to Kathleen Wilson from comment #15)
> I have sent email to KPMG to confirm the authenticity of the audit
> statements that were attached to this bug.
The KPMG representative responded to my email to confirm the authenticity of the "Point In Time" and "Period of Time" EV audit statements that were attached to this bug.
Comment 17 • 12 years ago
Documentation has been published:
http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F002_CPS_SDCS_2_16_756_83_2_1_v2_2_de.pdf
http://www.swissdigicert.ch/sdcs/portal/download_file?file=english%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_2_en.pdf
http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F007_CP_Smaragd_SDCS_2_16_756_1_83_3_V2_2a_de.pdf
http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_1_de.pdf
http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_3_de_en.pdf
Comment 18 • 12 years ago • Assignee
(In reply to Kathleen Wilson from comment #15)
>
> I see that you are updating the EV CP to reference the CAB Forum Baseline
> Requirements. Please also update the other CP documents that are relevant to
> SSL certs, because the BRs apply to all SSL cert issuance (not just EV).
>
Can SSL certs be issued under Sapphire, Emerald, and Ruby?
The CAB Forum's Baseline Requirements apply to all SSL certs, not just EV. But I'm not finding reference to the BRs in the other documents.
Regarding the test websites:
https://test-emerald-ca-2.pre.swissdigicert.ch
https://test-quarz-ev-ca-2.pre.swissdigicert.ch
I'm getting (Error code: sec_error_ocsp_unknown_cert)
Please test in Firefox with OCSP enforced, as described here:
https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
Be sure to clear your cache, restore the default user root settings, and then import the new root certs using the Certificate Manager.
https://wiki.mozilla.org/CA:UserCertDB#Importing_a_Root_Certificate
https://wiki.mozilla.org/CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings
Comment 19 • 12 years ago • Assignee
(In reply to Kathleen Wilson from comment #18)
> Regarding the test websites:
> https://test-emerald-ca-2.pre.swissdigicert.ch
> https://test-quarz-ev-ca-2.pre.swissdigicert.ch
I'm able to browse to both of these test sites now without error today.
So just need answer to my question about the BRs.
Comment 20 • 12 years ago
Beneath the "Swisscom Root CA 2" only the Emerald CA "Swisscom Smaragd CA 2" can issue SSL certs. The CAB Forum's Baseline Requirements have been included in the Emerald CP. The CP hasn't been published yet. I will inform you when it is published.
Comment 21 • 12 years ago
Documentation has been published:
http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F007_CP_Smaragd_SDCS_2_16_756_1_83_3_V2_2b_de.pdf
Comment 22 • 12 years ago • Assignee
Comment 23 • 12 years ago • Assignee
This request has been added to the queue for discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
Comment 24 • 12 years ago • Assignee
I am now opening the first public discussion period for this request from Swisscom to add the “Swisscom Root CA 2” and “Swisscom Root EV CA 2” root certificates, turn on all three trust bits for the “Swisscom Root CA 2” certificate, turn on the websites and code signing trust bits for the “Swisscom Root EV CA 2” certificate, and enable EV for the “Swisscom Root EV CA 2” certificate.
For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
The discussion thread is called “Swisscom Request to include Renewed Roots”
Please actively review, respond, and contribute to the discussion.
A representative of Swisscom must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Comment 25 • 12 years ago • Assignee
The public comment period for this request is now over.
This request has been evaluated as per Mozilla’s CA Certificate Policy at
http://www.mozilla.org/projects/security/certs/policy/
Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.
To summarize, this assessment is for the request to add the “Swisscom Root CA 2” and “Swisscom Root EV CA 2” root certificates, turn on all three trust bits for the “Swisscom Root CA 2” certificate, turn on the websites and code signing trust bits for the “Swisscom Root EV CA 2” certificate, and enable EV for the “Swisscom Root EV CA 2” certificate.
Section 4 [Technical]. I am not aware of instances where Swisscom has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.
Section 6 [Relevance and Policy]. Swisscom appears to provide a service relevant to Mozilla users. It is a commercial CSP that provides certification services for individual and corporate customers. Swisscom operates a certificate authority and registration authority. Customers may choose to use the registration services of Swisscom and purchase single certificates. Customers may also choose to operate their own registration authority (managed PKI).
Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CPS and the CP for each verification level. The CPS has been translated into English. The CP documents are in German, and some sections have been translated into English.
Document Repository: http://www.swissdigicert.ch/sdcs/portal/page?node=download_docs
CPS (English): http://www.swissdigicert.ch/sdcs/portal/download_file?file=english%2F002_CPS_Swisscom_Digital_Certificate_Services_2_16_756_83_2_1_V2_2_en.pdf
Emerald CP (German): http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F007_CP_Smaragd_SDCS_2_16_756_1_83_3_V2_2b_de.pdf
EV CPS (German): http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F102_CPS_SDCS_EV_2_16_756_1_83_2_2_V2_1_de.pdf
EV CP (German, English translations of certain sections provided in Appendix): http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F008_CP_Quartz_EV_SDCS_2_16_756_1_83_4_V2_3_de_en.pdf
Sapphire CP (German): http://www.swissdigicert.ch/sdcs/portal/download_file?file=deutsch%2F006_CP_Saphir_SDCS_2_16_756_1_83_3_V2_0_de.pdf
Ruby CP (German): http://www.swissdigicert.ch/sdcs/portal/open_pdf?file=deutsch%2F009_CP_Rubin_SDCS_2_16_756_1_83_4_V2_0_de.pdf
Section 7 [Validation]. Swisscom appears to meet the minimum requirements for subscriber verification, as follows:
* SSL: The Emerald CA, "Swisscom Smaragd CA 2", is the only subCA of "Swisscom Root CA 2" that can issue SSL certs. According to Emerald CP section 3.2.4, a Whois query is used to check the domain name of the applicant. Applicants applying for a certificate have to submit a letter of confirmation that is signed by the technical contact stated in the Whois extract or by representatives of the company authorized to sign according to the certificate of registration. A letter of confirmation is valid for two years at most.
* Email: According to CPS section 3.2.3, the requester must prove that he has access to the mailbox and that he can use it to receive mail. An organization may contractually define that all certificates using the name of the organization in the O-field may only contain e-mail addresses in the email-field that are in the domain of the organization.
* Code: Code Signing certificates are handled and issued under the Sapphire CA; they are smartcard based and rely on the strong identification processes of the Sapphire class. Sapphire CP section 3.2.2 describes the process for verifying the organization, the identity of the applicant, and the entitlement to apply for a certificate on behalf of the organization.
* EV CP section 3.2 describes the process for verifying the organization, applicant identity and authorization, and domain name ownership.
Section 15 [Certificate Hierarchy].
Both the “Swisscom Root CA 2” and “Swisscom Root EV CA 2” root certificates sign internally-operated intermediate certificates that sign entity certificates.
* EV Policy OID: 2.16.756.1.83.21.0
* CRL
http://crl.swissdigicert.ch/sdcs-root2.crl
http://crl.swissdigicert.ch/sdcs-saphir2.crl
http://crl.swissdigicert.ch/sdcs-smaragd2.crl
http://crl.swissdigicert.ch/sdcs-root2-ev.crl
http://crl.swissdigicert.ch/sdcs-quarz2-ev.crl
CPS section 4.9: CRLs published at least once a day.
* OCSP
http://ocsp.swissdigicert.ch/sdcs-saphir2
http://ocsp.swissdigicert.ch/sdcs-smaragd2
http://ocsp.swissdigicert.ch/root2-ev
http://ocsp.swissdigicert.ch/quartz2
Sections 9-11 [Audit].
Swisscom is audited by KPMG according to the ETSI 101 456 and WebTrust EV criteria. The WebTrust EV audit statement was attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=667939
I confirmed the audit statements by exchanging email with a representative of KPMG.
Swisscom is also listed on the SECO website:
http://www.seco.admin.ch/sas/00229/00251/index.html?lang=en
ZertES is granted by the Swiss Accreditation Service (SAS) and the Swiss Federal Office of Communications (BAKOM) based on an audit by KPMG. It is based on Swiss law and on ETSI standards for Qualified Certification Service Providers (CSP) and Time Stamping Authorities. It requires an annual audit.
Based on this assessment I intend to approve this request to add the “Swisscom Root CA 2” and “Swisscom Root EV CA 2” root certificates, turn on all three trust bits for the “Swisscom Root CA 2” certificate, turn on the websites and code signing trust bits for the “Swisscom Root EV CA 2” certificate, and enable EV for the “Swisscom Root EV CA 2” certificate.
Note that EV-enablement will be on hold until Swisscom has commented in this bug to confirm completion of EV-testing (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
Whiteboard: EV - In public discussion → EV - Pending Approval
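The EV policy OID listed in comment 25 (2.16.756.1.83.21.0) is what a client such as PSM looks for in the certificatePolicies extension of a certificate chaining to "Swisscom Root EV CA 2" before giving it EV treatment. The following Python is an added illustration, not code from this bug, from Swisscom, or from NSS/PSM: it DER-encodes and decodes OIDs, builds a constructed certificatePolicies extension value (including a CPS-URI qualifier, which a checker must skip over), and tests whether the exact EV OID is present. The OID 2.23.140.1.1 (CA/Browser Forum EV) and 2.23.140.1.2.1 (CA/Browser Forum DV) are public values; the CPS URI and the sample extension values are constructed here for the example.

```python
"""Check a DER certificatePolicies extension value for a specific EV policy OID.

Added illustration, not code from the bug, Swisscom, or NSS/PSM. The only value
taken from the bug is the Swisscom EV policy OID; the samples are constructed.
"""

SWISSCOM_EV_POLICY_OID = "2.16.756.1.83.21.0"   # from comment 25 of the bug
CABF_EV_OID = "2.23.140.1.1"                     # CA/Browser Forum EV policy OID
CABF_DV_OID = "2.23.140.1.2.1"                   # CA/Browser Forum DV policy OID
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"                  # RFC 5280 CPS pointer qualifier


def encode_oid(dotted):
    """DER-encode a dotted OID into base-128 content bytes (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]          # last byte has the high bit clear
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content):
    """Inverse of encode_oid: base-128 content bytes -> dotted string."""
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    if v or not arcs:               # dangling continuation byte or empty OID
        raise ValueError("truncated OID encoding")
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def der_tlv(tag, content):
    """Wrap content in a DER tag and definite-form length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:   # indefinite length is BER, not DER
            raise ValueError("indefinite or oversized length is not DER")
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + n > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n


def policy_info(oid, cps_uri=None):
    """PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    body = der_tlv(0x06, encode_oid(oid))
    if cps_uri is not None:            # PolicyQualifierInfo { id-qt-cps, IA5String }
        qualifier = der_tlv(0x30, der_tlv(0x06, encode_oid(ID_QT_CPS))
                            + der_tlv(0x16, cps_uri.encode("ascii")))
        body += der_tlv(0x30, qualifier)
    return der_tlv(0x30, body)


def build_certificate_policies(infos):
    """certificatePolicies extnValue ::= SEQUENCE OF PolicyInformation."""
    return der_tlv(0x30, b"".join(infos))


def policy_oids(ext_value):
    """Return every policyIdentifier in a certificatePolicies value; qualifiers are skipped."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = read_tlv(info, 0)   # first element is the OID
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def has_ev_policy(ext_value, ev_oid=SWISSCOM_EV_POLICY_OID):
    """True only for the exact registered EV OID; anyPolicy (2.5.29.32.0) does not count."""
    return ev_oid in policy_oids(ext_value)


# Constructed samples (placeholder CPS URI, not a Swisscom document location).
SAMPLE_EV_EXT = build_certificate_policies([
    policy_info(SWISSCOM_EV_POLICY_OID, "http://cps.example/cps"),
    policy_info(CABF_EV_OID),
])
SAMPLE_DV_EXT = build_certificate_policies([policy_info(CABF_DV_OID)])
```

The check deliberately requires the specific OID rather than accepting anyPolicy, which is the behaviour a browser's EV logic needs: the OID is bound to one root in the client's EV table, and a certificate carrying only the generic CA/Browser Forum EV OID would still have to chain to that root to qualify.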
Comment 26•12 years ago
EV testing has been completed successfully according to https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Comment 27•12 years ago
As per the summary in Comment #25, and on behalf of Mozilla I approve this request from Swisscom to include the following root certificates:
** “Swisscom Root CA 2” (websites, email, code signing)
** “Swisscom Root EV CA 2” (websites, code signing), enable EV
I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Comment 28•12 years ago
I have filed bug #856695 against NSS and bug #856710 against PSM for the actual changes.
Updated•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → In NSS 3.15, Firefox 23, EV in Firefox 26
Updated•8 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program