Closed Bug 810133 Opened 12 years ago Closed 11 years ago

Add one more Root Certificate of TWCA in Mozilla software

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: robin.lin, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: EV - Approved - In FF27, EV treatment in FF30)

Attachments

(5 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121024073032

Steps to reproduce:

This request is to add one more TWCA Root certificate to NSS.

Request trust bits: SSL, SMIME, Object Signing, EV
CA Name: TWCA Global Root CA
Root Certificate SHA-1 fingerprint: 9c bb 48 53 f6 a4 f6 d3 52 a4 e8 32 52 55 60 13 f5 ad af 65
CRL is published at: http://RootCA.twca.com.tw/TWCARCA/global_revoke_4096.crl
OCSP: http://RootOcsp.twca.com.tw

The WebTrust for CA/EV audit reports can be downloaded from:
1. The WebTrust for CA audit report and seal of both the Root CA and the EVSSL issuing CA: https://cert.webtrust.org/ViewSeal?id=1322
2. The WebTrust EV audit report and seal: https://cert.webtrust.org/ViewSeal?id=1323

The CA policy document URLs are:
1. CP: http://www.twca.com.tw/picture/file/10121213-Public%20Key%20Infrastructure%20Policy.pdf
2. Root CA CPS: http://www.twca.com.tw/picture/file/10121215-RootCA%20Certification%20Practice%20Statement.pdf
3. EVSSL sub-CA CPS: http://www.twca.com.tw/picture/file/10121216-EV%20SSL%20CA%20Certification%20Practice%20Statement.pdf
4. SSL, SMIME, code signing sub-CA CPS: http://www.twca.com.tw/picture/file/10121217-Global%20CA%20Certification%20Practice%20Statement.pdf

The SSL test servers are:
1. Normal: https://evssldemo3.twca.com.tw/index.html
2. Revoked: https://evssldemo4.twca.com.tw/index.html
3. Expired: https://evssldemo5.twca.com.tw/index.html
I am waiting until the TWCA request that is currently under discussion (bug #745671) comes to a conclusion before starting work on this request.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
About the questions in the CA Information Document, our current status is as below:

1. In Section 1.4.1 of the Global CA CPS there are Testing Certificates. Can Testing Certificates be issued for SSL? For Code Signing? For S/MIME?
SSL, Code Signing and S/MIME are not allowed to issue test certificates. SSL and Code Signing are class 3 certificates. S/MIME is a class 2 certificate.

2. IDN handling: Revoke all IDN certificates before 2012/9/30
We revoked all IDN certificates last year. We also do not issue any IDN certificates, to comply with the Baseline Requirements. Currently, we are doing the external audit to assure that we have done this job.

3. About 3rd party external RAs
We have no external RA and no plan to allow a 3rd party to act as RA.

I use the following content in test_ev_roots.txt, but it may not display the EV status in the test version of the browser. Did I do anything wrong?

1_fingerprint 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
2_readable_oid 1.3.6.1.4.1.40869.1.1.22.3
3_issuer MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExHDAaBgNVBAMME1RXQ0EgR2xvYmFsIFJvb3QgQ0E=
4_serial DL4=
Attached file test_ev_roots.txt
(In reply to Robin Lin from comment #3)
> I use following content in test_ev_roots.txt, but may not display the EV
> status in test version of browser. Did I do anything wrong?

I didn't see any obvious issues, so I went ahead and tested, and got the EV treatment. I attached the test file and screenshot.

Maybe you didn't have the ENABLE_TEST_EV_ROOTS_FILE=1 environment variable set -- that messed me up when I installed OS X version 10.8.3.
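As an added example (not code from this bug, TWCA or Mozilla), the following Python decodes the test_ev_roots.txt entry from comment #3 the way a reviewer would check it before testing: it splits the four fields, decodes the base64 DER issuer name into readable RDNs, and turns the base64 serial into an integer, so each can be compared against the actual root certificate. The DER name decoder assumes single-valued RDNs and string attribute values, which is all this entry needs.

```python
import base64

# Constructed input: the test_ev_roots.txt entry quoted in comment #3 above.
TEST_EV_ROOTS_ENTRY = """\
1_fingerprint 9C:BB:48:53:F6:A4:F6:D3:52:A4:E8:32:52:55:60:13:F5:AD:AF:65
2_readable_oid 1.3.6.1.4.1.40869.1.1.22.3
3_issuer MFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKDAlUQUlXQU4tQ0ExEDAOBgNVBAsMB1Jvb3QgQ0ExHDAaBgNVBAMME1RXQ0EgR2xvYmFsIFJvb3QgQ0E=
4_serial DL4=
"""

# DER-encoded attribute-type OIDs (2.5.4.x) that appear in X.500 names.
_ATTR_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
               b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_der_name(der):
    """Render a DER X.500 Name as 'C=TW, O=..., CN=...' (single-valued RDNs assumed)."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _tlv(seq, pos)          # RDN = SET of AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)
        _, value, _ = _tlv(atv, p)              # PrintableString/UTF8String: both UTF-8
        parts.append(f"{_ATTR_NAMES.get(oid, oid.hex())}={value.decode('utf-8')}")
    return ", ".join(parts)

def parse_test_ev_roots(text):
    """Parse one test_ev_roots.txt entry and decode the issuer DN and serial."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        fields[key.split("_", 1)[1]] = value    # "1_fingerprint" -> "fingerprint"
    if len(bytes.fromhex(fields["fingerprint"].replace(":", ""))) != 20:
        raise ValueError("SHA-1 fingerprint must be 20 bytes")
    return {"fingerprint": fields["fingerprint"],
            "policy_oid": fields["readable_oid"],
            "issuer": decode_der_name(base64.b64decode(fields["issuer"])),
            "serial": int.from_bytes(base64.b64decode(fields["serial"]), "big")}
```

For this entry the issuer decodes to the expected TWCA root DN and the serial to 0x0CBE, so a mismatch against the real certificate would show up here before touching the browser.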
I'll try to start the discussion soon. When do you expect to have your 2013 audit statements?
Whiteboard: EV → EV - Information confirmed complete
We are doing the WebTrust annual audit now, so the renewed audit statement may be done next month. The audit scope covers all sub-CAs under the trusted root CA in Mozilla software. Once we get the renewed seal, I will update the seal link here.
I am now opening the first public discussion period for this request from TWCA to include the “TWCA Global Root CA” root certificate, turn on all three trust bits, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list. The discussion thread is called “TWCA Request to include Renewed Root”.

Please actively review, respond, and contribute to the discussion. A representative of TWCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include the “TWCA Global Root CA” root certificate, turn on all three trust bits, and enable EV treatment. This SHA-256 root will eventually replace the SHA-1 “TWCA Root Certification Authority” root certificate that was included in NSS per bug #518503.

Section 4 [Technical]. I am not aware of instances where TWCA has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. TWCA appears to provide a service relevant to Mozilla users. It is a commercial CA that provides a consolidated on-line financial security certificate service and a sound financial security environment, to ensure the security of online finance and electronic commercial trade in Taiwan. Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS documents, which are translated into English.
Repository (English): http://www.twca.com.tw/Portal/english/coporate_profile/Repository.html
On this page there are links to: CPS, CP, Root CA CPS, EV SSL CPS, and Global CA CPS.

Section 7 [Validation]. TWCA appears to meet the minimum requirements for subscriber verification, as follows:
* SSL: According to section 1.4.1 of the Global CA CPS, SSL certificates are issued under assurance level class 3. TWCA verifies the legal existence of the organization requesting the certificate, the identity and authorization of the certificate subscriber, and that the certificate subscriber has the exclusive right to use the domain name(s) to be listed in the certificate. This is documented in sections 2.2.1.1 and 5.1 of the CPS. According to the Executive Summary of the EV CPS, EV certificates are class 3 certificates, and are issued in accordance with Assurance Level 4 specified in the TWCA PKI CP.
* Email: S/MIME certificates are issued under assurance level class 1, 2, or 3. TWCA verifies the identity of the subscriber, verifies the domain name ownership of the email address to be listed in the certificate, and exchanges email with the subscriber to confirm the application request. This is documented in sections 2.2.1.1 and 5.1 of the CPS, and in section 1.4.1 of the Global CA CPS.
* Code: According to the Executive Summary of the Global CA CPS, only InfoSec Certificates of Level of Assurance Class 3 can be used for code signing. Section 1.4.1 of the Global CA CPS explains that TWCA verifies the organization and the identity and authority of the certificate subscriber to request the code signing certificate on the organization’s behalf.

Section 15 [Certificate Hierarchy]. Eventually this SHA-256 root will have internally-operated subordinate CAs corresponding to the “TWCA Root Certification Authority” root certificate:
1. CN=TaiCA Secure CA, OU=SSL Certification Service Provider -- Issues SSL certificates.
2. CN=TaiCA Secure CA, OU=Certification Service Provider -- Issues identity certificates for on-line commerce transactions, such as stock trading, or email.
3. CN=TaiCA Information Policy CA; CN=TaiCA Information User CA -- Issue identity certificates for on-line taxation, e-Government or e-Commerce transactions.
4. CN=TaiCA Finance CA; CN=TaiCA Finance User CA -- Issue identity certificates for on-line fund transfer, e-Finance or e-Banking transactions.
5. CN=TWCA EVSSL Certification Authority -- Issues EV SSL certs.
* EV Policy OID: 1.3.6.1.4.1.40869.1.1.22.3
* CRL:
http://RootCA.twca.com.tw/TWCARCA/global_revoke_4096.crl
http://sslserver.twca.com.tw/sslserver/GlobalEVSSL_Revoke_2012.crl
CPS section 5.4.9: CRL issuance frequency shall be 24 hours.
* OCSP:
http://RootOcsp.twca.com.tw/
http://evsslocsp.twca.com.tw

Sections 9-11 [Audit]. Annual audits are performed by SunRise CPAs’ Firm, a member firm of DFK, according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/SealFile?seal=1405&file=pdf
https://cert.webtrust.org/SealFile?seal=1323&file=pdf

Based on this assessment I intend to approve this request to include the “TWCA Global Root CA” root certificate, turn on all three trust bits, and enable EV treatment.
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #11, and on behalf of Mozilla I approve this request from TWCA to include the following root certificate:

** "TWCA Global Root CA" (websites, email, code signing), enable EV.

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Depends on: 901605
Depends on: 901608
I have filed bug #901605 against NSS and bug #901608 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS and PSM → EV - Approved - In FF27 -- awaiting PSM
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - In FF27 -- awaiting PSM → EV - Approved - In FF27, EV treatment in FF30
Product: mozilla.org → NSS
Product: NSS → CA Program