Add Entrust G2 and EC1 root certificates

Status: RESOLVED FIXED (task)

Reporter: kwilson, Assigned: kwilson


Whiteboard: In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40


CA Details
----------

CA Name:  Entrust
Website:  www.entrust.net

Entrust is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use. Currently Entrust has eight (8) enterprise subordinate CAs that issue certificates for SSL and S/MIME internal use. There are also six (6) commercial subordinate CAs that issue SSL certificates and one that issues S/MIME certificates to the public.

Audit Type (WebTrust, ETSI etc.):  WebTrust for CA and WebTrust for EV
Auditor:  Deloitte and Touche LLP
Auditor Website:  www.deloitte.ca
Audit Document URL(s):  https://entrust.webtrust.org/ViewSeal?id=328

Certificate Details

Certificate Name:  Entrust Root Certification Authority - G2

Summary:  This is a new root which has been signed with the SHA-256 algorithm. This root is intended to eventually replace Entrust's SHA-1 signed roots. This root is intended to be used for commercially issuing SSL, S/MIME, and Code Signing certificates.

Certificate HTTP download URL (on CA website):  http://www.entrust.net/developer/index.cfm

Version:  V3
SHA1 Fingerprint:  8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4
Modulus Length (a.k.a. "key length"):  RSA (2048 bits)
Valid From (YYYY-MM-DD):  2009-07-07
Valid To (YYYY-MM-DD):  2030-12-07

CRL HTTP URL:  not applicable for the root; issuing CA CRL can be found at http://crl.entrust.net/g2ca.crl
CRL issuing frequency for end-entity certificates:  CRL is issued every 24 hrs, valid for 7 days
OCSP URL:  http://ocsp.entrust.net

Class (domain-validated, identity/organisationally-validated or EV):  OV and EV
EV policy OID(s) (if applicable):  2.16.840.1.114028.10.1.2
Certificate Policy URL:  http://www.entrust.net/CPS
CPS URL:  http://www.entrust.net/CPS

Requested Trust Indicators (email and/or SSL and/or code):  email, SSL and code signing
URL of website using certificate chained to this root (if applying for SSL):  https://validg2.entrust.net/
This request was split out from bug #694536.

Status from that bug:
The G2 root is still not in production, has not issued an intermediate certificate, and does not have CRL/OCSP support. If any of the above are requirements for inclusion, please let me know and I will get them addressed.

Regarding EV for the roots:
- EV Audit report, https://entrust.webtrust.org/ViewSeal?id=328
- 2048 test site, https://2048test.entrust.net/
- G2 test site, https://validg2.entrust.net/
- We will work on completion of the PSM:EV Testing Easy Version.
Whiteboard: EV - Information incomplete
Status: NEW → ASSIGNED
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Summary: Add Entrust G2 root certificate → Add Entrust G2 and EC1 root certificates
Please see the items highlighted in yellow -- regarding CA Hierarchy.
Posted image G2 EV Test.png
Posted image EC1 EV Test.png
Hey Bruce, I saw your comments on October 8th 2014 for the Entrust G2 EV test and EC1 EV test. We are starting to order certificates from Entrust that are relying upon the following SHA-256 based root and intermediate non-EV certificate chain, and that is still failing using the latest version of Mozilla Firefox v 32.0.3 as of October 11th 2014.

==================================

ENTRUST SHA2 BASED ROOT CERTIFICATE:
Subject:                  CN = Entrust Root Certification Authority - G2
Serial Number:            4a 53 8c 28
Issuer:                   CN = Entrust Root Certification Authority - G2
Valid from:               Tuesday, July 07, 2009 12:25:54 PM
Valid to:                 Saturday, December 07, 2030 12:55:54 PM
Signature algorithm:      sha256RSA
Signature hash algorithm: sha256
Thumbprint:               8c f4 27 fd 79 0c 3a d1 66 06 8d e8 1e 57 ef bb 93 22 72 d4

==================================

ENTRUST SHA2 BASED INTERMEDIATE CERTIFICATE:
Subject:                  CN = Entrust Certification Authority - L1K
Serial Number:            51 d3 60 cf
Issuer:                   CN = Entrust Root Certification Authority - G2
Valid from:               Tuesday, August 26, 2014 12:14:49 PM
Valid to:                 Tuesday, August 27, 2024 3:34:47 AM
Signature algorithm:      sha256RSA
Signature hash algorithm: sha256
Thumbprint:               c3 d9 87 c4 59 e1 e4 5e cd 2c ca 05 35 fa d0 74 d0 8e 69 cd

==================================


Do we have any timeline when the above mentioned non-ev "Entrust Root Certification Authority - G2" rootca certificate will be included in the Mozilla trust store?

It seems this is becoming more urgent given the recent decision by Google Chrome to deprecate support for SHA1 based certificates expiring beyond 2015.

Does anyone know of an entrust test page similar to https://validec.entrust.net and https://validg2.entrust.net that can confirm whether a browser at hand has the necessary root cert in its trust store to support the sha2 based G2 rootca cert mentioned above?

Thanks and kind regards.
Flags: needinfo?(bruce.morton)
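The failure described in the comment above is the classic "chain is fine, anchor is missing" case: the server sends a leaf, the L1K intermediate and the G2 root, but the browser's trust store does not yet contain G2, so the walk ends at a self-signed certificate nobody trusts. The following added example (not Mozilla/NSS or Entrust code) models exactly that walk and shows how adding the G2 root's fingerprint to the store, as this bug eventually did, resolves it. It also normalises the fingerprint formats that appear in this thread ("8CF4 27FD ..." in the application form, "8c f4 27 fd ..." in the pasted certificate dump) so they compare equal. The root and intermediate names, dates and SHA-1 fingerprints are copied from this bug; the leaf certificate, the legacy placeholder root and the evaluation date are constructed. The model checks only issuer linkage, validity dates and trust-anchor membership; it does not verify signatures, key usage or name constraints, which a real verifier also does.

```python
"""Why a chain ending in a not-yet-included root fails, and how trusting
the root fixes it. Added illustration for this bug thread, not NSS code.
Only issuer linkage, validity dates and anchor membership are modelled;
signatures, key usage and name constraints are deliberately left out."""
import re
from dataclasses import dataclass
from datetime import date


def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a printed SHA-1 fingerprint so the Bugzilla form
    ('8CF4 27FD ...'), the certmgr form ('8c f4 27 fd ...') and the
    OpenSSL form ('8C:F4:27:FD...') all compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digits


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    sha1: str  # normalized SHA-1 fingerprint

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Root and intermediate as listed in this bug (names, validity, fingerprints).
G2_ROOT = Cert(
    "CN = Entrust Root Certification Authority - G2",
    "CN = Entrust Root Certification Authority - G2",
    date(2009, 7, 7), date(2030, 12, 7),
    normalize_fingerprint("8CF4 27FD 790C 3AD1 6606 8DE8 1E57 EFBB 9322 72D4"),
)
L1K_INTERMEDIATE = Cert(
    "CN = Entrust Certification Authority - L1K",
    "CN = Entrust Root Certification Authority - G2",
    date(2014, 8, 26), date(2024, 8, 27),
    normalize_fingerprint("c3 d9 87 c4 59 e1 e4 5e cd 2c ca 05 35 fa d0 74 d0 8e 69 cd"),
)
# Constructed placeholder server certificate (not a real certificate).
LEAF = Cert(
    "CN = www.example.test",
    "CN = Entrust Certification Authority - L1K",
    date(2014, 9, 1), date(2016, 9, 1),
    "0" * 40,
)
# Constructed placeholder for an older root the browser already trusts.
LEGACY_ROOT = Cert(
    "CN = constructed legacy root (placeholder)",
    "CN = constructed legacy root (placeholder)",
    date(2000, 1, 1), date(2030, 1, 1),
    "F" * 40,
)

CHAIN = [LEAF, L1K_INTERMEDIATE, G2_ROOT]  # leaf first, as a server sends it
STORE_BEFORE = {LEGACY_ROOT}                # trust store before this inclusion
STORE_AFTER = STORE_BEFORE | {G2_ROOT}      # after the G2 root is added
REPORT_DATE = date(2014, 10, 11)            # date of the report above


def evaluate_chain(chain, trust_store, today):
    """Walk from the leaf towards a trust anchor. Returns (ok, reason).

    Stops at the first certificate whose fingerprint is in the store, so a
    server need not send the root once it is trusted; an issuer missing from
    the sent chain is looked up among the anchors by subject name."""
    trusted_fps = {c.sha1 for c in trust_store}
    anchors_by_subject = {c.subject: c for c in trust_store}
    by_subject = {c.subject: c for c in chain}
    cur, visited = chain[0], set()
    while True:
        if not (cur.not_before <= today <= cur.not_after):
            return False, f"'{cur.subject}' is not valid on {today}"
        if cur.sha1 in trusted_fps:
            return True, f"anchored at trusted '{cur.subject}'"
        if cur.self_signed:
            return False, f"self-signed root '{cur.subject}' is not in the trust store"
        visited.add(cur.subject)
        nxt = by_subject.get(cur.issuer) or anchors_by_subject.get(cur.issuer)
        if nxt is None:
            return False, f"issuer '{cur.issuer}' neither supplied nor trusted"
        if nxt.subject in visited:
            return False, "issuer loop in supplied chain"
        cur = nxt


if __name__ == "__main__":
    print(evaluate_chain(CHAIN, STORE_BEFORE, REPORT_DATE))
    print(evaluate_chain(CHAIN, STORE_AFTER, REPORT_DATE))
```

Run as a script, the first line reports that the self-signed G2 root is not in the trust store, which is the error the comment describes; the second, with G2 added as an anchor, succeeds. A defender checking a pinned root against the fingerprint published in a request like this one should compare normalised fingerprints, not the displayed strings, since every tool prints them differently.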
See also https://community.qualys.com/thread/13848 where this issue is noted as also being a problem for the Qualys SSL test page when testing sites that are relying upon the "Entrust Root Certification Authority - G2" root and "Entrust Certification Authority - L1K" intermediate certificates.
Hi Tocoro,

We are working with Mozilla to clear up the embedding issue. If you are finding issues, I recommend that you contact our Support group, ssl@entrust.net, who will work you through any problems.

Thanks, Bruce.
Flags: needinfo?(bruce.morton)
This request has been added to the queue for public discussion. 
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
I am now opening the first public discussion period for this request from Entrust to include the “Entrust Root Certification Authority - G2” and “Entrust Root Certification Authority - EC1” root certificates, turn on all three trust bits for both, and enable EV treatment for both. These new root certificates are intended to eventually replace Entrust's currently included SHA-1 root certificates.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “Entrust Root Renewal Request”.

Please actively review, respond, and contribute to the discussion.

A representative of Entrust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
I entered the data for this request into SalesForce, and printed the Case summary for comparison with the old format.
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where Entrust has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy]. 
Entrust appears to provide a service relevant to Mozilla users. It is a commercial CA serving the global market for SSL web certificates. Entrust also issues certificates to subordinate CAs for enterprise and commercial use.

CPS: http://www.entrust.net/CPS
EV CPS: http://www.entrust.net/CPS/pdf/EV-SSL-CPS-English-20140304-v1-6.pdf

Inclusion Policy Section 7 [Validation]. 
* SSL Verification Procedures: Entrust RAs verify that the certificate applicant owns/controls the domain name to be included in the certificate as described in section 3.1.10 of the CPS.
* Email Verification Procedures: Entrust RAs verify that the certificate applicant has control of the e-mail address to be included in the certificate as described in section 3.1.11 of the CPS.
* Code Signing Subscriber Verification Procedure: Entrust only issues Code Signing certificates to organizations. Organization identity information and authorization is verified the same as with Entrust EV SSL certificates less, of course, the domain information.

Certificate Revocation
CPS section 4.4.3: CRLs updated within 24 hours of revocation request.
CPS section 4.4.9: CRLs for end entities shall be issued at least once every seven days.
CPS section 4.4.11: OCSP responses for end-entities issued at least every 4 days, with max expiration time of 10 days.

Inclusion Policy Sections 11-14 [Audit]. 
Annual audits are performed by Deloitte LLP, according to the WebTrust criteria.
https://entrust.webtrust.org/SealFile?seal=328&file=pdf

Root Certificate 1 of 2

Root Certificate Name: Entrust Root Certification Authority - G2
Trust Bits: Code; Email; Websites
EV Policy OID: 2.16.840.1.114028.10.1.2
Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=567059
CRL URL: http://crl.entrust.net/g2ca.crl
OCSP URL: http://ocsp.entrust.net/

CA Hierarchy: This G2 root will have internally-operated subordinate CAs, and will eventually have externally-operated subordinate CAs. This G2 root is intended to eventually replace Entrust's SHA-1 root certificates, so the externally-operated subordinate CAs will eventually be migrated to the new G2 CA hierarchy.
For the currently included Entrust root certificates, Entrust’s Third Party Subordinate CA Disclosure:
http://www.entrust.net/about/third-party-sub-ca.htm
According to Entrust’s CPS, all subordinate CAs are required to be audited annually, whether they are technically constrained or not.
CPS Appendix B: Third Party Subordinate CAs are assessed to meet the requirements of the CP and/or CPS on an annual basis using one of the audit criteria specified in the Baseline Requirements.

Cross Signing: The G2 root has signed 2 Entrust issuing CAs.


Root Certificate 2 of 2

Root Certificate Name: Entrust Root Certification Authority - EC1
Trust Bits: Code; Email; Websites
EV Policy OID: 2.16.840.1.114028.10.1.2
Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=813664
CRL URL: http://crl.entrust.net/ec1root.crl
OCSP URL: http://ocsp.entrust.net/

CA Hierarchy: This EC1 root will have internally-operated subordinate CAs, and will eventually have externally-operated subordinate CAs.

Cross Signing: The EC1 root has signed 1 Entrust issuing CA.

CA’s Response to Mozilla’s list of Potentially Problematic Practices
* SSL certs are OV or EV
* Entrust only issues OV wildcard certificates
* Entrust allows third party domain/email verification. All third party certificate requests are reviewed by Entrust before issuance. Third Party RAs are also audited annually by a third party auditor.
* Entrust generates keys for Subscribers only for Class 2 Client certificates. The P12 files are encrypted using a password provided by the applicant at time of enrollment.
* Entrust does issue SSL certificates with internal host names and reserved IP addresses. We will be phasing this practice out in accordance with the Baseline Requirements.
* Entrust is issuing SHA-2 end entity certificates. The default signing algorithm uses SHA-2. We do allow the certificate Subscriber to choose SHA-1 and we provide a warning that in the future it will have trust issues with some browsers. In December 2014, we will limit the SHA-1 validity period to 31 December 2016. As of 1 January 2016, we will stop issuing SHA-1 signed publicly trusted certificates.

Based on this assessment, I intend to approve this request from Entrust to include the “Entrust Root Certification Authority - G2” and “Entrust Root Certification Authority - EC1” root certificates, turn on all three trust bits for both, and enable EV treatment for both.
Whiteboard: EV - In Public Discussion → EV - Pending Approval
As per the summary in Comment #17, and on behalf of Mozilla I approve this request from Entrust to include the following root certificates:

** “Entrust Root Certification Authority - G2” (websites, email, code signing), enable EV
** “Entrust Root Certification Authority - EC1” (websites, email, code signing), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1120604
Depends on: 1120608
I have filed bug #1120604 against NSS and bug #1120608 against PSM for the actual changes.
Any idea when this will be included?  Please make sure it hits the ESR branch as well.
(In reply to Marc Meltzer from comment #20)
> Any idea when this will be included?  Please make sure it hits the ESR
> branch as well.

Root inclusions are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months.

We are planning to do the next batch of root changes soon, and are planning for the changes to be in Firefox 38. https://wiki.mozilla.org/RapidRelease/Calendar
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.18, Firefox 38 -- Pending PSM changes for EV
Just a comment: I just tried to access MasterCard's site for corporate credit card reconciliations, https://sdg2.mastercard.com. I wouldn't have found this bug myself - hat tip to @sleevi_ - but it seems that site has bought from this root and is actively using it. Both FF and Chrome throw cert invalid errors.
Status: ASSIGNED → RESOLVED
Resolution: --- → FIXED
Whiteboard: In NSS 3.18, Firefox 38 -- Pending PSM changes for EV → In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40
Product: mozilla.org → NSS