Unless anyone has strong and principled objections I'm going to approve
this request. Note that this doesn't constitute final approval of
VeriSign for Extended Validation purposes, since we don't yet have a
final version of the new Mozilla CA certificate policy that addresses EV
certificates. However the general changes to be made to the policy are
clear, even if the language is final, and to my knowledge VeriSign comes
as close to satisfying the proposed revised policy as any other CA. This
includes updating practices to conform to the final 1.0 version of the
CAB Forum guidelines, as noted in the most recent relevant CPS:
http://www.verisign.com/repository/CPS/VeriSignCPSv3.5.pdf
(See Appendices B1 through B4.)
Note that I don't want to unfairly put VeriSign at an advantage
vis-a-vis other CAs in terms of EV support in the Firefox 3.0 final
release. Therefore my priority is to get the 1.1 revision of the Mozilla
CA certificate policy in place as soon as possible and proceed
immediately to consider other CAs who have EV roots they'd like to include.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
s/final/not final/
I believe this is a new root entirely. If it is chained to an existing root in
NSS, we don't need to add it to NSS.
Wan-Teh
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
In this case the answer is "a root which ... is chained to an existing
root in NSS". Bob Lord explained it all to me a while back, and I'll try
to convey the situation accurately; if I get the details wrong I'm sure
someone will correct me.
If you look at the VeriSign CA hierarchy
http://www.verisign.com/repository/hierarchy/hierarchy.pdf
then the CA we're concerned with here is in the upper right of the
diagram, "VeriSign Class 3 Public Primary Certification Authority - G5".
This CA (which I'll call "PCA3 G5" for short) has under it the two
subordinate CAs ("VeriSign Class 3 Extended Validation SSL CA" and
"VeriSign Class 3 Extended Validation SSL SGC CA") by which VeriSign is
issuing EV certificates.
As noted in the diagram, the certificate for PCA3 G5 is not a true
self-signed root CA cert, but is issued from the existing VeriSign
Public Primary CA ("PCA3 G1"), which has a self-signed root already in
NSS. That means that today (i.e., in Firefox 2 and current Firefox 3
builds) VeriSign's EV SSL certs are recognized as valid SSL certs
(because a chain exists up to a recognized root), but are not given EV
treatment. In this context PCA3 G5 is treated as just another
intermediate CA. (You can see this by going to <https://www.fnac.com/>
with Firefox 2 and looking at the cert details.)
The proposal for EV testing, as I understand it, is to add the CA
certificate for PCA3 G5 to the NSS root list, and to mark it with the
associated EV metadata. Then when the Firefox 3 beta releases encounter
a certificate issued from either of the two VeriSign EV subordinate CAs,
the chain processing will stop at PCA G5 (instead of continuing on to
PCA G1). The EV metadata stored for PCA G5 will then cause NSS and PSM
to treat the end-entity cert in question as an EV cert, and Firefox will
present the EV UI.
Note that I think that at least some other CAs are planning to take a
similar approach to incorporating EV certs into their hierarchy, i.e.,
introducing a new EV "root" signed by an existing root. My understanding
is that the certificate path processing in these cases can get tricky
because there two valid paths (up to the existing root and up to the new
EV "root"); hence the need to get some good testing of these scenarios
well before Firefox 3 final release.
Does this answer your question?
Not so, as I understand it. See my message I just posted, and blame
blord if I have it wrong :-)
I can confirm that it is an entirely new root. The CN is 'VeriSign Class
3 Public Primary Certification Authority - G5'.
-Rick Andrews
The Mozilla CA policy states clearly under section 14 that a CA should
submit a formal request by submitting a bug report
<https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
into the mozilla.org Bugzilla system, filed against the "CA
Certificates" component of the "mozilla.org" product. The request should
include the following....etc..etc...
In addition to that, a practice and process has been developed which
includes the involvement of the community for the acceptance of a CA
root. This gives the community members the chance to validate the
information and raise eventual issues and concerns. In this, as in any
other case I think it's appropriate to follow the same rules for all. It
is even more important when we are talking about the market leader!
Additionally without Mozilla having formal request which indicates that
the CA in question wants to have the root published in this software at
all, there might be legal concerns as well. Otherwise why not include
this CA root: http://www.verisign.com/repository/roots/pca_certificate.html
CA roots are first of all the property of the CA and by making a formal
request the CA indicates the interest in having the root included in the
software. It also implies to some extend that the CA in question wants
to adhere to the Mozilla CA policy...There are more factors and legalese
involved, but I guess I'm making the point here....
If there is a need to test EV-related functionality in NSS and Firefox 3
beta releases, than there are other CAs which have been admitted
recently which would conform to the "to-be-published" updated Mozilla CA
policy. Should the CA certificate in question be chained to an existing
root nevertheless, than this should be only a minor and formal issue and
you can disregard the said above. In such a case, I'd only have some
technical and practical questions.
I think the issue is that the CA cert in question (VeriSign PCA3 G5)
needs to be both specifically known to NSS (i.e., preloaded) and also
marked with EV metadata (i.e., the associated EV policy OID). Otherwise
the CA cert will be unknown to NSS, and NSS will treat it as an
intermediate CA cert chaining up to a separate known root (PCA3 G1).
Note that the VeriSign case is distinct from the case where an existing
root CA cert is simply marked with EV metadata. I don't know which (if
any) CAs plan to take this approach.
I gave an example already in my previous message:
<https://www.fnac.com/>. <https://www.paypal.com/> shows this as well.
Also, you can try these in Vista/IE7 to see how they're handled there
vs. XP/IE6.
Yes, those are CAs that indicated to Gerv that they would be issuing EV
certs. I haven't yet checked these to confirm that the roots in question
actually have associated EV policy OIDs and are otherwise ready for EV
treatment from a technical standpoint (leaving the policy issues aside
for now).
Note that my goal here is *not* to bump VeriSign to the front of the
line and show them favoritism. My goal is simply to help the NSS team
out with their testing efforts, for a particular EV-related scenario
that needs good testing. I would be glad to entertain requests from
other CAs that want EV treatment for their certs as well, and will do my
best to process those requests in a timely manner.
There appears to be some confusion around this root. Let me try to
clarify:
Microsoft made a significant change in Windows Vista regarding embedded
root certificates: the OS ships with only a small handful of
certificates deemed essential to Windows. That does not include
VeriSign's roots. Instead, Microsoft has built into Vista the ability to
obtain trusted root certificates silently, on demand from Windows
Update. This ability is part of Windows XP as well, although XP shipped
with a large number of roots. On XP or Vista, if the OS ever encounters
a root certificate that it does not have in its cached root store, it
will check with Windows Update to see if it can obtain the root there.
If Windows Update knows about the root, it will return the root
certificate along with any meta-data that goes along with it. For
example, roots that can sign EV certificates are marked with special
meta data, not with any special indication in the certificate itself.
It's important to note that if Windows XP or Vista encounters a root
that is already in its cached root store, it will not check with Windows
Update to see if the meta-data has changed. And if a root is downloaded
from Windows Update, it will remain in the computer's root cache until
it expires.
When VeriSign planned to create a new certificate hierarchy from which
to issue EV SSL certificates, we naturally wanted to use our existing
root as the root of that hierarchy. That root is widely deployed in a
large number of browsers, both on desktops and handheld devices such as
cell phones. These older browsers know nothing of EV and cannot display
green toolbars, yet it is a firm requirement that they should be able to
establish a secure SSL session with EV-protected web sites. They should
not display any warning dialog, such as they might if the web site's
certificate chained up to an unknown, untrusted root.
We needed Microsoft to create the meta-data for our root that would
indicate that it is a root that can issue EV certificates. However,
there was a problem: Microsoft pointed out that Vista, since it did not
ship with our root, would retrieve our root and the associated EV
meta-data; but XP, since it shipped with our root, would not fetch the
EV meta-data from Windows Update. XP users would not be able to see the
green toolbar.
We investigated many ways of getting the root meta-data into Windows XP
systems. Microsoft suggested creating a new root that would carry the EV
meta-data, and cross-sign the new root with our old root. This is the
solution we implemented.
Web servers with a VeriSign EV cert are configured with the end entity
cert and two intermediate CAs: the EV CA and a cross-signed cert. The
chain looks like this:
end-entity int. CA cross-cert
issuer: EV CA -> PCA3-G5 -> PCA3-G5
subject: <www.foo.com> -> EV CA -> PCA3
Hence, old browsers will see this end-entity cert as chaining up to
PCA3, our old root that is already in their browsers. They will accept
it as a trusted chain.
If the IE7 on Vista user has our PCA3-G5 root and then hits this site,
the browser will see that the end-entity cert appears to chain up to two
roots: the old PCA3 root, and the new EV root called PCA3-G5. The path
to the old root is 4 levels deep, and the path to the new root is 3
levels deep. IE7 favors the shorter chain, and thus accepts this cert as
a trusted cert that chains up to an EV-capable root.
I'm sure I've confused a lot of people with this. I can try to go into
more detail if necessary.
-Rick Andrews
--
Rick Andrews __o Phone: 650-426-3401
VeriSign, Inc. _ \>,_ Fax: 650-426-5195
487 E. Middlefield Rd. ...(_)/ (_) URL: www.verisign.com
Mountain View, CA 94043 email: rand...@verisign.com
Excellent, I'll go ahead and tell the NSS guys to proceed as requested.
> I still own you
> an answer concerning the policy update and intend to this soon.
OK, looking forward to your comments.
Andrews, Rick wrote:
> Web servers with a VeriSign EV cert are configured with the end entity
> cert and two intermediate CAs: the EV CA and a cross-signed cert.
If so, wouldn't it be better to formally include the new (EV) root in
NSS in its own right instead of using the cross signed and chained to
the old root?
________________________________
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy...@startcom.org]
Sent: Wednesday, November 07, 2007 1:42 PM
To: Andrews, Rick
Cc: dev-tec...@lists.mozilla.org
Subject: Re: Inclusion of VeriSign EV root in Firefox 3 betas
for testing
Hi Andrews,
Andrews, Rick wrote:
Web servers with a VeriSign EV cert are configured with
the end entity
cert and two intermediate CAs: the EV CA and a
cross-signed cert.
If so, wouldn't it be better to formally include the new (EV)
root in NSS in its own right instead of using the cross signed and
chained to the old root?
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org
Will this be done only for testing purposes? Or will the certificate be
included in an end-user release without further analysis? Or will the
certificate be subjected to analysis per the final policy revision
before end-user release?
You have indicated that there is no intent to give VeriSign any
advantage over other CAs. If the certificate is included in an end-user
release without further analysis, will other EV certificates also be
included with the same pre-policy analysis?
In the meantime, I second Nigg's concern that a bug report is required.
The same process as already used for other certificates should be
followed, including a review of the CA's audit and a two-week comment
period. All this should be done before any end-user release. However,
testing could be conducted in parallel on an installation from which the
certificate could be removed prior to end-user release if the formal
process is not yet completed.
--
David E. Ross
<http://www.rossde.com/>
Natural foods can be harmful: Look at all the
people who die of natural causes.
My intention is to go back and evaluate VeriSign conformance to the
(revised) Mozilla policy as it relates to EV, same as I would for any
other CA that wants EV treatment. My short-term goal is just to get the
VeriSign cert into NSS for testing with Firefox 3 beta versions. Once I
get agreement on the revised policy then I'll solicit requests from
VeriSign and everyone else who'll be issuing EV certs, and those
requests will be handled in the normal way.
Would there be any problem with Verisign making a formal inclusion
request for the root(s) in question?
Andrews, Rick wrote:
> Eddy,
>
> Yes, I think we need to include the new EV root in NSS, as well as our
> older PCA3 root. Web servers still need to be configured with the
> intermediate and cross-signed certs so that older browsers that only
> know about the older PCA3 root see the EV cert as chaining up to that
> trusted root. FF3, if it has the new root in it, should ignore the
> cross-cert and conclude that the intermediate CA chains up to the new
> EV root.
>
> -Rick
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
________________________________
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy...@startcom.org]
Sent: Wednesday, November 07, 2007 2:54 PM
To: Andrews, Rick
Cc: dev-tec...@lists.mozilla.org
Subject: Re: Inclusion of VeriSign EV root in Firefox 3 betas
for testing
Hi Rick,
Would there be any problem with Verisign making a formal
inclusion request for the root(s) in question?
Andrews, Rick wrote:
Eddy,
Yes, I think we need to include the new EV root in NSS,
as well as our older PCA3 root. Web servers still need to be configured
with the intermediate and cross-signed certs so that older browsers that
only know about the older PCA3 root see the EV cert as chaining up to
that trusted root. FF3, if it has the new root in it, should ignore the
cross-cert and conclude that the intermediate CA chains up to the new EV
root.
-Rick
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
This CA is currently used to sign certificates for SSL-enabled servers,
and may
in the future be used to sign certificates for digitally-signed
executable code
objects.
The CP is at http://www.verisign.com/repository/CPS/VeriSignCPv2.5.pdf
The CPS is at http://www.verisign.com/repository/CPS/VeriSignCPSv3.5.pdf
Attestation of our conformance to the stated verification requirements
can be
found here: http://www.verisign.com/repository/index.html (Click on the
"AICPA/CICA WebTrust for Certification Authorities Audit Report" link)
-Rick
--
Rick Andrews __o Phone: 650-426-3401
VeriSign, Inc. _ \>,_ Fax: 650-426-5195
487 E. Middlefield Rd. ...(_)/ (_) URL: www.verisign.com
Mountain View, CA 94043 email: rand...@verisign.com
________________________________
From: Eddy Nigg (StartCom Ltd.) [mailto:eddy...@startcom.org]
Sent: Wednesday, November 07, 2007 2:54 PM
To: Andrews, Rick
Cc: dev-tec...@lists.mozilla.org
Subject: Re: Inclusion of VeriSign EV root in Firefox 3 betas
for testing
Hi Rick,
Would there be any problem with Verisign making a formal
inclusion request for the root(s) in question?
Andrews, Rick wrote:
Eddy,
Yes, I think we need to include the new EV root in NSS,
as well as our older PCA3 root. Web servers still need to be configured
with the intermediate and cross-signed certs so that older browsers that
only know about the older PCA3 root see the EV cert as chaining up to
that trusted root. FF3, if it has the new root in it, should ignore the
cross-cert and conclude that the intermediate CA chains up to the new EV
root.
-Rick
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org
There does not appear to be any "CA Certificates" entry in the
"Component" popup, so I used "General".
In any case it's great that you submitted the request!
Andrews, Rick wrote:
> BTW, Step 14 on the CA certificate policy page
> (http://www.mozilla.org/projects/security/certs/policy/) says 'a CA
> should submit a formal request by submitting a bug report into the
> mozilla.org Bugzilla system, filed against the "CA Certificates"
> component of the "mozilla.org" product.'
>
> There does not appear to be any "CA Certificates" entry in the
> "Component" popup, so I used "General".
>
> -Rick
>
>
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
> I would like to raise a few questions here. As Wan-Teh indicated, this
> is an entirely new root and not the flagging of an existing root as EV.
>
> The Mozilla CA policy states clearly under section 14 that a CA should
> submit a formal request by submitting a bug report
> <https://bugzilla.mozilla.org/enter_bug.cgi?product=mozilla.org&component=CA%20Certificates>
> into the mozilla.org Bugzilla system, filed against the "CA
> Certificates" component of the "mozilla.org" product. The request should
> include the following....etc..etc...
>
> In addition to that, a practice and process has been developed which
> includes the involvement of the community for the acceptance of a CA
> root. This gives the community members the chance to validate the
> information and raise eventual issues and concerns. In this, as in any
> other case I think it's appropriate to follow the same rules for all. It
> is even more important when we are talking about the market leader!
>
> Additionally without Mozilla having formal request which indicates that
> the CA in question wants to have the root published in this software at
> all, there might be legal concerns as well. [snip]
Frank, In the past, Gerv rejected all CA cert requests that did not
originate from a representative of the CA itself, citing the policy.
By honoring a request to include the Verisign CA cert, which request did
not originate with a representative of the CA, this is an implicit change
in practice regarding the policy.
I think we should be absolutely consistent with regard to this aspect of
the policy. If we decide, now, that we ARE willing to accept requests
from third parties, then I think we should go back to the recently
rejected requests (in bugzilla) and reopen them and reconsider them.
Note that several requests have been sent to the members of the CABForum,
inviting them (begging them? :) to submit their new root CA requests to
mozilla (through bugzilla), and those requests for requests have been
largely ignored. Most of the CABForum CAs have not yet filed requests
for inclusion of their root CA certs in bugzilla.
I mention this because it may come to pass that, in order for EV to be
perceived by users as working in Firefox, it will be necessary for
mozilla to consider adding certs for CAs that have NOT requested the
addition of their certs. So, I think we should be prepared for the
possibility that the requests simply will not have arrived by the time
FF3 is ready to ship.
Perhaps you should consider asking the CABForum members, again, to apply
for inclusion of their EV roots in mozilla products.
/Nelson
The "FireFox" product does not have a "CA Certificates" component, but
the mozilla.org product does. I moved the bug to the right product and
component. Thanks for filing the request. I hope that more CABForum
members will do likewise soon.
/Nelson
I think this is a moot point now, at least with regard to VeriSign,
since Rick Andrews has now submitted bug 402947.
> Note that several requests have been sent to the members of the CABForum,
> inviting them (begging them? :) to submit their new root CA requests to
> mozilla (through bugzilla), and those requests for requests have been
> largely ignored. Most of the CABForum CAs have not yet filed requests
> for inclusion of their root CA certs in bugzilla.
<snip>
> Perhaps you should consider asking the CABForum members, again, to apply
> for inclusion of their EV roots in mozilla products.
I will do that, once the 1.1 policy is finished. (I hope I can declare
that done very soon, by the end of this week if possible.) Goodness
knows I have more than enough work to do evaluating inclusion requests
from CAs that have explicitly asked to be included. If I invite a CA to
have their EV root be included (or an existing root be marked as
EV-capable), and they don't respond to that invitation, then I likely
won't feel any obligation to do anything about their EV root.
Who decided and why that EV meta data can only be added to trust anchors?
Ciao, Michael.
I'm not sure exactly what you mean here. The particular technical
details of how "EV-ness" is represented in certificates and via
associated metadata were worked out by the various members of the CAB
Forum, and documented in (e.g.) section 7 of the EV guidelines.
I'm not an expert in this by any means, but I think this is addressed by
the section 7 text I referenced earlier: If a root has two subordinates,
one of which issues EV certs and one of which doesn't, then the CA cert
for the first subordinate includes the EV policy OID assigned to that
subordinate (or, as a special case for "in house" subordinates, the
"anyPolicy" OID), and NSS keeps a record of that EV policy OID as
metadata with the root CA cert.
So for subordinate 1 the process looks like this AFAIK:
1. NSS finds that the end entity cert has a policy OID.
2. NSS verifies that the subordinate 1 CA cert has that same policy OID
(or the anyPolicy OID).
3. NSS verifies that the same policy OID is stored as (pre-loaded)
metadata with the (pre-loaded) root CA cert.
4. NSS recognizes the policy OID as indicating "EV-ness" and does
whatever it does to accord EV treatment to the EE cert.
For subordinate 2, even though the end entity cert may have a policy OID
meant to indicate EV-ness, the subordinate 2 CA lacks that policy OID
(or the anyPolicy OID) and so the EE cert will fail the "EV test".
So AFAICT there's no need for NSS to pre-load the subordinate 1 CA cert.
I'd like to make some of you aware of the latest entry by Rick from
Verisign of the bug 402947. Rick writes, that their EV audit is under
way...meaning that Verisign hasn't finished the process of the first
audit yet. This might give us an indication about why some/many of the
potential issuers of EV certificates haven't yet requested to have their
root(s) marked as such since auditing is still under way.
The inclusion request by Verisign confirms the Mozilla CA policy and
Mozilla's firm commitment to it. I'm very glad to see this happening
now, which sets an example for all CAs with legacy roots in NSS. There
will be no excuse by anybody, being it developer or CA not to undergo
the formal process Mozilla requires.
--
Yes. Just to be clear on this: Since we now have a formal policy
relating to EV, and the policy requires completion of an EV audit per
the guidelines, I will not be approving any CA requests for permanent
upgrades to EV status until/unless the CAs in question finish their
audits and publish the accompanying auditor letters.
However in the meantime as I previously noted I will approve requests
from the NSS team for temporary EV upgrades and related changes in order
to do testing of the NSS EV code (e.g., for Firefox 3 beta). Such
approval does not constitute approval for permanent upgrades, which will
be handled per policy as discussed above.