
Comodo request for EV root inclusion (COMODO Certification Authority)


Frank Hecker

Mar 7, 2008, 1:05:25 PM
Comodo has applied to (among other things) add a new EV root CA
certificate for the COMODO Certification Authority to the Mozilla root
store, as documented in the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=401587

and in the pending certificates list:

http://www.mozilla.org/projects/security/certs/pending/#Comodo

I have evaluated this request, as per the mozilla.org CA certificate policy:

http://www.mozilla.org/projects/security/certs/policy/

and plan to officially approve the request after a public comment period.

Note that this request specifically refers to the COMODO Certification
Authority root CA certificate referenced in comment #16 to bug 401587:

https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16

To simplify the process I am doing this particular root first, and then
I will consider Comodo's requests related to the other Comodo roots.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Eddy Nigg (StartCom Ltd.)

Mar 7, 2008, 3:19:29 PM
to Frank Hecker, dev-tec...@lists.mozilla.org
Frank Hecker:
Sorry Frank, but I can't figure which root *exactly* you are referring
to. If you also know which and how many sub roots are already issued
from this root it would be helpful information.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: star...@startcom.org <xmpp:star...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

Frank Hecker

Mar 7, 2008, 3:40:58 PM
Eddy Nigg (StartCom Ltd.) wrote:
> Sorry Frank, but I can't figure which root *exactly* you are referring
> to.

It's in the subject line and the message body: The name of the root is
in fact "COMODO Certification Authority". My apologies if that wasn't
clear. It's the last root certificate listed in the Comodo entry in the
pending list:

http://www.mozilla.org/projects/security/certs/pending/#Comodo

There are 11 other roots listed in that entry and included in the
overall set of Comodo requests in bug 401587, but the "COMODO
Certification Authority" root is the only new root. (As I mentioned in
my previous message, I'll discuss the other roots in due course.)

> If you also know which and how many sub roots are already issued
> from this root it would be helpful information.

By "sub roots" I presume you mean subordinate CAs. At present there are
two subordinate CAs under the "COMODO Certification Authority" root:
"COMODO EV SSL CA" and "COMODO EV SGC CA". These two subordinates are
the issuing CAs for end entity certs.

Eddy Nigg (StartCom Ltd.)

Mar 7, 2008, 3:52:03 PM
to Frank Hecker, dev-tec...@lists.mozilla.org
Frank Hecker:

> It's in the subject line and the message body: The name of the root is
> in fact "COMODO Certification Authority".
Oh, I didn't realize that... the name sounds so general, I didn't
think this to be the name of the CA root certificate ;-)

> There are 11 other roots listed in that entry and included in the
> overall set of Comodo requests in bug 401587, but the "COMODO
> Certification Authority" root is the only new root. (As I mentioned in
> my previous message, I'll discuss the other roots in due course.)
>

+1 I like this approach.


>
> By "sub roots" I presume you mean subordinate CAs. At present there are
> two subordinate CAs under the "COMODO Certification Authority" root:
> "COMODO EV SSL CA" and "COMODO EV SGC CA". These two subordinates are
> the issuing CAs for end entity certs.
>

Exactly what I meant, thanks!

Eddy Nigg (StartCom Ltd.)

Mar 18, 2008, 12:08:56 PM
to Frank Hecker, dev-tec...@lists.mozilla.org
Frank Hecker:

> Comodo has applied to (among other things) add a new EV root CA
> certificate for the *COMODO Certification Authority* to the Mozilla root
> store, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587
>
> Note that this request specifically refers to the COMODO Certification
> Authority root CA certificate referenced in comment #16 to bug 401587:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16
>

The details at the "Pending" page have been updated by Frank concerning
this CA root. There are no objections to adding this root, but please
note that this root will only issue EV certificates * and should be
enabled for EV only, provided if and when we have that capability in
NSS. Perhaps we want to open a catch-all bug for such roots which are
added under this condition.

* Confirmed by Rob Stradling from Comodo.

Rob Stradling

Mar 19, 2008, 7:23:06 AM
to dev-tec...@lists.mozilla.org, Eddy Nigg (StartCom Ltd.), ro...@comodo.com, Frank Hecker
Eddy, it was certainly never my intention to lead you to conclude that the
COMODO Certification Authority root certificate "will only issue EV
certificates and should be enabled for EV only".

What I actually said was:
"I can assure you that Comodo never issue DV and EV certs from the same
*Intermediate* CA".
I did not mention Root CAs in this statement.
On reflection, it occurs to me that "Intermediate" and "Root" are perhaps not
the best words to use, since the now widespread use of cross-certification
blurs the distinction somewhat. Perhaps the following statement is clearer:
I can assure you that Comodo never issue End-Entity DV and EV certs from the
same Issuing CA.

In the same message, I also said "...we really need to have generic (rather
than purpose-specific) trust anchors".

So, please change the details on the "Pending" page back to how they were. As
per Bug #401587 Comment #0, we still really do want the COMODO Certification
Authority to be enabled for "All 3" purposes: DV, IV/OV and EV.

Now, Frank has said "At present there are two subordinate CAs under
the "COMODO Certification Authority" root: "COMODO EV SSL CA" and "COMODO EV
SGC CA". These two subordinates are the issuing CAs for end entity certs."

This statement is correct, as long as you don't interpret "...there are
two..." as "...there are only two and will only ever be two...".

As it happens, we also have a further subordinate CA under COMODO
Certification Authority, which we already use for issuing one of our brands
of DV certificate. We also have plans to issue an IV/OV subordinate at some
point. As before, I'll defer to Robin Alden to answer any CPS-related
questions you may have about this. I apologize on behalf of Comodo if we
have inadvertently omitted to draw your attention to some of this information
sooner.

I spoke to Robin Alden earlier today. He hopes to be able to reply to at
least some of your questions today.

On Tuesday 18 March 2008, Eddy Nigg (StartCom Ltd.) wrote:
> Frank Hecker:
> > Comodo has applied to (among other things) add a new EV root CA
> > certificate for the *COMODO Certification Authority* to the Mozilla root
> > store, as documented in the following bug:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=401587
> >
> > Note that this request specifically refers to the COMODO Certification
> > Authority root CA certificate referenced in comment #16 to bug 401587:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c16
>
> The details at the "Pending" page have been updated by Frank concerning
> this CA root. There are no objections to adding this root, but please
> note that this root will only issue EV certificates * and should be
> enabled for EV only, provided if and when we have that capability in
> NSS. Perhaps we want to open a catch-all bug for such roots which are
> added under this condition.
>
> * Confirmed by Rob Stradling from Comodo.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ


Frank Hecker

Mar 19, 2008, 8:56:05 AM
Rob Stradling wrote:
> So, please change the details on the "Pending" page back to how they were. As
> per Bug #401587 Comment #0, we still really do want the COMODO Certification
> Authority to be enabled for "All 3" purposes: DV, IV/OV and EV.

I've changed the pending list entry for COMODO Certification Authority
back. Note that from a technical perspective (i.e., in terms of the NSS
"trust bits") this makes no difference. As I've noted earlier, we have
no technical means to permit the use of EV certs but not DV or IV/OV roots.

> As it happens, we also have a further subordinate CA under COMODO
> Certification Authority, which we already use for issuing one of our brands
> of DV certificate.

Could you identify the subordinate CA in question and the Comodo brand
it's being used in conjunction with? This is information I'd like to add
the pending list entry.
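
Frank's point above, that an NSS trust bit admits a root for a purpose (SSL server, e-mail, code signing) and cannot say "EV only", can be illustrated with a small model. This is an added example, not NSS or PSM code: the trust store, the chains, the DV sub-CA name and the EV policy OID are constructed placeholders, and the EV check being a separate root-to-policy-OID table layered over path validation is an assumption about how the browser handles EV.

```python
"""Toy model: NSS trust bits vs. a separate EV decision (added example, not NSS/PSM code).
Roots carry per-purpose trust bits; EV is decided afterwards from the leaf's
certificate-policy OID matched against a root -> EV-OID table (assumed here)."""
from dataclasses import dataclass

# Constructed placeholder OID; the real Comodo EV policy OID is not on the page.
EV_OID = "1.3.6.1.4.1.EXAMPLE.1.1"

@dataclass
class Cert:
    subject: str
    issuer: str
    policies: tuple = ()      # certificate-policy OIDs carried by the cert

@dataclass
class TrustAnchor:
    name: str
    trust_bits: set           # subset of {"SSL", "EMAIL", "CODE"}
    ev_policy_oid: str = ""   # empty: root is not in the EV table

ROOT = TrustAnchor("COMODO Certification Authority", {"SSL"}, EV_OID)
STORE = {ROOT.name: ROOT}

def chain_to_root(chain):
    """Walk leaf -> intermediates by issuer name; return the trust anchor or None."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return None
    return STORE.get(chain[-1].issuer)

def validate_ssl(chain):
    """NSS-style answer: the root's SSL trust bit admits every chain under it."""
    anchor = chain_to_root(chain)
    return anchor is not None and "SSL" in anchor.trust_bits

def is_ev(chain):
    """Browser-side EV answer: needs a valid chain AND the root's EV OID in the leaf."""
    anchor = chain_to_root(chain)
    return bool(validate_ssl(chain) and anchor.ev_policy_oid
                and anchor.ev_policy_oid in chain[0].policies)

# Constructed chains: an EV leaf and a DV leaf under the same root.
EV_CHAIN = [Cert("www.example.test", "COMODO EV SSL CA", (EV_OID,)),
            Cert("COMODO EV SSL CA", ROOT.name)]
DV_CHAIN = [Cert("dv.example.test", "Placeholder DV sub-CA"),
            Cert("Placeholder DV sub-CA", ROOT.name)]
```

Both chains pass `validate_ssl` because the trust bit is set on the root, which is exactly why "enabled for EV only" has no expression at the NSS level; only `is_ev` separates them.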

Eddy Nigg (StartCom Ltd.)

Mar 19, 2008, 9:31:48 AM
to Rob Stradling, ro...@comodo.com, Frank Hecker, dev-tec...@lists.mozilla.org
Rob Stradling:

> Now, Frank has said "At present there are two subordinate CAs under
> the "COMODO Certification Authority" root: "COMODO EV SSL CA" and "COMODO EV
> SGC CA". These two subordinates are the issuing CAs for end entity certs."
>
The naming convention suggests that these intermediate CAs will issue
(only) EV certificates. I'm sorry that I misunderstood that.

> This statement is correct, as long as you don't interpret "...there are
> two..." as "...there are only two and will only ever be two...".
>
> As it happens, we also have a further subordinate CA under COMODO
> Certification Authority, which we already use for issuing one of our brands
> of DV certificate.
Are you issuing DV certificates from the intermediate CA certificates
mentioned above? Or are there other intermediate CA certificates
operating under this root besides the two mentioned above?

>
> I spoke to Robin Alden earlier today. He hopes to be able to reply to at
> least some of your questions today.
Great, looking forward to that. Thanks!

Rob Stradling

Mar 19, 2008, 9:38:30 AM
to Eddy Nigg (StartCom Ltd.), ro...@comodo.com, Frank Hecker, dev-tec...@lists.mozilla.org
On Wednesday 19 March 2008, Eddy Nigg (StartCom Ltd.) wrote:
> Rob Stradling:
> > Now, Frank has said "At present there are two subordinate CAs under
> > the "COMODO Certification Authority" root: "COMODO EV SSL CA" and "COMODO
> > EV SGC CA". These two subordinates are the issuing CAs for end entity
> > certs."
>
> The naming convention suggest that these intermediate CAs will issue
> (only) EV certificates. I'm sorry that I misunderstood that.

Sorry, I fear I've confused you even further.

Those two intermediate CAs will issue only EV Certificates. The naming
convention is correct to imply that this is the case.

> > This statement is correct, as long as you don't interpret "...there are
> > two..." as "...there are only two and will only ever be two...".
> >
> > As it happens, we also have a further subordinate CA under COMODO
> > Certification Authority, which we already use for issuing one of our
> > brands of DV certificate.
>
> Are you issuing DV certificates from the intermediate CA certificates
> mentioned above?

No. Absolutely not.

> Or are there other intermediate CA certificates
> operating under this root besides the two mentioned above?

Yes. To repeat what I said...

"As it happens, we also have a further subordinate CA under COMODO
Certification Authority, which we already use for issuing one of our brands
of DV certificate. We also have plans to issue an IV/OV subordinate at some
point. As before, I'll defer to Robin Alden to answer any CPS-related
questions you may have about this. I apologize on behalf of Comodo if we
have inadvertently omitted to draw your attention to some of this information
sooner."

> > I spoke to Robin Alden earlier today. He hopes to be able to reply to at
> > least some of your questions today.
>
> Great, looking forward to that. Thanks!


Frank Hecker

Apr 2, 2008, 5:58:25 PM
Frank Hecker wrote:
> Comodo has applied to (among other things) add a new EV root CA
> certificate for the COMODO Certification Authority to the Mozilla root
> store, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587
<snip>

> I have evaluated this request, as per the mozilla.org CA certificate
> policy:
>
> http://www.mozilla.org/projects/security/certs/policy/
>
> and plan to officially approve the request after a public comment period.

The public comment period ended last week, but we had some additional
discussions around various Comodo-related issues, most notably the
wildcard DV cert issue and the long-lived DV cert issue. Although I
acknowledge that there were/are valid concerns associated with those
issues, in the end I made a judgment call that they didn't rise to a
level that would justify my rejecting Comodo's request or delaying
approval. I've therefore given my final approval to this request and
filed bugs 426568 and 426572 against NSS and PSM respectively:

https://bugzilla.mozilla.org/show_bug.cgi?id=426568
https://bugzilla.mozilla.org/show_bug.cgi?id=426572
