Re: Issue 69557 in chromium: Add Baltimore CyberTrust Root to EV trust list

chro...@googlecode.com

Jan 14, 2011, 1:14:20 AM
to chromi...@chromium.org
Updates:
Cc: w...@chromium.org
Labels: -Area-Undefined Area-Internals Internals-Network

Comment #1 on issue 69557 by van...@chromium.org: Add Baltimore CyberTrust
Root to EV trust list
http://code.google.com/p/chromium/issues/detail?id=69557

(No comment was entered for this change.)

chro...@googlecode.com

Jan 14, 2011, 9:08:04 PM
to chromi...@chromium.org
Updates:
Status: Assigned
Owner: i...@chromium.org
Labels: Mstone-11

Comment #2 on issue 69557 by w...@chromium.org: Add Baltimore CyberTrust

Ian, could you review this EV root CA application? Thanks.

chro...@googlecode.com

May 23, 2012, 2:27:50 PM
to chromi...@chromium.org
Updates:
Labels: -MovedFrom-12 -MovedFrom-13 -MovedFrom-14 -MovedFrom15 -bukmove
-MovedFrom-16 -MovedFrom-17 -MovedFrom18 -MovedFrom-19 -MovedFrom-20

Comment #15 on issue 69557 by rsl...@chromium.org: Add Baltimore
Confirmed that the above WebTrust CA Audit covers the "Baltimore Cybertrust
Root" in addition to the previously accepted "GTE Cybertrust Global Root
CA" and "Cybertrust Global Root CA". Likewise, the EV audit covers the
previously accepted root "Cybertrust Extended Validation Certificate
Services".

However, this audit was completed September 3, 2010, and is the most recent
from https://cybertrust.omniroot.com/repository/ .

Similar to other root and EV programs requiring annual audits, I don't see
any links to more recent audits. Based on the timeframe the audit covered
(May 1, 2009 to April 30, 2010), it would seem that there would/should be a
more recent audit.

Steve, do you happen to have any recent documents regarding your WebTrust
audits?

Additionally, could you also provide copies of both the root certificate
and the EV CA certificate to this bug? Additionally, can you attach both
the OCSP and CRL profiles, as documented in Section 7 of the CPS v5.4, so
that we can confirm technical compatibility?

chro...@googlecode.com

May 25, 2012, 1:39:09 PM
to chromi...@chromium.org

Comment #16 on issue 69557 by steve.me...@gmail.com: Add Baltimore
Our audit links and seal images at the /repository will be updated in the
next few business days; they were queued in an application software release
when it was noted that they were outdated. Our current seals are already
on display at verizon.com/ssl, and for reference they are:

WT/CA: https://cert.webtrust.org/ViewSeal?id=1285
WT/CA EV: https://cert.webtrust.org/ViewSeal?id=1286

The Baltimore CyberTrust Root is located at:

http://cacert.omniroot.com/bc2025.crt
http://cacert.omniroot.com/bc2025.pem

We have multiple, frequently changing, and frequently expanding
intermediate issuing CAs. The primary chain requires:

Baltimore root (above)
Baltimore to CT cross certificate:
http://cacert.omniroot.com/CybertrustGlobalRoot_rs.crt
Issuer: http://cacert.omniroot.com/PublicSureServerSV.crt
(http://cacert.omniroot.com/PublicSureServerSV.pem)

That issuer's CRL is located at:
http://crl.omniroot.com/PublicSureServerEV.crl

We do not operate an OCSP responder for our EV SSL server certificates at
this time. We are anticipating adoption of OCSP stapling that would lead
to predictable infrastructure loads similar to hosting CRL DPs.

chro...@googlecode.com

Apr 26, 2013, 11:21:25 PM
to chromi...@chromium.org
Updates:
Owner: rsl...@chromium.org
Labels: -Pri-2 -Cr-Internals -Cr-Internals-Network Pri-3

Comment #18 on issue 69557 by rsl...@chromium.org: Add Baltimore
(No comment was entered for this change.)

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

chro...@googlecode.com

Jun 9, 2014, 8:38:15 AM
to chromi...@chromium.org

Comment #19 on issue 69557 by igor.ani...@gmail.com: Add Baltimore
Just FYI everyone, it's June 2014. The request was submitted Jan 13, 2011.
We the end users NEED this!

chro...@googlecode.com

Jul 10, 2014, 7:11:55 PM
to chromi...@chromium.org

Comment #20 on issue 69557 by rsl...@chromium.org: Add Baltimore
More follow-up questions:

- Again, the /repository is out of date with respect to the most recent
audits. It still links to seals 1457/1458, although the current seals are
1635 and 1637
- The CPS details a policy v5.5, except the previous version linked in
/repository is 5.4
- Your CPS states that the "GTE CyberTrust Global Root" only applies to
this CPS until Dec 31, 2013. If so, we may consider removing EV enablement
in a future release for this root - please clarify.
- You have a typo in Section 1.6.7.2 of CPS 5.6 ("this is still valid"
should be "that is still valid")
- In Section 1.10.2.2, the set of controls over Enterprise RAs is
described as contractual controls, rather than technical controls. Can you
please confirm that technical controls are in place to prevent the
(un-audited) Enterprise RA from performing RA-relevant duties outside the
scope of authority, as validated by the (audited) Cybertrust infrastructure?

Further confirmations:
Can you confirm this is a request to enable the "Baltimore CyberTrust
Root", fingerprint
D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74 , for EV
Policy "1.3.6.1.4.1.6334.1.100.1", documented as the "SureServer EV" policy
in Section 7.1 of CP 2.5?

From comment #15
- My request was for a sample site that demonstrates such a chain, and
which will continue to, for ongoing testing.
- The CRL and OCSP profile, listed as "independent technical document" in
Section 7.2/7.3 of CPS 5.6, is still outstanding as a request.
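
Added example, not part of the thread and not Chromium's code: comment #20 pairs a root fingerprint with an EV policy OID, and this Python code checks such a pairing by computing the SHA-1 fingerprint in the thread's colon format and decoding the policy OIDs from a DER certificatePolicies value. The root bytes and both policy values are constructed samples, the names `is_ev`, `policy_oids` and the `ev_roots` table layout are hypothetical, and path building and revocation checking are assumed to happen elsewhere.

```python
import hashlib

EV_OID = "1.3.6.1.4.1.6334.1.100.1"   # SureServer EV policy OID quoted in comment #20

def fingerprint(der: bytes) -> str:   # SHA-1 over the DER bytes, colon-separated hex
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def read_tlv(buf: bytes, pos: int):   # returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last byte of this sub-identifier
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)     # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def policy_oids(ext_value: bytes) -> list:
    # certificatePolicies value is a SEQUENCE OF PolicyInformation { OID, ... }
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids

def is_ev(root_der: bytes, leaf_policies: bytes, ev_roots: dict) -> bool:
    # EV only if the root's fingerprint is listed AND the leaf asserts a listed policy
    allowed = ev_roots.get(fingerprint(root_der), set())
    return any(oid in allowed for oid in policy_oids(leaf_policies))

# Constructed inputs: stand-in root bytes (not a real certificate) and two policy values.
SAMPLE_ROOT = b"constructed stand-in for a root certificate's DER bytes"
EV_POLICIES = bytes.fromhex("300e300c060a2b06010401b13e016401")   # asserts EV_OID
ANY_POLICY = bytes.fromhex("300830060604551d2000")                # asserts 2.5.29.32.0
```

A table keyed by the fingerprint from comment #20 will not match `SAMPLE_ROOT`; to test against the real root, pass the DER bytes of the certificate the CA published.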

chro...@googlecode.com

Jul 10, 2014, 9:00:29 PM
to chromi...@chromium.org

Comment #23 on issue 69557 by rsl...@chromium.org: Add Baltimore
Oh, and finally,

- Please confirm you're aware of the plans for Certificate Transparency (
http://dev.chromium.org/Home/chromium-security/certificate-transparency ).
Discussions about the policies related to CT - including log operation and
the expectations upon CAs recognized as EV within Chrome - can be found on
the list linked to from that page.

chro...@googlecode.com

Jan 28, 2015, 8:07:03 PM
to chromi...@chromium.org

Comment #25 on issue 69557 by bugdro...@chromium.org: Add Baltimore
CyberTrust Root to EV trust list
https://code.google.com/p/chromium/issues/detail?id=69557#c25

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/95c6d684b9d11941c990b64eec6f5131316bb44d

commit 95c6d684b9d11941c990b64eec6f5131316bb44d
Author: Ryan Sleevi <rsl...@chromium.org>
Date: Thu Jan 29 00:40:01 2015

Update EV root metadata for a new batch of CAs

BUG=69557, 147116, 156816, 371734, 436102, 439948, 444504
TEST=Test each of the URLs listed in the diff (Linux or Windows) and ensure
EV status is granted.
R=davi...@chromium.org

Review URL: https://codereview.chromium.org/879183002

Cr-Commit-Position: refs/heads/master@{#313641}

[modify]
http://crrev.com/95c6d684b9d11941c990b64eec6f5131316bb44d/net/cert/ev_root_ca_metadata.cc

chro...@googlecode.com

Jan 28, 2015, 8:34:06 PM
to chromi...@chromium.org
Updates:
Status: Verified
Labels: M-42

Comment #26 on issue 69557 by rsl...@chromium.org: Add Baltimore
CyberTrust Root to EV trust list
https://code.google.com/p/chromium/issues/detail?id=69557

(No comment was entered for this change.)