This request is for inclusion of the Microsoft RSA Root Certificate
Authority 2017, Microsoft ECC Root Certificate Authority 2017, Microsoft EV
RSA Root Certificate Authority 2017, and Microsoft EV ECC Root Certificate
Authority 2017 trust anchors as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1448093
* BR Self Assessment is
https://bugzilla.mozilla.org/attachment.cgi?id=8989260
* Summary of Information Gathered and Verified:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000275
* Root Certificate Download URL:
https://www.microsoft.com/pkiops/docs/repository.htm
* CP/CPS:
** CP:
https://www.microsoft.com/pkiops/Docs/Content/policy/Microsoft_PKI_Services_CP_v3.1.2.pdf
** CPS:
https://www.microsoft.com/pkiops/Docs/Content/policy/Microsoft_PKI_Services_CPS_v3.1.3.pdf
* This request is to include the roots with the websites trust bit enabled,
and with EV treatment.
* Test Websites
** Valid:
https://actrsaevroot2017.pki.microsoft.com/,
https://actrsaroot2017.pki.microsoft.com/,
https://acteccevroot2017.pki.microsoft.com/,
https://acteccroot2017.pki.microsoft.com/
** Expired:
https://exprsaevroot2017.pki.microsoft.com/,
https://exprsaroot2017.pki.microsoft.com/,
https://expeccevroot2017.pki.microsoft.com/,
https://expeccroot2017.pki.microsoft.com/
** Revoked:
https://rvkrsaevroot2017.pki.microsoft.com/,
https://rvkrsaroot2017.pki.microsoft.com/,
https://rvkeccevroot2017.pki.microsoft.com/,
https://rvkeccroot2017.pki.microsoft.com/
* CRL URLs:
** ECC:
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl
** RSA:
http://www.microsoft.com/pkiops/crl/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crl
** EV ECC:
http://www.microsoft.com/pkiops/crl/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crl
** EV RSA:
http://www.microsoft.com/pkiops/crl/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crl
* OCSP URL:
http://ocsp.msocsp.com
* Audit: Annual audits are performed by BDO according to the WebTrust for
CA, BR, and EV audit criteria.
** WebTrust for CA:
https://bugzilla.mozilla.org/attachment.cgi?id=9083810
** BR:
https://bugzilla.mozilla.org/attachment.cgi?id=9083812
** EV:
https://bugzilla.mozilla.org/attachment.cgi?id=9083813
I’ve reviewed the CP, CPS, BR Self Assessment, and related information for
inclusion of the Microsoft roots that are being tracked in this bug and
have the following comments:
==Good==
* A root key generation ceremony audit report has been provided [1].
==Meh==
* CPS section 3.2.4 stated that OU is not verified, however, BR section
7.1.4.2.2(i) does place requirements on this field, and the CPS made it
unclear if these requirements are met. This was clarified in the latest
version of the CPS.
* CPS section 3.2.5 stated that Microsoft PKI Services shall verify
authority for all certificate requests, and that for Domain Validated
requests, this is done using one of the methods described in the BRs.
Section 3.2.5 of the BRs only describes validation of authority for OV
certificates using a reliable method of communication. This was clarified
in the latest version of the CPS.
* CPS section 6.1.5 indicated that P-512 keys may be used, which would
violate Mozilla policy. This was corrected in the latest version of the CPS.
* The content-type header in CRL responses is not set to
'application/pkix-crl' but to 'application/octet-stream' (RFC 5280, section
4.2.1.13). Microsoft explanation: the reason for the content-type being set
to octet-stream is that we use a content upload service at Microsoft that
hosts different types of content. All of the content in the service is
hosted in Azure’s BLOB storage and the content type by default is octet
stream. This has not been an issue because the browsers will resolve the
file type based on the extension in the file name. It should also be noted
that the RFC 5280 shows SHOULD rather than MUST.
==Bad==
* It had been more than a year since the CP was updated when I reviewed
this request. CPS and BR section 2 require annual updates. The CP was
updated on 5-August.
* CP/CPS section 1.5.2 did not meet the BR 4.9.3 requirement to provide
clear problem reporting instructions. This was corrected in the latest
versions of the CP and CPS.
* A number of unrevoked certificates chaining to the Microsoft RSA Root
Certificate Authority 2017 have recently been issued with BR violations [2]
This begins the 3-week comment period for this request [3].
I will greatly appreciate your thoughtful and constructive feedback on the
acceptance of these roots into the Mozilla CA program.
- Wayne
[1]
https://bug1448093.bmoattachments.org/attachment.cgi?id=8986854
[2]
https://crt.sh/?caid=109424&opt=cablint,zlint,x509lint&minNotBefore=2019-05-01
[3]
https://wiki.mozilla.org/CA/Application_Process