Request to enable EV for VeriSign Class 3 G4 ECC root
This request by Symantec is to enable EV treatment for the "VeriSign Class 3 Public Primary Certification Authority - G4" root certificate that was included via bug #409235, and has all three trust bits enabled.
Symantec is a major commercial CA with worldwide operations and customer base.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=833974
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8734043
Noteworthy points:
* The primary documents are the CP and CPS, which are provided in English.
Document Repository:
https://www.symantec.com/about/profile/policies/repository.jsp
CP:
https://www.symantec.com/content/en/us/about/media/repository/stn-cp.pdf
CPS:
https://www.symantec.com/content/en/us/about/media/repository/stn-cps.pdf
* CA Hierarchy: This root signs internally-operated SubCAs which issue OV and EV SSL certificates, as well as Code Signing certificates. S/MIME certs may also be issued in this CA hierarchy.
* This request is to enable EV treatment. All three trust bits are already enabled for this root certificate.
* CPS sections 3.1.1.1, 3.2.2.1, 4.1.2.2, 4.3.3, 4.9.1.1, 4.9.3.2: EV SSL Certificates, EV Code Signing, and domain-validated and organization-validated SSL Certificates conform to the CA / Browser Forum requirements as set forth in the STN Supplemental Procedures, Appendix B1, Appendix C and Appendix D, respectively.
* Appendix B1 and Appendix D just say: The current version of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates can be accessed at
https://cabforum.org/baseline-requirements-documents/
* CPS section 3.2.2: At a minimum Symantec shall:
- Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,
- Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.
Where a domain name or e-mail address is included in the certificate Symantec authenticates the Organization's right to use that domain name either as a fully qualified Domain name or an e-mail domain. For Organization Validated (OV) and Extended Validation (EV) Certificates domain validation is completed in all cases along with Organizational validation.
...
Extended Validation (EV) Certificates: Symantec's procedures for issuing EV SSL Certificates are described in Appendix B1 to this CPS.
* CPS section 3.2.2.3: Symantec uses the following methods of vetting a domain name, with option 1 being the primary method:
1. Confirm the Applicant as the Domain Name Registrant directly with the Domain Name Registrar by performing a whois look up.
2. Communicate directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;
3. Rely upon a Domain Authorization Document;
4. Communicate directly with the Domain Name Registrant using the contact information listed in the WHOIS record's "registrant", "technical", or "administrative" field;
5. Communicate with the Domain's administrator using an email address created by pre-pending 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' in the local part, followed by the at-sign ("@"), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN.
* Email certs can be issued for Class 1, 2, and 3 verification levels, for both individuals and organizations.
The absolute minimum verification is for Class 1 individual.
STN-CPS section 3.2.3
Class 1: No identity authentication. Email address validation - Limited confirmation that the certificate subscriber has access to the email address.
Symantec performs a challenge-response type of procedure in which Symantec sends email to the email address to be included in the certificate, containing unpredictable information such as a randomly generated PIN/Password unique to the owner of the email address. The owner of the email address (the subscriber of the certificate) demonstrates control over the email address by using the information within the email, to then proceed with accessing a portal with the unique information sent in the email, to download and install the certificate.
Class 2: Authenticate identity by:
- Manual check performed by the enterprise administrator customer for each subscriber requesting a certificate, "in which the subscriber receives the certificate via an email sent to the address provided during enrollment" or
- Passcode-based authentication where a randomly-generated passcode is delivered out-of-band by the enterprise administrator customer to the subscriber entitled to enroll for the certificate, and the subscriber provides this passcode at enrollment time or
- Comparing information provided by the subscriber to information contained in business records or databases (customer directories such as Active Directory or LDAP).
Class 3: For Class 3 Organizational Email certificates, Symantec verifies that the subscriber owns the base domain using methods 1 or 3 from Section 3.2.2.4, and allows the subscriber to put in the certificate any email address from that verified domain.
EV Policy OIDs: (2 requested)
2.16.840.1.113733.1.7.23.6
2.23.140.1.1
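A browser grants EV treatment only when the end-entity certificate's certificatePolicies extension asserts one of the OIDs enabled for the root. The following is an added example (not code from this discussion or from Symantec) that DER-encodes the two OIDs above and checks a constructed certificatePolicies value for them; the function names, the short-form-length-only parser and the constructed sample values are assumptions for illustration.

```python
# Added example (not the discussion's or Symantec's code): DER-encode X.509 policy
# OIDs and check a certificatePolicies extension value for one of the EV OIDs.
# The two EV policy OIDs named in the request (Symantec's own and the CA/B Forum one).
EV_POLICY_OIDS = ("2.16.840.1.113733.1.7.23.6", "2.23.140.1.1")

def _base128(n):
    # One OID arc as big-endian base 128; continuation bit set on all but the last octet.
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    # Full OBJECT IDENTIFIER TLV (tag 0x06); the first octet packs the first two arcs.
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return bytes([0x06, len(body)]) + body  # short-form length: OIDs are < 128 bytes

def _read_tlv(buf, pos):
    # One short-form DER TLV at pos -> (tag, content octets, position after it).
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def build_certificate_policies(oids):
    # Constructed extension value: SEQUENCE OF PolicyInformation { policyIdentifier OID }.
    infos = b"".join(bytes([0x30, len(t)]) + t for t in map(encode_oid, oids))
    return bytes([0x30, len(infos)]) + infos

def policy_identifiers(ext_value):
    # The policyIdentifier TLV of every PolicyInformation in the extension value.
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        otag, body, _ = _read_tlv(info, 0)
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        found.append(bytes([otag, len(body)]) + body)
    return found

def has_ev_policy(ext_value):
    # True if the extension asserts either EV OID; compared in DER, not as text.
    ev = {encode_oid(o) for o in EV_POLICY_OIDS}
    return any(p in ev for p in policy_identifiers(ext_value))
```

Real extension values may also carry policy qualifiers (CPS URIs) after the policyIdentifier; this parser reads only the first element of each PolicyInformation, so qualifiers are ignored rather than rejected.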
* Test Website:
https://ssltest35.ssl.symclab.com/
* CRL URLs:
http://crl.ws.symantec.com/pca3-g4.crl
http://EV256SecureECC-crl.ws.symantec.com/EV256SecureECC.crl
* OCSP URL(s):
http://ocsp.ws.symantec.com
http://EV256SecureECC-ocsp.ws.symantec.com
* Audit: Annual audits are performed by KPMG, according to the WebTrust criteria.
Standard Audit:
https://cert.webtrust.org/SealFile?seal=1565&file=pdf
BR Audit:
https://cert.webtrust.org/SealFile?seal=1565&file=pdf
EV Audit:
https://cert.webtrust.org/SealFile?seal=1565&file=pdf
* Potentially Problematic Practices: (http://wiki.mozilla.org/CA:Problematic_Practices)
** Delegation of Domain / Email validation to third parties - CPS section 1.3.2: Third parties, who enter into a contractual relationship with Symantec, may operate their own RA and authorize the issuance of certificates by a STN CA. Third party RAs must abide by all the requirements of the STN CP, the STN CPS and the terms of their enterprise services agreement with Symantec. RAs may, however, implement more restrictive practices based on their internal requirements.
RAs who perform domain validation functions are covered as part of Symantec's WebTrust audits.
** Allowing external entities to operate subordinate CAs -- CPS section 1.3.1: Symantec enterprise customers may operate their own CAs as subordinate CAs to a public STN PCA. Such a customer enters into a contractual relationship with Symantec to abide by all the requirements of the STN CP and the STN CPS. These subordinate CAs may, however, implement more restrictive practices based on their internal requirements.
This begins the discussion of this request from Symantec to enable EV treatment for the "VeriSign Class 3 Public Primary Certification Authority - G4" root certificate. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.
Kathleen