Wells Fargo CA inclusion/EV request


Frank Hecker
Jul 17, 2008, 5:52:35 PM
I am now opening the first public discussion period for a request from
Wells Fargo to add the WellsSecure Public Root Certificate Authority
root certificate to Mozilla and enable it for EV use. This is bug
428390, and Kathleen has produced an information document attached to
the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=428390

There's a summary of the information also available at

http://www.mozilla.org/projects/security/certs/pending/#Wells%20Fargo

Some points worth mentioning about this request:

* This is a new root (though note that Wells Fargo has an older root
already in Mozilla). Initially it will have a subordinate CA used for
issuing EV SSL certs, but as I understand it Wells Fargo will
potentially use the hierarchy under this root for other types of certs
(both EV and non-EV).

* The "flag problematic practices" section at the end of the info
document has the sentence fragment "Issuing end entity certs directly
from root rather than using an offline root and issuing certs through a
subordinate CA". That's just the reference to checking for the practice.
Kathleen forgot to add "(no)" or "(not an issue)" afterwards; Wells
Fargo issues end entity certs through subordinate CAs.

* The same comment as in the previous item applies to the "Long-Lived
Domain-Validated SSL certs" items; to my knowledge Wells Fargo does not
issue long-lived DV certs.

This first public comment period will be for one week, and then I'll
make a preliminary determination regarding this request.

Frank
--
Frank Hecker
hec...@mozillafoundation.org

Eddy Nigg
Jul 21, 2008, 7:09:00 PM
Frank Hecker:

Frank, I'd like to know (again) what our policy is in regard to EV
audit requirements. As I understand from the bug report, Wells Fargo
didn't actually absolve the EV audit, but some EV readiness audit. I
think we are past the time where we'd accept such audits?


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org

Frank Hecker
Jul 24, 2008, 2:18:21 PM
Eddy Nigg wrote:
> Frank, I'd like to know (again) what our policy is in regard to EV
> audit requirements. As I understand from the bug report, Wells Fargo
> didn't actually absolve the EV audit, but some EV readiness audit. I
> think we are past the time where we'd accept such audits?

A quick answer, I can research more later...

We had a discussion about EV audits against the draft EV guidelines, and
decided we would stop accepting such audits after a certain date (June
30, 2008?).

But I think EV readiness audits are a different issue. IIRC readiness
audits are done when a CA has implemented the infrastructure for EV but
has not yet accumulated a significant operational history of EV
issuance. So any CA that is new to EV will likely do a readiness audit
first.

IIRC this was true of some other CAs we've dealt with -- they started
out with readiness audits, started issuing EV certs, and then by the
time we were able to consider their requests in some cases they were
still covered by the readiness audit and in other cases had advanced to
a regular audit.

Bruce
Jul 25, 2008, 8:47:37 AM

Not my issue, but I would like to add some clarification. It's a
chicken or the egg problem. A CA cannot start issuing EV certificates
without first passing an EV Pre-Issuance Readiness Audit (see 35a of
the Guidelines). On the other hand, a CA cannot have a WebTrust Audit
for EV until they have been in operation for a minimum of two months.
The pre-issuance readiness audit was put in place to bootstrap the
process.

From the Mozilla point of view, you might not be running into this
issue with very many CAs. Most EV CAs had their pre-issuance readiness
audit completed at the end of 2006 in order to be included in
Microsoft Vista/IE7 releases of Jan 2007. The subsequent WebTrust for
EV audits were completed later in 2007 at the time of their annual
WebTrust for CA audits. As Mozilla was just considering CAs for EV
status in 2008, most EV CAs would already have had a WebTrust for EV
audit report in hand.

Hope this helps.

Regards, Bruce.

Eddy Nigg
Jul 25, 2008, 3:15:13 PM
Bruce:

> Not my issue, but I would like to add some clarification. It's a
> chicken or the egg problem. A CA cannot start issuing EV certificates
> without first passing an EV Pre-Issuance Readiness Audit (see 35a of
> the Guidelines). On the other hand, a CA cannot have a WebTrust Audit
> for EV until they have been in operation for a minimum of two months.
> The pre-issuance readiness audit was put in place to bootstrap the
> process.

Yes, apparently you are right and I have to check a few things on my
side I think ;-)

This closes the issue I've raised!

Frank Hecker
Jul 25, 2008, 5:00:35 PM
Bruce wrote:
> Not my issue, but I would like to add some clarification. It's a
> chicken or the egg problem. A CA cannot start issuing EV certificates
> without first passing an EV Pre-Issuance Readiness Audit (see 35a of
> the Guidelines). On the other hand, a CA cannot have a WebTrust Audit
> for EV until they have been in operation for a minimum of two months.
> The pre-issuance readiness audit was put in place to bootstrap the
> process.

Bruce, thanks much for the info. This confirms what I thought.

Frank Hecker
Jul 30, 2008, 9:41:41 AM
Frank Hecker wrote:
> I am now opening the first public discussion period for a request from
> Wells Fargo to add the WellsSecure Public Root Certificate Authority
> root certificate to Mozilla and enable it for EV use. This is bug
> 428390, and Kathleen has produced an information document attached to
> the bug.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=428390
>
> There's a summary of the information also available at
>
> http://www.mozilla.org/projects/security/certs/pending/#Wells%20Fargo

The first comment period has closed, and I've made a preliminary
decision to approve this request, per comment #13 in bug 428390. The
second public comment period now begins, after which I'll make a final
decision.

Frank Hecker
Aug 6, 2008, 10:15:34 AM

The second comment period is now over. Based on my evaluation and the
comments received thus far, I am officially approving this request to
add the WellsSecure Public Root Certificate Authority root certificate
to NSS and to enable it in PSM for EV use.

I have filed bug 449393 against NSS and bug 449394 against PSM for the
actual changes:

https://bugzilla.mozilla.org/show_bug.cgi?id=449393
https://bugzilla.mozilla.org/show_bug.cgi?id=449394
