Bug 403915: Add Network Solutions EV root cert
Status: RESOLVED FIXED (opened 17 years ago, closed 16 years ago)
Category: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
People: Reporter: cbuckley, Assigned: hecker
Whiteboard: EV - inclusion approved
Attachments: 9 files (application/pdf, all deleted)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)
Build Identifier: Other
CA Details
----------
CA Name: Network Solutions, LLC
Website: www.networksolutions.com
One Paragraph Summary of CA, including the following:
- General nature (e.g., commercial, government, academic/research, nonprofit)
- Primary geographical area(s) served
- Number and type of subordinate CAs
Network Solutions, LLC is a commercial CA based in the United States of America offering SSL Certificates to customers around the world. Currently, Network Solutions has no subordinate CAs.
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: KPMG
Auditor Website: www.kpmg.com
Audit Document URL(s): https://cert.webtrust.org/SealFile?seal=601&file=pdf
Certificate Details
-------------------
(To be completed once for each certificate)
Certificate Name: Network Solutions Certificate Authority
Summary Paragraph, including the following:
- End entity certificate issuance policy
This is the Network Solutions EV Root Certificate. The end entity certificate issuance policy is available at: https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Certificate URL (on CA website): http://customersupport.networksolutions.com/category.php?id=118
Version: V3
SHA1 Fingerprint: e2 34 2a ab 84 88 eb b0 88 90 1c c5 d1 11 65 be d9 e4 1d 1e
MD5 Fingerprint: D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
Modulus Length (a.k.a. "key length"): 2048 bits
Valid From (YYYY-MM-DD): Thursday, November 30, 2006 7:00:00 PM
Valid To (YYYY-MM-DD): Saturday, May 30, 2020 5:48:38 AM
CRL URL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
OCSP URL: NA
Class (domain-validated, identity-validated or EV): EV
EV OID: 1.3.6.1.4.1.782.1.2.1.8.1
Certificate Policy URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
CPS URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Requested Trust Indicators (email and/or SSL and/or code): All 3
URL of website using certificate chained to this root (if applying for SSL): https://www.networksolutions.com
Comment 1 • 17 years ago
moving to the right component
Assignee: nobody → hecker
Component: General → CA Certificates
Product: Firefox → mozilla.org
QA Contact: general → ca-certificates
Version: unspecified → other
Comment 2 (Assignee) • 17 years ago
I'm a bit confused: Is this a new root CA certificate not already included in Mozilla products, or is it an existing root CA certificate that you want enabled for EV use? The CRL URL led me to believe that it was one of the existing UTN UserFirst root certs, but the SHA-1 fingerprint doesn't match any of the UTN UserFirst certs in my copy of Firefox 2.0.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Updated • 17 years ago
Whiteboard: EV
Comment 3 (Reporter) • 17 years ago
I am revising the submission above for Network Solutions EV Root submission for inclusion in Firefox 3.0 after some errors in my application were brought to my attention. Please replace the information in the application above with that which is provided below:
Certificate Details
-------------------
(To be completed once for each certificate)
Certificate Name: Network Solutions Certificate Authority
Summary Paragraph, including the following:
- End entity certificate issuance policy
This is the Network Solutions EV Root Certificate. The end entity certificate
issuance policy is available at:
https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Certificate URL (on CA website):
http://www.netsolssl.com/NetworkSolutionsCertificateAuthority.crt
Version: V3
SHA1 Fingerprint: 74 f8 a3 c3 ef e7 b3 90 06 4b 83 90 3c 21 64 60 20 e5 df ce
MD5 Fingerprint: D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
Modulus Length (a.k.a. "key length"): 2048 bits
Valid From (YYYY-MM-DD): 01 December 2006 00:00:00 UTC
Valid To (YYYY-MM-DD): 31 December 2029 23:59:59 UTC
CRL URL: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
OCSP URL: NA
Class (domain-validated, identity-validated or EV): EV
EV OID: 1.3.6.1.4.1.782.1.2.1.8.1
Certificate Policy URL:
http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
CPS URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Requested Trust Indicators (email and/or SSL and/or code): All 3
URL of website using certificate chained to this root (if applying for SSL):
https://www.networksolutions.com
Comment 4 • 17 years ago
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
Comment 5 (Reporter) • 17 years ago
Here is an example SSL server using a cert issued from our EV root:
https://www.networksolutions.com
Comment 6 • 17 years ago
Making EV root cert requests have uniform summaries.
Summary: EV Root Submission for Network Solutions → Add Network Solutions EV root cert
Comment 7 (Reporter) • 17 years ago
Could you please verify that Network Solutions EV Root will be included in the Firefox 3.0 release. I am concerned that this bug fix does not seem to have progressed. Thank you.
Comment 8 (Reporter) • 17 years ago
I am looking at the Beta 3.0 current version and EV is not working for Network Solutions although it is working for other CA's. Could someone please contact me about this?
Severity: enhancement → critical
Comment 9 • 17 years ago
Charlie, if I understand correctly, Frank has not yet approved your request. That's why we have not yet started adding it technically.
Comment 10 (Reporter) • 17 years ago
I understand from conversations I was told about that Mozilla plans to launch 3.0 without the functioning EV Roots for Network Solutions, Entrust, and GlobalSign to name a few. According to NetCraft, Network Solutions is the third largest provider of EV Certs in the world. Combined with Entrust and GlobalSign, this group of three represent the second largest share of EV Certs in the world. Far larger than other CA's whose EV Roots appear to be included in 3.0 and functioning correctly (e.g., GoDaddy, DigiCert, etc.). The commercial impact of this exclusion will be far reaching as it will harm not only the businesses of these CA's but also extend to each of our hundreds of high-end EV Cert customers who expect their sites to receive the green bar upon release of 3.0. Mozilla must either include all submitted EV Roots in 3.0 or delay the introduction of EV functionality for all CA's until such time as a 3.0 update can include all submitted EV Roots. This issue has the full attention of my Executive Board so your prompt attention to this matter will be greatly appreciated. Thank you.
Comment 11 • 17 years ago
Changing the "severity" of root CA bugs to something other than "enhancement" causes them to disappear from the radar, so I'm changing this back to enhancement.
Severity: critical → enhancement
Comment 12 (Assignee) • 17 years ago
OK, I'm actively working on this request, and I have some open questions. First, the URL
http://www.netsolssl.com/NetworkSolutionsCertificateAuthority.crt
doesn't work for me; it just redirects to a Network Solutions login page, and I don't have a Network Solutions SSL account. Is there an alternate URL that doesn't require authentication? Or, could you just attach the certificate as an attachment to this bug, or send a copy to me via email?
Second, in looking at <https://www.networksolutions.com/> using Firefox 3 I see a cert chain as follows:
AddTrust External CA Root -> UTN-USERFirst-Hardware -> Network Solutions Certificate Authority -> Network Solutions EV SSL CA -> www.networksolutions.com
From the comments above, it appears that "Network Solutions Certificate Authority" is the root that you wish to have marked for EV, and (unless I'm missing something) that root is not currently included in Mozilla. So the request at present is to 1) include the Network Solutions Certificate Authority root, and 2) mark it for EV use.
Is that correct? Or, is it the Network Solutions EV SSL CA that you want to have a root cert added for? (This would be consistent with the approach taken by other CAs who created new EV-specific roots.)
Comment 13 (Assignee) • 17 years ago
Per email from Network Solutions, the request is indeed to add the Network Solutions Certificate Authority root and mark it for EV. The correct (publicly-accessible) URL for the Network Solutions Certificate is
ftp://ftp.networksolutions.com/certs/netsolevroot.crt
with SHA-1 fingerprint of:
74 F8 A3 C3 EF E7 B3 90 06 4B 83 90 3C 21 64 60 20 E5 DF CE
Comment 14 (Assignee) • 17 years ago
(In reply to comment #13)
> Per email from Network Solutions, the request is indeed to add the Network
> Solutions Certificate Authority root and mark it for EV. The correct
> (publicly-accessible) URL for the Network Solutions Certificate is
That should of course be "the Network Solutions Certificate Authority root CA certificate is"
Comment 15 (Reporter) • 17 years ago
That is correct. To confirm, you are able to download all NetSol Roots publicly from this address: http://customersupport.networksolutions.com/article.php?id=940.
And we are specifically requesting that we would like to submit 1) the Network Solutions Certificate Authority root, and 2) mark it for EV use in Firefox 3.0.
Comment 16 (Assignee) • 17 years ago
Another question, relating to the applicable WebTrust documents: Above you referenced
https://cert.webtrust.org/SealFile?seal=601&file=pdf
as the WebTrust audit document. Based on my investigation it appears that the relevant documents are instead
https://cert.webtrust.org/SealFile?seal=705&file=pdf
(which appears to be more recent than the document you referenced) and
http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf
(which is the WebTrust EV report).
Is this correct?
Comment 17 (Reporter) • 17 years ago
To confirm, these are the latest WebTrust documents for Network Solutions:
https://cert.webtrust.org/SealFile?seal=705&file=pdf
http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf
Comment 18 (Assignee) • 17 years ago
I have added an entry for Network Solutions to the pending list; it should show up in an hour or so at
http://www.mozilla.org/projects/security/certs/pending/
Please check the information in the entry and confirm that it is complete and correct.
Also, I have one further question, mainly for informational purposes: I presume that non-EV certificates (e.g., SiteSafe Basic, Pro, and Wildcard certs) are issued under the hierarchy rooted at the Network Solutions Certificate Authority. Are these non-EV certificates issued directly from the Network Solutions Certificate Authority root, or from a subordinate CA under that root?
Comment 19 (Assignee) • 17 years ago
Based on information received via email from NS, non-EV certs are issued directly from the Network Solutions Certificate Authority root.
Comment 20 (Assignee) • 17 years ago
Per request from Network Solutions, I am modifying this request to be for SSL only (no email or code signing trust bits), and am revising the pending list accordingly.
Comment 21 (Assignee) • 17 years ago
I have now completed my review of Network Solution's application for adding the Network Solutions Certificate Authority root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at:
http://www.mozilla.org/projects/security/certs/policy/
I apologize for the delays on my part in doing the review.
Here follows my final assessment. If anyone sees any factual errors, please point them out.
Note that the root referenced in this request (Network Solutions Certificate Authority) is not currently included in the default Mozilla root list; however (non-EV) certificates issued by Network Solutions are currently recognized due to a cross-signing arrangement with other roots.
Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Network Solutions, or of instances where Network Solutions has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.
Section 6 [Relevancy and Policy]. Network Solutions appears to provide a service relevant to Mozilla users; it is a commercial CA operating in the United States and serving customers worldwide, and issues SSL certificates under the SiteSafe brand. Its policies are documented in its CPS documents:
http://www.networksolutions.com/legal/SSL-legal-repository-cps.jsp
https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
* Email: Network Solutions has not requested that the email trust bit be turned on for the Network Solutions Certificate Authority.
* SSL: SSL certificates are issued under the Network Solutions Certificate Authority root, with identity of certificate applicants validated according to multiple steps both automated and manual. (See section 4.2.1 of the main Network Solutions CPS.)
EV SSL certificates are also issued under the hierarchy rooted at the Network Solutions Certificate Authority root (specifically by the Network Solutions EV SSL CA), with verification procedures per the EV guidelines. (See section 4.2 of the Network Solutions EV CPS.)
* Code: Network Solutions has not requested that the code signing trust bit be turned on for the Network Solutions Certificate Authority.
Section 8-10 [Audit]. Network Solutions has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by KPMG. Attestation of the successful completion of the WebTrust for CAs audit is in the form of a standard WebTrust for CAs report available at
https://cert.webtrust.org/SealFile?seal=705&file=pdf
Attestation of the successful completion of the WebTrust EV audit is in the form of a standard WebTrust EV report available at
http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf
Note that although it's not explicitly stated in the report, the dates of the WebTrust EV audit imply that it was done against the final 1.0 version of the EV guidelines using the final WebTrust EV criteria. Also note that since the EV report was provided by the CA itself, final approval of this request is contingent upon verifying with KPMG that the report in question was indeed issued by them.
Audits are done annually (section 1.5 of the main CPS).
Section 13 [Certificate Hierarchy]. The Network Solutions Certificate Authority has only one subordinate CA, the Network Solutions EV SSL CA, which issues the end entity EV certificates.
Other: Network Solutions issues CRLs at least every 24 hours. (See section 2.3 of the main CPS.) Network Solutions does not currently operate an OCSP responder.
Based on the above information, I am minded to approve the inclusion of the Network Solutions Certificate Authority root in NSS (and thence in Firefox and other Mozilla-based products), with the trust bit for SSL set, and the root's enabling for EV with policy OID 1.3.6.1.4.1.782.1.2.1.8.1. Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].
[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:
news://news.mozilla.org/mozilla.dev.tech.crypto
via email by subscribing to the associated mailing list:
https://lists.mozilla.org/listinfo/dev-tech-crypto
and via the web at:
http://groups.google.com/group/mozilla.dev.tech.crypto/topics
Updated (Assignee) • 17 years ago
Whiteboard: EV → EV Public Discussion
Comment 22 (Assignee) • 17 years ago
(In reply to comment #21)
> I have now completed my review of Network Solution's application for adding
> the Network Solutions Certificate Authority root CA certificate and enabling
> it for EV use, per the official Mozilla CA certificate policy at:
>
> http://www.mozilla.org/projects/security/certs/policy/
I have a couple of corrections to add. These don't affect my preliminary approval, but I do want to note them for the record.
> Note that the root referenced in this request (Network Solutions Certificate
> Authority) is not currently included in the default Mozilla root list; however
> (non-EV) certificates issued by Network Solutions are currently recognized due
> to a cross-signing arrangement with other roots.
This is not quite correct. Network Solutions non-EV certs are issued through a separate hierarchy, independent of this root. There is in fact a cross-signing arrangement in place for this new root, but it is for the purpose of recognizing Network Solutions EV certificates as valid SSL certificates in legacy browsers. (This is a similar scheme to what other CAs have done for EV.)
> * SSL: SSL certificates are issued under the Network Solutions Certificate
> Authority root, with identity of certificate applicants validated according to
> multiple steps both automated and manual. (See section 4.2.1 of the main
> Network Solutions CPS.)
>
> EV SSL certificates are also issued under the hierarchy rooted at the
> Network Solutions Certificate Authority root (specifically by the Network
> Solutions EV SSL CA), with verification procedures per the EV guidelines.
> (See section 4.2 of the Network Solutions EV CPS.)
At present Network Solutions issues only EV certificates from the hierarchy rooted at the new Network Solutions Certificate Authority root referenced in this application.
Comment 23 (Assignee) • 17 years ago
(In reply to comment #21)
> Also note that since the EV
> report was provided by the CA itself, final approval of this request is
> contingent upon verifying with KPMG that the report in question was indeed
> issued by them.
I contacted KPMG by telephone and confirmed that the Network Solutions EV report is indeed genuine. I'm therefore removing this contingency.
Comment 24 (Assignee) • 17 years ago
The public comment period has now ended. All outstanding issues with the application have been addressed to my satisfaction, and the remaining contingency (verifying genuineness of the EV audit report) has been removed. I'm therefore formally approving the Network Solutions request to add the Network Solutions Certificate Authority root to NSS and to mark it as suitable for EV use. I've filed bug 431381 against NSS and bug 431384 against PSM to make the actual code changes required.
Whiteboard: EV Public Discussion → EV Approved
Comment 25 (Assignee) • 17 years ago
Just cleaning up the platform and hardware fields, and fixing the whiteboard comment to be consistent with other bugs.
OS: Other → All
Hardware: Other → All
Whiteboard: EV Approved → EV - inclusion approved
Comment 26 (Assignee) • 16 years ago
Marking this as fixed since the NSS and PSM bugs are fixed and the certificate is included in Firefox 3.0.2.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 29 • 10 years ago
Just posting the audit statements here as an interim measure until they are published on the webtrust.org site.
Updated • 8 years ago
Product: mozilla.org → NSS
Updated • 2 years ago
Product: NSS → CA Program