Closed Bug 403915 Opened 17 years ago Closed 16 years ago

Add Network Solutions EV root cert

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cbuckley, Assigned: hecker)

Details

(Whiteboard: EV - inclusion approved)

Attachments

(9 files)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1)
Build Identifier: Other

CA Details
----------
CA Name: Network Solutions, LLC
Website: www.networksolutions.com
One Paragraph Summary of CA, including the following:
- General nature (e.g., commercial, government, academic/research, nonprofit)
- Primary geographical area(s) served
- Number and type of subordinate CAs

Network Solutions, LLC is a commercial CA based in the United States of America offering SSL Certificates to customers around the world. Currently, Network Solutions has no subordinate CAs.

Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: KPMG
Auditor Website: www.kpmg.com
Audit Document URL(s): https://cert.webtrust.org/SealFile?seal=601&file=pdf

Certificate Details
-------------------
(To be completed once for each certificate)
Certificate Name: Network Solutions Certificate Authority
Summary Paragraph, including the following:
- End entity certificate issuance policy

This is the Network Solutions EV Root Certificate. The end entity certificate issuance policy is available at: https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp

Certificate URL (on CA website): http://customersupport.networksolutions.com/category.php?id=118
Version: V3
SHA1 Fingerprint: e2 34 2a ab 84 88 eb b0 88 90 1c c5 d1 11 65 be d9 e4 1d 1e
MD5 Fingerprint: D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
Modulus Length (a.k.a. "key length"): 2048 bits
Valid From (YYYY-MM-DD): Thursday, November 30, 2006 7:00:00 PM
Valid To (YYYY-MM-DD): Saturday, May 30, 2020 5:48:38 AM
CRL URL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
OCSP URL: NA
Class (domain-validated, identity-validated or EV): EV
EV OID: 1.3.6.1.4.1.782.1.2.1.8.1
Certificate Policy URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
CPS URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Requested Trust Indicators (email and/or SSL and/or code): All 3
URL of website using certificate chained to this root (if applying for SSL): https://www.networksolutions.com

Reproducible: Always
Steps to Reproduce: 1. 2. 3.
moving to the right component
Assignee: nobody → hecker
Component: General → CA Certificates
Product: Firefox → mozilla.org
QA Contact: general → ca-certificates
Version: unspecified → other
I'm a bit confused: Is this a new root CA certificate not already included in Mozilla products, or is it an existing root CA certificate that you want enabled for EV use? The CRL URL led me to believe that it was one of the existing UTN UserFirst root certs, but the SHA-1 fingerprint doesn't match any of the UTN UserFirst certs in my copy of Firefox 2.0.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV
I am revising the submission above for Network Solutions EV Root submission for inclusion in Firefox 3.0 after some errors in my application were brought to my attention. Please replace the information in the application above with that which is provided below:

Certificate Details
-------------------
(To be completed once for each certificate)
Certificate Name: Network Solutions Certificate Authority
Summary Paragraph, including the following:
- End entity certificate issuance policy

This is the Network Solutions EV Root Certificate. The end entity certificate issuance policy is available at: https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp

Certificate URL (on CA website): http://www.netsolssl.com/NetworkSolutionsCertificateAuthority.crt
Version: V3
SHA1 Fingerprint: 74 f8 a3 c3 ef e7 b3 90 06 4b 83 90 3c 21 64 60 20 e5 df ce
MD5 Fingerprint: D3:F3:A6:16:C0:FA:6B:1D:59:B1:2D:96:4D:0E:11:2E
Modulus Length (a.k.a. "key length"): 2048 bits
Valid From (YYYY-MM-DD): 01 December 2006 00:00:00 UTC
Valid To (YYYY-MM-DD): 31 December 2029 23:59:59 UTC
CRL URL: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl
OCSP URL: NA
Class (domain-validated, identity-validated or EV): EV
EV OID: 1.3.6.1.4.1.782.1.2.1.8.1
Certificate Policy URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
CPS URL: http://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp
Requested Trust Indicators (email and/or SSL and/or code): All 3
URL of website using certificate chained to this root (if applying for SSL): https://www.networksolutions.com
Independent of approval process, for technical testing purposes: Could you please supply an https:// URL to an example SSL server (customer or demo) that uses a server cert issued (directly or through intermediates) by this root? Should you request multiple roots to be enabled for EV, please provide one example URL for each root. Thank you.
Here is an example SSL server using a cert issued from our EV root: https://www.networksolutions.com
Making EV root cert requests have uniform summaries.
Summary: EV Root Submission for Network Solutions → Add Network Solutions EV root cert
Could you please verify that Network Solutions EV Root will be included in the Firefox 3.0 release. I am concerned that this bug fix does not seem to have progressed. Thank you.
I am looking at the Beta 3.0 current version and EV is not working for Network Solutions although it is working for other CAs. Could someone please contact me about this?
Severity: enhancement → critical
Charlie, if I understand correctly, Frank has not yet approved your request. That's why we have not yet started adding it technically.
I understand from conversations I was told about that Mozilla plans to launch 3.0 without the functioning EV Roots for Network Solutions, Entrust, and GlobalSign to name a few. According to NetCraft, Network Solutions is the third largest provider of EV Certs in the world. Combined with Entrust and GlobalSign, this group of three represents the second largest share of EV Certs in the world. Far larger than other CAs whose EV Roots appear to be included in 3.0 and functioning correctly (e.g., GoDaddy, DigiCert, etc.). The commercial impact of this exclusion will be far reaching as it will harm not only the businesses of these CAs but also extend to each of our hundreds of high-end EV Cert customers who expect their sites to receive the green bar upon release of 3.0. Mozilla must either include all submitted EV Roots in 3.0 or delay the introduction of EV functionality for all CAs until such time as a 3.0 update can include all submitted EV Roots. This issue has the full attention of my Executive Board so your prompt attention to this matter will be greatly appreciated. Thank you.
Changing the "severity" of root CA bugs to something other than "enhancement" causes them to disappear from the radar, so I'm changing this back to enhancement.
Severity: critical → enhancement
OK, I'm actively working on this request, and I have some open questions.

First, the URL http://www.netsolssl.com/NetworkSolutionsCertificateAuthority.crt doesn't work for me; it just redirects to a Network Solutions login page, and I don't have a Network Solutions SSL account. Is there an alternate URL that doesn't require authentication? Or, could you just attach the certificate as an attachment to this bug, or send a copy to me via email?

Second, in looking at <https://www.networksolutions.com/> using Firefox 3 I see a cert chain as follows:

AddTrust External CA Root -> UTN-USERFirst-Hardware -> Network Solutions Certificate Authority -> Network Solutions EV SSL CA -> www.networksolutions.com

From the comments above, it appears that "Network Solutions Certificate Authority" is the root that you wish to have marked for EV, and (unless I'm missing something) that root is not currently included in Mozilla. So the request at present is to 1) include the Network Solutions Certificate Authority root, and 2) mark it for EV use. Is that correct? Or, is it the Network Solutions EV SSL CA that you want to have a root cert added for? (This would be consistent with the approach taken by other CAs who created new EV-specific roots.)
Per email from Network Solutions, the request is indeed to add the Network Solutions Certificate Authority root and mark it for EV. The correct (publicly-accessible) URL for the Network Solutions Certificate is ftp://ftp.networksolutions.com/certs/netsolevroot.crt with SHA-1 fingerprint of: 74 F8 A3 C3 EF E7 B3 90 06 4B 83 90 3C 21 64 60 20 E5 DF CE
(In reply to comment #13)
> Per email from Network Solutions, the request is indeed to add the Network
> Solutions Certificate Authority root and mark it for EV. The correct
> (publicly-accessible) URL for the Network Solutions Certificate is

That should of course be "the Network Solutions Certificate Authority root CA certificate is"
That is correct. To confirm, you are able to download all NetSol Roots publicly from this address: http://customersupport.networksolutions.com/article.php?id=940. And we are specifically requesting that we would like to submit 1) the Network Solutions Certificate Authority root, and 2) mark it for EV use in Firefox 3.0.
Another question, relating to the applicable WebTrust documents: Above you referenced https://cert.webtrust.org/SealFile?seal=601&file=pdf as the WebTrust audit document. Based on my investigation it appears that the relevant documents are instead https://cert.webtrust.org/SealFile?seal=705&file=pdf (which appears to be more recent than the document you referenced) and http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf (which is the WebTrust EV report). Is this correct?
To confirm, these are the latest WebTrust documents for Network Solutions: https://cert.webtrust.org/SealFile?seal=705&file=pdf http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf
I have added an entry for Network Solutions to the pending list; it should show up in an hour or so at http://www.mozilla.org/projects/security/certs/pending/ Please check the information in the entry and confirm that it is complete and correct. Also, I have one further question, mainly for informational purposes: I presume that non-EV certificates (e.g., SiteSafe Basic, Pro, and Wildcard certs) are issued under the hierarchy rooted at the Network Solutions Certificate Authority. Are these non-EV certificates issued directly from the Network Solutions Certificate Authority root, or from a subordinate CA under that root?
Based on information received via email from NS, non-EV certs are issued directly from the Network Solutions Certificate Authority root.
Per request from Network Solutions, I am modifying this request to be for SSL only (no email or code signing trust bits), and am revising the pending list accordingly.
I have now completed my review of Network Solutions' application for adding the Network Solutions Certificate Authority root CA certificate and enabling it for EV use, per the official Mozilla CA certificate policy at:

http://www.mozilla.org/projects/security/certs/policy/

I apologize for the delays on my part in doing the review. Here follows my final assessment. If anyone sees any factual errors, please point them out.

Note that the root referenced in this request (Network Solutions Certificate Authority) is not currently included in the default Mozilla root list; however (non-EV) certificates issued by Network Solutions are currently recognized due to a cross-signing arrangement with other roots.

Section 4 [Technical]. I'm not aware of any technical issues with certificates issued by Network Solutions, or of instances where Network Solutions has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. Network Solutions appears to provide a service relevant to Mozilla users; it is a commercial CA operating in the United States and serving customers worldwide, and issues SSL certificates under the SiteSafe brand. Its policies are documented in its CPS documents:

http://www.networksolutions.com/legal/SSL-legal-repository-cps.jsp
https://www.networksolutions.com/legal/SSL-legal-repository-ev-cps.jsp

* Email: Network Solutions has not requested that the email trust bit be turned on for the Network Solutions Certificate Authority.

* SSL: SSL certificates are issued under the Network Solutions Certificate Authority root, with identity of certificate applicants validated according to multiple steps both automated and manual. (See section 4.2.1 of the main Network Solutions CPS.)

  EV SSL certificates are also issued under the hierarchy rooted at the Network Solutions Certificate Authority root (specifically by the Network Solutions EV SSL CA), with verification procedures per the EV guidelines. (See section 4.2 of the Network Solutions EV CPS.)

* Code: Network Solutions has not requested that the code signing trust bit be turned on for the Network Solutions Certificate Authority.

Section 8-10 [Audit]. Network Solutions has successfully completed an independent audit using the WebTrust for CAs criteria and the WebTrust EV criteria. The audit was done by KPMG. Attestation of the successful completion of the WebTrust for CAs audit is in the form of a standard WebTrust for CAs report available at

https://cert.webtrust.org/SealFile?seal=705&file=pdf

Attestation of the successful completion of the WebTrust EV audit is in the form of a standard WebTrust EV report available at

http://www.networksolutions.com/SSL-certificates/kpmg-ev.pdf

Note that although it's not explicitly stated in the report, the dates of the WebTrust EV audit imply that it was done against the final 1.0 version of the EV guidelines using the final WebTrust EV criteria. Also note that since the EV report was provided by the CA itself, final approval of this request is contingent upon verifying with KPMG that the report in question was indeed issued by them.

Audits are done annually (section 1.5 of the main CPS).

Section 13 [Certificate Hierarchy]. The Network Solutions Certificate Authority has only one subordinate CA, the Network Solutions EV SSL CA, which issues the end entity EV certificates.

Other: Network Solutions issues CRLs at least every 24 hours. (See section 2.3 of the main CPS.) Network Solutions does not currently operate an OCSP responder.

Based on the above information, I am minded to approve the inclusion of the Network Solutions Certificate Authority root in NSS (and thence in Firefox and other Mozilla-based products), with the trust bit for SSL set, and the root's enabling for EV with policy OID 1.3.6.1.4.1.782.1.2.1.8.1. Before I issue my final approval, I'm opening up a period of public discussion of this request in the mozilla.dev.tech.crypto newsgroup [1].

[1] The mozilla.dev.tech.crypto newsgroup is accessible via NNTP-capable newsreaders at:

news://news.mozilla.org/mozilla.dev.tech.crypto

via email by subscribing to the associated mailing list:

https://lists.mozilla.org/listinfo/dev-tech-crypto

and via the web at:

http://groups.google.com/group/mozilla.dev.tech.crypto/topics
Whiteboard: EV → EV Public Discussion
(In reply to comment #21)
> I have now completed my review of Network Solutions' application for adding
> the Network Solutions Certificate Authority root CA certificate and enabling
> it for EV use, per the official Mozilla CA certificate policy at:
>
> http://www.mozilla.org/projects/security/certs/policy/

I have a couple of corrections to add. These don't affect my preliminary approval, but I do want to note them for the record.

> Note that the root referenced in this request (Network Solutions Certificate
> Authority) is not currently included in the default Mozilla root list; however
> (non-EV) certificates issued by Network Solutions are currently recognized due
> to a cross-signing arrangement with other roots.

This is not quite correct. Network Solutions non-EV certs are issued through a separate hierarchy, independent of this root. There is in fact a cross-signing arrangement in place for this new root, but it is for the purpose of recognizing Network Solutions EV certificates as valid SSL certificates in legacy browsers. (This is a similar scheme to what other CAs have done for EV.)

> * SSL: SSL certificates are issued under the Network Solutions Certificate
> Authority root, with identity of certificate applicants validated according to
> multiple steps both automated and manual. (See section 4.2.1 of the main
> Network Solutions CPS.)
>
> EV SSL certificates are also issued under the hierarchy rooted at the
> Network Solutions Certificate Authority root (specifically by the Network
> Solutions EV SSL CA), with verification procedures per the EV guidelines.
> (See section 4.2 of the Network Solutions EV CPS.)

At present Network Solutions issues only EV certificates from the hierarchy rooted at the new Network Solutions Certificate Authority root referenced in this application.
(In reply to comment #21)
> Also note that since the EV
> report was provided by the CA itself, final approval of this request is
> contingent upon verifying with KPMG that the report in question was indeed
> issued by them.

I contacted KPMG by telephone and confirmed that the Network Solutions EV report is indeed genuine. I'm therefore removing this contingency.
Depends on: 431381
No longer depends on: 431381
Depends on: 431384
The public comment period has now ended. All outstanding issues with the application have been addressed to my satisfaction, and the remaining contingency (verifying genuineness of the EV audit report) has been removed. I'm therefore formally approving the Network Solutions request to add the Network Solutions Certificate Authority root to NSS and to mark it as suitable for EV use. I've filed bug 431381 against NSS and bug 431384 against PSM to make the actual code changes required.
Whiteboard: EV Public Discussion → EV Approved
Just cleaning up the platform and hardware fields, and fixing the whiteboard comment to be consistent with other bugs.
OS: Other → All
Hardware: Other → All
Whiteboard: EV Approved → EV - inclusion approved
Marking this as fixed since the NSS and PSM bugs are fixed and the certificate is included in Firefox 3.0.2.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Just posting the audit statements here as an interim measure until they are published on the webtrust.org site.
Product: mozilla.org → NSS
Product: NSS → CA Program