ports/109609: security/ca-roots addition request
PauAmma
pauamma at gundo.com
Tue Feb 27 16:30:05 UTC 2007
>Number: 109609
>Category: ports
>Synopsis: security/ca-roots addition request
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 27 16:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: PauAmma
>Release: N/A
>Organization:
Ecdysiasts United For Overdressing
>Environment:
N/A
>Description:
Please consider the following root certificates, issued by Comodo and USERTrust / USERFirst, for addition to port security/ca-roots.
Disclaimer: I don't work for either Comodo or USERTrust / USERFirst, but I'm a frequent user (and soon-to-be employee) of a weblog hosting company using some of their root certificates.
URLs for Comodo root certificates and CRLs:
- http://www.comodo.com/repository/AAACertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/AAACertificateServices.crt CRL: http://crl.comodo.net/AAACertificateServices.crl
- http://www.comodo.com/repository/SecureCertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/SecureCertificateServices.crt CRL: http://crl.comodo.net/SecureCertificateServices.crl
- http://www.comodo.com/repository/TrustedCertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/TrustedCertificateServices.crt CRL: http://crl.comodo.net/TrustedCertificateServices.crl
The certificate URLs ending in .crt are sent as MIME type application/x-x509-ca-cert and the .cer ones (incorrectly) as chemical/x-cerius, but their raw content is the same. The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.)
URLs for USERTrust / USERFirst root certificates and CRLs:
- http://www.usertrust.com/cacerts/UTN-USERFirst-ClientAuthenticationandEmail.crt CRL: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Hardware.crt CRL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
- http://www.usertrust.com/cacerts/UTN-DataCorpSGC.crt CRL: http://crl.usertrust.com/UTN-DATACorpSGC.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Object.crt CRL: http://crl.usertrust.com/UTN-USERFirst-Object.crl
The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.) Note that the first and last certificates are for other uses than SSL (S/MIME and object signing, respectively). If security/ca-roots is for SSL certificates only, feel free to ignore them.
Comodo and USERTrust / USERFirst policy and practice statements, and audit reports:
- http://www.comodo.com/repository/Comodo_WT_CPS.pdf: Comodo Certification Practice Statement, Version 2.1, 16 April 2003
- http://www.comodo.com/repository/cps_amendments.pdf: Proposed Amendments to CPS Ver. 2.1, 11 May 2004
- http://www.comodo.com/repository/index.html: Other documents
- https://cert.webtrust.org/SealFile?seal=212&file=pdf: WebTrust Audit Report and Management Assertions
- http://www.usertrust.com/Library/USERTrust%20CPS%20November%2001%2C%202000.pdf: Certificate Practices Statement Of Universal Secured Encryption Repository Company ("USERFirst"), A Non-Profit Corporation Serving as the Certification Authority, Recognized Repository, and Repository Archive of the USERTRUST Network L.L.C. Public Key Infrastructure (UTN PKI), Version 5, Amended November 1, 2000
- http://www.usertrust.com/library_legaldocs.aspx: Other documents (also redirected from http://www.usertrust.com/cps)
(Note that USERTrust/USERFirst was acquired by Comodo, and that Comodo audit reports also apply to it.)
In case these are applicable:
- https://bugzilla.mozilla.org/show_bug.cgi?id=242610 (for USERTrust) and https://bugzilla.mozilla.org/show_bug.cgi?id=249710 (for Comodo) are the addition requests they filed with Mozilla a few years ago.
- http://hecker.org/mozilla/ca-certificate-list is the list of standard CAs in Mozilla software, with links to supporting documents.
>How-To-Repeat:
- Install port security/ca-roots
- Attempt to validate certificates used by https://www.livejournal.com/login.bml
>Fix:
Add root certificates listed above
>Release-Note:
>Audit-Trail:
>Unformatted:
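As an added illustration of the How-To-Repeat and Fix steps in this PR (example code written for this page, not part of the PR, the port, or the vendors' material), the script below builds a throwaway PKI so the situation can be reproduced offline: a server certificate fails `openssl verify` against a CA bundle that lacks its issuing root, and validates once that root, obtained as DER the way the vendors' .cer/.crt files are served, is converted to PEM and appended to the bundle. Every subject name, file name and host name here is constructed; the fingerprint step stands in for comparing a downloaded root against the value the CA publishes out of band before trusting it.

```shell
#!/bin/sh
# Added example, not part of the PR: reproduce the "missing root" failure and
# the "append root to bundle" fix with a constructed PKI. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA named $1 with subject CN $2 (CA:TRUE, keyCertSign).
make_root() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Server (leaf) certificate $3 for host $2, signed by root $1.
make_leaf() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2" \
        > "$WORK/$3.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" 2>/dev/null
}

# CA sites publish roots as DER (.cer/.crt); a PEM bundle needs them converted.
pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# SHA-256 fingerprint of a certificate: compare it with the value the CA
# publishes out of band before appending a downloaded root to the bundle.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'; }

# Exit 0 if server cert $2 chains to a root in bundle $1 for the SSL-server
# purpose, ignoring the system's default trust store; non-zero otherwise.
verify_against_bundle() {
    openssl verify -purpose sslserver -no-CAfile -no-CApath \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root preexisting "Constructed Pre-existing Root CA"
make_root vendor "Constructed Vendor Root CA"
make_leaf vendor www.example.test leaf

# The vendor root as downloaded (DER), then converted for the bundle.
pem_to_der "$WORK/vendor.pem" "$WORK/vendor.cer"
der_to_pem "$WORK/vendor.cer" "$WORK/vendor-from-der.pem"

# Bundle as shipped (How-To-Repeat) versus bundle with the root added (Fix).
cp "$WORK/preexisting.pem" "$WORK/bundle-before.pem"
cat "$WORK/preexisting.pem" "$WORK/vendor-from-der.pem" > "$WORK/bundle-after.pem"

if verify_against_bundle "$WORK/bundle-before.pem" "$WORK/leaf.pem"; then
    echo "before fix: unexpectedly verified"
else
    echo "before fix: verification failed, issuer not in bundle"
fi
if verify_against_bundle "$WORK/bundle-after.pem" "$WORK/leaf.pem"; then
    echo "after fix: verification OK, root fingerprint $(fingerprint "$WORK/vendor-from-der.pem")"
fi
```

`-no-CAfile -no-CApath` keeps the check honest by preventing `openssl verify` from silently falling back to the system trust store, which is exactly what an application relying only on the port's bundle would see. The DER/PEM round trip is byte-for-byte lossless, so the MIME type a download is served with (the `chemical/x-cerius` oddity mentioned above included) has no bearing on the certificate's content once it is on disk; the fingerprint is what should be compared.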