ports/109609: security/ca-roots addition request

PauAmma pauamma at gundo.com
Tue Feb 27 16:30:05 UTC 2007


>Number:         109609
>Category:       ports
>Synopsis:       security/ca-roots addition request
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 27 16:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     PauAmma
>Release:        N/A
>Organization:
Ecdysiasts United For Overdressing
>Environment:
N/A
>Description:
Please consider the following root certificates, issued by Comodo and USERTrust / USERFirst, for addition to port security/ca-roots.

Disclaimer: I don't work for either Comodo or USERTrust / USERFirst, but I'm a frequent user (and soon-to-be employee) of a weblog hosting company using some of their root certificates.

URLs for Comodo root certificates and CRLs:

- http://www.comodo.com/repository/AAACertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/AAACertificateServices.crt CRL: http://crl.comodo.net/AAACertificateServices.crl
- http://www.comodo.com/repository/SecureCertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/SecureCertificateServices.crt CRL: http://crl.comodo.net/SecureCertificateServices.crl
- http://www.comodo.com/repository/TrustedCertificateServices.cer or http://www.instantssl.com/ssl-certificate-support/certs/TrustedCertificateServices.crt CRL: http://crl.comodo.net/TrustedCertificateServices.crl

The certificate URLs ending in .crt are sent as MIME type application/x-x509-ca-cert and the .cer ones (incorrectly) as chemical/x-cerius, but their raw content is the same. The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.)

URLs for USERTrust / USERFirst root certificates and CRLs:

- http://www.usertrust.com/cacerts/UTN-USERFirst-ClientAuthenticationandEmail.crt CRL: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Hardware.crt CRL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
- http://www.usertrust.com/cacerts/UTN-DataCorpSGC.crt CRL: http://crl.usertrust.com/UTN-DATACorpSGC.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Object.crt CRL: http://crl.usertrust.com/UTN-USERFirst-Object.crl

The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.) Note that the first and last certificates are for other uses than SSL (S/MIME and object signing, respectively). If security/ca-roots is for SSL certificates only, feel free to ignore them.

Comodo and USERTrust / USERFirst policy and practice statements, and audit reports:

- http://www.comodo.com/repository/Comodo_WT_CPS.pdf: Comodo Certification Practice Statement, Version 2.1, 16 April 2003
- http://www.comodo.com/repository/cps_amendments.pdf: Proposed Amendments to CPS Ver. 2.1, 11 May 2004
- http://www.comodo.com/repository/index.html: Other documents
- https://cert.webtrust.org/SealFile?seal=212&file=pdf: WebTrust Audit Report and Management Assertions

- http://www.usertrust.com/Library/USERTrust%20CPS%20November%2001%2C%202000.pdf: Certificate Practices Statement Of Universal Secured Encryption Repository Company ("USERFirst"), A Non-Profit Corporation Serving as the Certification Authority, Recognized Repository, and Repository Archive of the USERTRUST Network L.L.C. Public Key Infrastructure (UTN PKI), Version 5, Amended November 1, 2000
- http://www.usertrust.com/library_legaldocs.aspx: Other documents (also redirected from http://www.usertrust.com/cps)

(Note that USERTrust/USERFirst was acquired by Comodo, and that Comodo audit reports also apply to it.)

In case these are applicable:
- https://bugzilla.mozilla.org/show_bug.cgi?id=242610 (for USERTrust) and https://bugzilla.mozilla.org/show_bug.cgi?id=249710 (for Comodo) are the addition requests they filed with Mozilla a few years ago.
- http://hecker.org/mozilla/ca-certificate-list is the list of standard CAs in Mozilla software, with links to supporting documents.
>How-To-Repeat:
- Install port security/ca-roots
- Attempt to validate certificates used by https://www.livejournal.com/login.bml
>Fix:
Add root certificates listed above
>Release-Note:
>Audit-Trail:
>Unformatted: