Mozilla

CA Program

Case Information

Subject
Enable EV for IdenTrust Commercial Root CA 1
Link to Bugzilla Bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1551703
Case Number
00000417
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
IdenTrust Services, LLC
Request Status
In Detailed CP/CPS Review

CA Address Information

Street
6623 Dumbarton Cir.
City
Fremont
State/Province
CALIFORNIA
Zip/Postal Code
94555
Country
United States of America

General information about CA's associated organization

CA Email Alias 1
CA Owner Information Verified?
Data Verified
Company Website
http://www.identrust.com/
Organizational Type
 
Geographic Focus
USA
Primary Market / Customer Base
IdenTrust is a for-profit corporation serving the private, commercial, and government sectors.
Recognized CAA Domains
Problem Reporting Mechanism

CP/CPS and Audit Statements

Policy Documentation
CP/CPS Verified?
Data Verified
Other Relevant Documents
Auditor Verified?
Data Verified
Auditor Location
Standard Audit Verified?
Data Verified
Standard Audit Type
WebTrust
Standard Audit Deviation
false
Standard Audit Statement Date
7/31/2018
Standard Audit Comments
Standard Audit Period Start Date
7/1/2017
Standard Audit ALV Comments
Standard Audit Period End Date
6/30/2018
BR Audit Verified?
Data Verified
BR Audit Type
WebTrust
BR Audit Deviation
false
BR Audit Statement Date
7/31/2018
BR Audit Comments
BR Audit Period Start Date
7/1/2017
BR Audit ALV Comments
BR Audit Period End Date
6/30/2018
EV SSL Audit Verified?
Data Verified
EV SSL Audit Type
WebTrust
EV SSL Audit Deviation
false
EV SSL Audit Statement Date
7/31/2018
EV SSL Audit Comments
EV SSL Audit Period Start Date
7/1/2017
EV SSL Audit ALV Comments
EV SSL Audit Period End Date
6/30/2018

Required and Recommended Practices

Required Practices
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified?
Data Verified
CA's Response to Required Practices
1. Publicly Available CP and CPS: Yes: https://secure.identrust.com/certificates/policy/ts/
1.1 Revision Table, updated annually: CP & CPS Section 1.2
1.2 CAA Domains listed in CP/CPS: CPS Section 4.2.2
1.3 BR Commitment to Comply statement in CP/CPS: CP & CPS Section 1.1.
1.4 CP/CPS Structured According to RFC 3647, appropriate use of 'No Stipulation': Yes, CP & CPS follow RFC3647
2. Audit Criteria: WebTrust
2.1 Complete Audit History: All of the historic audit statements have been attached to the Root Inclusion Case (scroll to the bottom of the page in CCADB)
3. Revocation of Compromised Certificates: CPS Section 4.9.1
4. Verifying Domain Name Ownership: CPS 3.2.10.5
4.1 Baseline Requirements: CPS Section 3.2.10
4.2 WHOIS: CPS Sections 3.2.10.5.1
4.3 Email Challenge-Response: CPS Sections 3.2.8.3
5. Verifying Email Address Control: CPS Sections 3.2.8.1
6. DNS names go in SAN: CPS Section 7.1.2.5 (subjectAltName)
7. OCSP: CPS Section 2.1.1 and 9.18 Appendix A - AIA: accessLocation::= { http://commercial.ocsp.identrust.com}
- OCSP SHALL NOT respond 'Good' for unissued certs: CPS Section 4.9.9
8. Network Security Controls: CPS Section 6.7

Forbidden and Potentially Problematic Practices

Forbidden Practices
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified?
Data Verified
CA's Response to Forbidden Practices
1. Long-lived Certificates: CPS Section 6.3.2
2. Non-Standard Email Address Prefixes for Domain Ownership Validation: CPS Section 3.2.10.5.1
3. Issuing End Entity Certificates Directly From Roots: Not done by IdenTrust. CPS Section 6.1.7
4. Distributing Generated Private Keys in PKCS#12 Files: CPS Section 3.2.1; 7.1.2.4; 7.1.2.10
5. Certificates Referencing Local Names or Private IP Addresses: CPS Section 3.2.10.6
6. Issuing SSL Certificates for .int Domains: CPS Section 3.2.10.6
7. OCSP Responses Signed by a Certificate Under a Different Root: Not a practice by IdenTrust
8. Issuance of SHA-1 Certificates: Section 6.1.5.
9. Delegation of Domain / Email Validation to Third Parties: CPS Section 1.3.2

Root Case Record # 1

Root Case Information

Root Certificate Name
IdenTrust Commercial Root CA 1
Root Case No
R00000846
Request Status
In Detailed CP/CPS Review
Case Number
00000417

Certificate Data Extracted from PEM

Subject
CN=IdenTrust Commercial Root CA 1; O=IdenTrust; C=US
Issuer
CN=IdenTrust Commercial Root CA 1; O=IdenTrust; C=US
Valid From
2014 Jan 16
Valid To
2034 Jan 16
Certificate Serial Number
0A0142800000014523C844B500000002
SHA-1 Fingerprint
DF717EAA4AD94EC9558499602D48DE5FBCF03A25
SHA-256 Fingerprint
5D56499BE4D2E08BCFCAD08A3E38723D50503BDE706948E42F55603019E528AE
Signature Hash Algorithm
SHA256WithRSA
Public Key Algorithm
RSA 4096 bits
SPKI SHA256
07E854F26A7CBD389927AA041BFEF1B6CD21DD143818AD947DC655A9E587FE88
Subject + SPKI SHA256
89B8F1171882FB89B23E8779EAC21869AC06C62183619A22340AC14D8BE58EEB

Audits that apply to this Root Certificate

Standard Audit
Checked
Applicable Audits Verified?
Data Verified
BR Audit
Checked
EV SSL Audit
Checked

Application Information

Explanation
Enable EV treatment for the "IdenTrust Commercial Root CA 1" root certificate that was included via Bugzilla Bug #1037590.
Application Information Verified?
Data Verified
Role
Root Certificate Download URL
https://bugzilla.mozilla.org/attachment.cgi?id=8473319

Mozilla Fields

Mozilla Trust Bits
Email; Websites
Mozilla Fields Verified?
Data Verified
SSL Validation Type
OV; EV
Mozilla EV Policy OID(s)
2.23.140.1.1
Mozilla Applied Constraints

CA Hierarchy Information

Cross-Signed by another Root Cert?
Not Checked
PKI Hierarchy Verified?
Data Verified
Has Externally Operated SubCAs?
Not Checked
CP/CPS allows Ext Operated SubCAs?
Not Checked
Has External Registration Authorities?
Checked
CP/CPS allows External RAs?
Checked
Description of PKI Hierarchy
This CA hierarchy has been entered into the CCADB.

The intermediate certs in this CA Hierarchy are internally-operated by IdenTrust.
Constraints on External SubCAs and RAs
External RAs are allowed per CPS sections 1.3.3, 5.2.4; and CP sections 1.3.1.3, 2.1.3, 2.7.4.

BR Self Assessment: "Currently IdenTrust does not have any Delegated Third Parties. Any future appointment of Delegated Third Parties will comply with the referenced sections."

Test Websites or Example Cert

Test Website - Valid
https://ev-valid.identrustssl.com/
Test Websites Verified?
Data Verified
Test Website - Expired
https://ev-expired.identrustssl.com/
Test Website - Revoked
https://ev-revoked.identrustssl.com/
Test Notes

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested
https://certificate.revocationcheck.com/sha2ssl-trustidvalid.identrustssl.com no errors
Test Results Verified?
Data Verified
CA/Browser Forum Lint Test
https://crt.sh/?caid=1587&opt=cablint,zlint,x509lint&minNotBefore=2016-01-01 OK
Test Website Lint Test
https://crt.sh/?caid=1588&opt=cablint,zlint,x509lint&minNotBefore=2016-01-01 Resolution and explanation of errors: https://bugzilla.mozilla.org/attachment.cgi?id=9069812
EV Tested
https://tls-observatory.services.mozilla.com/static/ev-checker.html https://ev-valid.identrustssl.com/ 2.23.140.1.1 ev-checker exited successfully: Success!