Control: tags -1 wontfix

Is there evidence by GlobalSign of tampering, exploit, falsified audits,
or something that I have missed from the mozilla-dev-security-policy
mailing list?

http://www.mozilla.org/projects/security/certs/included/#GlobalSign

GlobalSign Root CA:
Root CA with two subordinate CAs.
GlobalSign Root CA - R2:
Root CA with one subordinate CA.

I've attached a quick grep through the full document for all occurrences
of subordinate. Shall we blacklist all of them (except maybe the ones
that say internal-only)?

Any user of the ca-certificates package may disable trust for any or all
certificates, if they feel inclined to do so. Unless there is definitive
evidence provided, along with an active upstream discussion and possibly
a pending security update coming from Mozilla, I won't arbitrarily
disable a CA from the Mozilla bundle.

Please, do not hesitate to file a bug upstream in Mozilla's bugzilla, if
there is evidence that Mozilla needs to be made aware of, or comment on
the existing bugzilla report that was linked.

-- 
Kind regards,
Michael Shuler
mshuler@mana:~$ w3m -dump http://www.mozilla.org/projects/security/certs/included/ | grep -i -C1 subordinate
      in order to maintain business continuity.
      This root CA signs subordinate CAs that sign end-entity certificates. 
      One sub-CA is used by Firmaprofesional, and other sub-CAs are issued for organizations
--
    <certificate name="GlobalSign Root CA - R2" status="included">
      <summary>Root CA with one subordinate CA.</summary>
      <data url="https://secure.globalsign.net/cacert/root-r2.crt"
--
    <certificate name="GlobalSign Root CA" status="included">
      <summary>Root CA with two subordinate CAs.
      </summary>
--
      serving customers worldwide. Comodo has a total of 12 root CA
      certs included in Mozilla, and altogether 124 subordinate CAs
      signed by those root CAs.  Some of them exist to differentiate
--
      re-brand products for its partners. In each case Comodo retains
      the private key for the subordinate CA within its
      infrastructure.
--
    <certificate name="COMODO Certification Authority" status="included">
      <summary>Root CA certificate with subordinate CAs issuing SSL
        certificates, email certificates, and code signing
--
    <certificate name="COMODO ECC Certification Authority" status="included">
      <summary>Root ECC certificate with internal subordinate CA issuing EV SSL
        certificates, email certificates, and code signing 
certificates.</summary>
--
        actively issuing certificates from this root, so they have not 
        yet published a CRL. All subordinated CAs for this root will 
        be internally operated.
--
        Firefox 2 and earlier) encounter VeriSign EV certificates then
        they will end up treating this CA as a subordinate CA under
        the existing VeriSign Class 3 Public Primary CA
--
      it includes the former SecureTrust and XRamp CAs. At this time
      there are no subordinate CAs for any of these roots; instead end
      entity certificates are issued directly from the roots as noted
--
      <summary>This is the top root, used only to issue CA
        certificates for five application-specific subordinate CAs:
        DigiNotar Public CA 2025 (non-qualified personal
--
        actively issuing certificates from this root, so they have not 
        yet published a CRL. All subordinated CAs for this root will 
        be internally operated.
--
    <certificate name="GeoTrust Primary Certification Authority" status="included">
      <summary>This CA issues a CA certificate to the subordinate CA
        GeoTrust Extended Validation SSL CA, which in turn issues
--
        Firefox 2 and earlier) encounter GeoTrust EV certificates then
        they will end up treating this CA as a subordinate CA under
        the existing Equifax Secure CA root.</comments>
--
      currently included in NSS. The “Go Daddy Class 2 CA” root has a single internally-operated
      subordinate CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
      </summary>
--
       This new root will eventually replace the “Starfield Class 2 CA” root cert that
       is currently included in NSS. The “Starfield Class 2 CA” root has a single subordinate
       CA issuing SSL certificates (DV, OV and EV), email certificates, and code signing certificates.
--
      <summary>
       This new self-signed root CA does not yet have subordinate CAs. Before issuing from this root,
       at least one appropriate, internally-operated subordinate issuing CA will be created.
      </summary>
--
    <certificate name="Valicert Class 2 Policy Validation Authority" status="included">
      <summary>Root  CA  certificate  with  a  single  subordinate  CA
        issuing SSL certificates (DV, OV and EV), email certificates,
--
    <certificate name="Go Daddy Class 2 CA" status="included">
      <summary>Root CA certificate  with  a  single  subordinate  CA
        issuing SSL certificates (DV, OV and EV), email certificates,
--
    <certificate name="Starfield Class 2 CA" status="included">
      <summary>Root CA certificate with a single subordinate CA
        issuing SSL certificates (DV, OV and EV), email certificates,
--
    <certificate name="Network Solutions Certificate Authority" status="included">
      <summary>This CA has a subordinate CA, Network Solutions EV SSL
        CA, which issues Extended Validation certificates for
        SSL-enabled servers. At present there are no other subordinate
        CAs under this root; however in the future Network Solutions
        may establish additional subordinate CAs to issue non-EV
        certificates..</summary>
--
        actively issuing certificates from this root, so they have not 
        yet published a CRL. All subordinated CAs for this root will 
        be internally operated.
--
        actively issuing certificates from this root, so they have not 
        yet published a CRL. All subordinated CAs for this root will 
        be internally operated.
--
    <certificate name="thawte Primary Root CA" status="included">
      <summary>This CA issues a CA certificate to the subordinate CAs
        thawte Extended Validation SSL CA and thawte Extended
--
        Firefox 2 and earlier) encounter thawte EV certificates then
        they will end up treating this CA as a subordinate CA under
        the existing Thawte Premium Server CA root.</comments>
--
      SSL web certificates. Entrust also issues certificates to
      subordinate CAs for enterprise and commercial use.</summary>
    <audit type="WebTrust">
--
        certificates. EV certificates are issued using the
        Entrust Certification Authority - L1A subordinate CA.</summary>
      <data url="https://bugzilla.mozilla.org/attachment.cgi?id=267983"
--
    may be used internationally.
    The "Platinum G2" Root CA currently has 3 subordinate CAs,
    the "Gold G2" Root CA has 2 and the "Silver G2" Root CA has 3.
--
      <summary>The SwissSign Platinum CA - G2 root has three
subordinate CAs. The SwissSign Qualified Platinum CA - G2 issues
"qualified" certificates according to Swiss digital signature law
--
issues the "Postzertifikat", a product of the Swiss Post. (Note that
each of the subordinate CAs has its own CP/CPS separate from the
CP/CPS of the root.) The Platinum CAs require that keys be generated
--
    <certificate name="SwissSign Gold CA - G2" status="included">
      <summary>The "Gold G2" root CA currently has two subordinate
CAs: "Personal" issues certificates for natural persons and
--
    <certificate name="SwissSign Silver CA - G2" status="included">
      <summary>The "Silver G2" root CA currently has three subordinate
CAs: "Personal" issues certificates for natural persons and
--
       This is the root certificate of the French Government CA. The IGC/A root issues a
       subordinate CA for each organization, which can be only a government or an
       administrative organization. Each of these subordinate CAs may issue end-entity
       certificates or additional subordinate CAs to be used for divisions within that
       organization. Each organization is required to follow the CP and the Government
--
      the WISeKey Global Root GA CA and containing Policy CAs
      (subordinate to the root) and Issuing CAs (subordinate to the
      Policy CAs). Note that all end-entity certificates are issued by
--
      procedures related to issuance of certificates for its
      subordinate CAs. Issues related to issuance of end entity
      certificates are addressed in the other two documents
--
      code signing will also be created, and the corresponding Sub-CAs will be operated under
      this Class 3 root. This Class 3 root will only have internally-operated subordinate CAs.
      T-Systems currently offers certificates with a standard security level (e.g. OV) chaining up
--
      <summary>
      This root will have an internally-operated subordinate CA for each registration strength;
      “Class 1”, “Class 2”, “Class 3” and “Class 4 EV”. This root currently has one Class 4 EV
      subordinate CA, “TC TrustCenter Class 4 Extended Validation CA I”, which will only issue EV certificates.
      This new root will co-exist with the “TC TrustCenter Universal CA I” root that is currently included in NSS.
--
      <summary>
       This root has two internally-operated subordinate CAs which issue 
       certificates for SSL, email, and code signing. This root also has an 
       externally-operated subordinate CA which is used to issue device 
       certificates and email certificates for internal use only. The device 
--
      <summary>
       This root has one internally-operated subordinate CA which issues 
       certificates for SSL, email, and code signing.
--
      in the trusted root stores. This root will have internally-operated 
      subordinate CAs for each registration strength. “Class 1”, “Class 2”,
      “Class 3” and “Class 4” represent the registration strength. This root 
      currently has one Class 3 subordinate CA. Over time this root will have
      more “TC Class x” subordinate CA certificates.
      </summary>
--
      <summary>
       The Certigna root has three internally operated subordinated CA’s:  
       Certigna SSL is for SSL-enabled servers, Certigna ID is for 
--
      </data>
      <crl url="http://www.certigna.fr/crl/certignassl.crl">CRL for the SSL Subordinate CA</crl>
      <crl url="http://www.certigna.fr/crl/certignaid.crl">CRL for the ID Subordinate CA</crl>
      <type>IV/OV</type>
--
      <document url="https://bugzilla.mozilla.org/attachment.cgi?id=365278">Translated Portion of Code Signing CPS</document>
      <document url="http://www.certigna.fr/documents/pc_certigna_ssl.php">Certificate Policy for SSL Subordinate CA</document>
      <document url="http://www.certigna.fr/documents/pc_certigna_id.php">Certificate Policy for ID Subordinate CA</document>
      <trust>
--
       Commerce Department of Colombia, to replace the Certificado Empresarial Clase-A
       certificate. It has one internally operated subordinate CA.
      </summary>
--
      <summary>
      This root has six internally-operated subordinate CAs that are used for 
      issuing digital IDs to individuals and corporations in accordance with 
--
      <summary>
      This root has two internally-operated subordinate CAs that are used 
      for issuing certificates for SSL and for code-signing.
--
      <summary>
        Root CA with one internal subordinate CA issuing EV SSL certificates.
      </summary>
--
        certificates. There is currently only one internally-operated
        subordinate CA called Cybertrust SureServer EV CA.  The CPS
        allows for this root to have other subordinate CAs in the
        future. The sub-CAs are required to follow the CPS and to have
--
      <summary>
      From this root CA E-TUGRA has issued two internally-operated subordinate 
      CAs. The Qualified Certificate (QC) subordinate CA issues certificates 
      for Digital Signing and Non-Repudiation (document and email signing). 
      The Non Qualified Certificate (NQC) subordinate CA (EBG Web Sunucu 
      Sertifika Hizmet Sağlayıcısı) issues certificates for SSL, email 
--
      <summary>
      This is the eCA root, which has two subordinate CAs: CHTCA and Public CA. 
      The CHTCA is the internal CA of Chunghwa Telecom (CHT) which signs certificates
--
       a trust relationship between two CAs. Within the ePKI the cross-certificate is
       intended to mean subordinate CA. All subordinate CAs are operated by the Data
       Communication Business Group, which is a division of Chunghwa Telecom.
--
      <summary>
        This root issues internally-operated subordinate CAs for different 
        classes of certificates based on use and verification requirements.
--
      <document url="http://www.certsign.ro/certsign_en/files/certSIGN_CPS_EN.pdf">Certification Practice Statement in English</document>
      <document url="https://www.certsign.ro/certificate_digitale/lantul_de_incredere_en.htm">Download Links of Subordinate CAs</document>
      <trust>
--
       certificates and code signing certificates to national government agencies.
       This root issues end-entity certificates directly, and does not have any subordinate CAs.
      </summary>
--
      <summary>
      This root has one internally-operated subordinate CA named CNNIC SSL, which offers
      only SSL certificates that may be issued to general public, including
--
       This root signs end-entity certificates directly, and does not have 
       subordinate CAs.
       Buypass Class 2 certificates are issued to persons or enterprises and have the
--
       This root signs end-entity certificates directly, and does not have 
       subordinate CAs.
       The Buypass Class 3 certificates are either issued to persons or enterprises.
--
      <summary>
       This root has only one direct subordinate, Hongkong Post e-Cert CA 1, 
       which is the signer key and is used to issue different types of recognized
--
      <summary>
       This root issues three types of internally operated subordinate CAs. 
       The first type of subordinate CA is used to issue electronic ID cards 
       which contain certificates for digital signature and for digital 
       identification. 
       The second type of subordinate CA is used to issue internal ID cards 
       of the Republic of Estonia. 
       The third type of subordinate CA is used to issue device and SSL certificates.
      </summary>
--
      This new root will have the same CA hierarchy as the old “Juur-SK” root.
      The Juur-SK root has three types of internally operated subordinate CAs. 
      The first type of subordinate CA is used to issue electronic ID cards 
      which contain certificates for digital signature and for digital identification.
      The second type of subordinate CA is used to issue internal ID cards of the Republic of Estonia.
      The third type of subordinate CA is used to issue device and SSL certificates.
      </summary>
--
       is currently in the Mozilla store. The PKIoverheid issues two internally 
       operated subordinate CAs, which issue subordinate CAs to CSPs. The CSPs 
       are commercial and governmental organizations. Each CSP has to prove that
--
      <summary>
      This root has no subordinate CAs, issuing end-entity certs 
      for SSL, email, and code signing directly.
--
       equivalent of these existing roots will be created under this new root. 
       The new root will sign seven internally-operated subordinate CAs. Two of those
       subordinate CAs will sign sub-CAs that will be externally-operated by 
       MKB (Hungarian Trade Bank) and MNB (National Bank of Hungary). 
--
      <summary>
      This root has one internally-operated subordinate CA for issuing SSL 
      certificates to the public. In the future, JCSI plans to add other 
      internally-operated subordinate CAs for S/MIME, Time Stamping, and other 
      certificate types.
--
      <summary>
      This root has three internally-operated subordinate CAs. The ACEDICOM 01 
      subordinate CA issues Qualified certificates for identification and advanced
      electronic signature, for the use of physical persons or legal organisations.
      The ACEDICOM 02 subordinate CA issues certificates for purposes other than
      Qualified electronic signature. The ACEDICOM Servidores subordinate CA issues
      server/client certificates and code signing certificates.
--
      <summary>
       This SHA256 root has five internally-operated subordinate CAs. 
       One sub-CA issues EV SSL certs. Two of the sub-CAs are for Qualified certificates,
--
      <summary>
       This CA has internally-operated subordinate CAs that issue certificates 
       for Spanish companies and representatives. Chambers of Commerce act as RAs
--
      <summary>
       This CA has internally-operated subordinate CAs that issue certificates for
       general use globally. Other companies act as RAs for end user registration.
--
      <summary>
      This root has four internally-operated subordinate CAs which sign 
      end-entity certificates for individuals and organizations.
--
      <summary>
      This root has four internally-operated subordinate CAs according to their application and usage.
            </summary>
--
      <summary> 
        This root has internally-operated subordinate CAs: “Certinomis AC 1 étoile” (OV verification for SSL),
        “Certinomis AC 2 étoiles” (EV like verification for SSL), “Certinomis - Autorité de Test”
--
      <summary>
      This root has seven internally-operated subordinate CAs. The subordinate CAs
      are used to distinguish who the certificates are issued to.  The EC-IDCAT 
--
      Certificates in this hierarchy may only be used for academic, research, or educational purposes.
      This root will eventually have the same subordinate CAs as HARICA's current MD5 root, which has
      several internally-operated sub-CAs, and one externally operated sub-CA.
--
      This new root certificate will eventually replace the Actalis Authentication CA G1 root certificate.
      It will sign internally-operated subordinate CAs which will sign end-entity certificates.
      </summary>

Attachment: signature.asc
Description: OpenPGP digital signature
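An added example, not part of Michael Shuler's message and not code from the ca-certificates package, of what "disable trust for any or all certificates" looks like in practice on Debian. /etc/ca-certificates.conf lists one certificate path per line (relative to /usr/share/ca-certificates); a line starting with `!` is deselected, and `update-ca-certificates` regenerates /etc/ssl/certs and the bundle from that list. The function names and the sample config contents below are my own for this demonstration; the functions take the config path as an argument so they can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the ca-certificates
# package. Debian's /etc/ca-certificates.conf lists one certificate path per
# line, relative to /usr/share/ca-certificates. A leading "!" deselects that
# certificate; a leading "#" is a comment. After editing the real file, run
# `update-ca-certificates` to regenerate /etc/ssl/certs and the bundle.
# Function names and the sample contents are assumptions made for this demo.

# Write a constructed sample config (the real file has hundreds of entries).
make_sample_conf() {
    cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/GlobalSign_Root_CA.crt
mozilla/GlobalSign_Root_CA_-_R2.crt
mozilla/COMODO_Certification_Authority.crt
!mozilla/Already_Disabled_CA.crt
EOF
}

# is_trusted CONF NAME: succeed if NAME is listed and not deselected.
is_trusted() {
    grep -q -x -F -e "$2" "$1"
}

# list_disabled CONF: print the deselected entries, without the "!".
list_disabled() {
    sed -n 's/^!//p' "$1"
}

# rewrite CONF AWK_PROGRAM NAME: apply an awk edit to CONF in place.
# A temp file plus cat keeps CONF's owner and mode; sed -i is not portable.
rewrite() {
    conf=$1; prog=$2; name=$3
    tmp=$(mktemp) || return 1
    awk -v n="$name" "$prog" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# disable_ca CONF NAME: prefix NAME's line with "!". Idempotent, and fails
# (status 1) if NAME is not listed at all, so a typo is not silently ignored.
disable_ca() {
    grep -q -x -F -e "$2" -e "!$2" "$1" || return 1
    rewrite "$1" '$0 == n { print "!" $0; next } { print }' "$2"
}

# enable_ca CONF NAME: remove the "!" again.
enable_ca() {
    rewrite "$1" '$0 == ("!" n) { print n; next } { print }' "$2"
}

# Demo on a scratch copy. On a real system you would target
# /etc/ca-certificates.conf and then run: update-ca-certificates
demo() {
    conf=$(mktemp) || return 1
    make_sample_conf "$conf"
    disable_ca "$conf" mozilla/GlobalSign_Root_CA.crt
    disable_ca "$conf" mozilla/GlobalSign_Root_CA_-_R2.crt
    echo "deselected:"; list_disabled "$conf"
    rm -f "$conf"
}
```

Deselecting in the config is the supported route; deleting the .crt under /usr/share/ca-certificates is undone by the next package upgrade. Note also that this only changes the system bundle used by OpenSSL- and GnuTLS-based programs; Firefox and other NSS applications carry their own copy of the Mozilla root store, which is why the maintainer points at Mozilla's bugzilla rather than the Debian package for removal decisions.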
