DSV Gruppe has applied to include the SHA-256 "S-TRUST Universal Root
CA" root certificate and enable the Email trust bit. DSV Gruppe’s SHA-1
"S-TRUST Authentication and Encryption Root CA 2005:PN" root certificate
was included in NSS via Bugzilla Bug #370627.

Deutscher Sparkassen Verlag GmbH (DSV Gruppe) is a public corporation
that provides customers of the German Savings Bank Financial Group with
client-certificates for their signature enabled debit card (smartcard).
All German citizens are able to get one of these signature cards which
can be used for secure email communication, web access for online
banking, legally signing transactions, and accessing e-government
applications. S-TRUST is a trademark of DSV Gruppe.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1011182

And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8506450

Noteworthy points:
* The primary documents are in German.
CPS: https://www.s-trust.de/stn-cps
* CA Hierarchy:
** This root has one internally-operated subordinate CA, "S-TRUST
Authentication and Encryption Class 3 CA"
* This request is to turn on the Email trust bit.
** According to section 2.4.2.2 of the CPS the proof of email ownership
occurs by means of a personal code, which is sent to the applicant via
the email address specified in the certificate. The download process can
only be completed using this email verification code.
** Translation of CPS section 2.4.2.2: Before the ZDA DSV approves a
certificate for a signature-prepared chip card, the applicant has to
prove that the e-mail address he entered during the application
process is under his control. This verification happens by means of a
personal code that the ZDA DSV sends to the applicant's e-mail account.
The download process (the delivery of the personal certificates) can
only be executed by entering this e-mail verification code.
* EV Policy OID: Not Applicable.
* Root Cert URL:
https://www.s-trust.de/ablage_download_dokumente/ablage_zertifikate/S-TRUST_Universal_Root_CA1.cer
https://www.s-trust.de/service_support/signaturkarten/download_wurzelzertifikate/qual_angezeigt_akkreditiert/
* Test Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8506014
Intermediate Cert:
https://www.s-trust.de/ablage_download_dokumente/ablage_zertifikate/S-TRUST_Authentication_and_Encryption_Class_3_CA1.cer
* CRL
http://crl.s-trust.de/public/offlineCA/DeutscherSparkassenVerlagGmbHS-TRUSTUniveralRootCA/LatestCRL.crl
* OCSP
None
* Audit: Annual audits are performed by TUVIT according to the ETSI TS
102 042 V2.4.1 criteria.
https://www.tuvit.de/data/content_data/tuevit_en/6744UE_s.pdf
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** None Noted.

This begins the discussion of the request from DSV Gruppe to include the
SHA-256 “S-TRUST Universal Root CA” root certificate and enable the
Email trust bit. At the conclusion of this discussion I will provide a
summary of issues noted and action items. If there are outstanding
issues, then an additional discussion may be needed as follow-up. If
there are no outstanding issues, then I will recommend approval of this
request in the bug.

Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy