On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We have a customer at the VA who uses an Entrust root:
> Issuer   Entrust
> AIA:
> http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c
> They are repeatedly flagged by DHS for not using a trusted certificate and
> using a self-signed certificate.  DHS uses Mozilla Trust Store.
> Taking a look at the following file:
> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt,
> we can see that everything pertaining to Entrust ends in .NET.
> The Entrust CA our customer uses ends in .COM.  Both extensions are the
> same thing.  How can we have the .COM certificate added globally to
> Mozilla's Trust Store?  This will resolve the issues being reported by DHS
> for us.
> Any help on this would be greatly appreciated.

Hi Derek,

Entrust Datacard runs a number of different CAs.  The various CAs are
intended for various purposes.

The CA you are using is intended for government-only applications.  The CAs
that are included in the Mozilla Trust Store are intended for citizen or
business-facing applications.  It sounds like DHS is recommending that you
use a certificate that is designed for citizen or business-facing
applications.  I would talk to Entrust Datacard or another CA in the
Mozilla Trust Store to see about getting a new certificate.
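As an added example (not from either message in this thread), a small Python parser for the certdata.txt format Derek links above: it reports which roots NSS trusts for TLS server authentication, and a lookup of a name that is not in the file returns nothing, which is the situation Derek describes. The fragment it parses is constructed, not real entries.

```python
# Constructed fragment in certdata.txt's own format (octal blobs shortened).
SAMPLE_CERTDATA = r"""
# Trust for "Example Public Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Public Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Trust for "Example Email-Only Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

def parse_trust_objects(text):
    """One {attribute: value} dict per CKO_NSS_TRUST object in certdata.txt."""
    objects, current, lines = [], None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)            # CKA_NAME TYPE VALUE
        if len(parts) >= 2 and parts[1] == "MULTILINE_OCTAL":
            for body in lines:                  # skip octal body (hash/DER) up to END
                if body.strip() == "END":
                    break
            continue
        if len(parts) < 3:
            continue
        attr, typ, value = parts
        if attr == "CKA_CLASS":                 # every object starts with CKA_CLASS
            if current and current.get("CKA_CLASS") == "CKO_NSS_TRUST":
                objects.append(current)
            current = {}
        if current is not None:
            current[attr] = value.strip('"') if typ == "UTF8" else value
    if current and current.get("CKA_CLASS") == "CKO_NSS_TRUST":
        objects.append(current)
    return objects

def server_auth_roots(text, name_fragment=""):
    """Labels trusted for TLS server auth whose label contains name_fragment."""
    return [o["CKA_LABEL"] for o in parse_trust_objects(text)
            if o.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR"
            and name_fragment.lower() in o.get("CKA_LABEL", "").lower()]
```

Run it against the real file to see exactly which labels NSS marks CKT_NSS_TRUSTED_DELEGATOR for server auth; a CA that does not appear there will be reported as untrusted by any scanner using the Mozilla store.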