Hi Peter –

Thank you for responding to our inquiry.  Unfortunately, this particular 
customer has specifically chosen to use this type of certificate for a few 
years as they feel it provides better security.  Trying to get them to move to 
a commercial certificate available to the public would not work for them.

The next course of action may be to speak with DHS about this and see what 
they say.  Again, thank you for the response on this as it does provide some 
more insight into this situation.  Please enjoy the rest of your weekend.

Respectfully,

Derek O’Donnell (Contractor)

NOC Gateway Operations – QuarterLine 

Infrastructure Operations (IO)

IT Operations and Services (ITOPS), Office of Information and Technology (OIT)

Office (304) 262-5282 T-S

From: Peter Bowen <pzbo...@gmail.com> 
Sent: Saturday, November 23, 2019 7:24 PM
To: O'Donnell, Derek <Derek.O'donn...@va.gov>
Cc: dev-security-policy@lists.mozilla.org; Bowen, James E. <james.bo...@va.gov>
Subject: [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS

On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

We have a customer at the VA who uses an Entrust root:
Issuer: Entrust

AIA:
http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c

They are repeatedly flagged by DHS for not using a trusted certificate and
using a self-signed certificate.  DHS uses Mozilla Trust Store.

Taking a look at the following file:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
we can see that everything pertaining to Entrust ends in .NET.

The Entrust CA our customer uses ends in .COM.  Both extensions are the same
thing.  How can we have the .COM certificate added Globally to Mozilla's
Trust Store?  This will resolve the issues being reported by DHS for us.
Any help on this would be greatly appreciated.

Hi Derek,

Entrust Datacard runs a number of different CAs.  The various CAs are intended 
for various purposes.

The CA you are using is intended for government-only applications.  The CAs 
that are included in the Mozilla Trust Store are intended for citizen or 
business-facing applications.  It sounds like DHS is recommending that you use 
a certificate that is designed for citizen or business-facing applications.  I 
would talk to Entrust Datacard or another CA in the Mozilla Trust Store to see 
about getting a new certificate.

Thanks,

Peter

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

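The thread above turns on whether a given root is actually in the Mozilla root store. The practical check is not the hostname in the AIA URL (.com versus .net) but whether the root certificate itself appears in certdata.txt with server-authentication trust. The following is an added example, not code from the thread or from Mozilla/NSS: a stdlib-only parser for the certdata.txt layout linked in the thread, which pairs each CKO_CERTIFICATE object with its CKO_NSS_TRUST object and answers "is this root, by SHA-256 fingerprint, trusted for TLS server auth?" The certdata fragment embedded in it is constructed for the example, with placeholder bytes in CKA_VALUE instead of real DER certificates.

```python
"""Check a root against an NSS certdata.txt trust store (added example).

The question DHS-style scanners are really asking is: does the chain end in a
root whose bytes are in certdata.txt with CKT_NSS_TRUSTED_DELEGATOR for
CKA_TRUST_SERVER_AUTH?  A private or government-only CA fails that test no
matter what domain its AIA URL uses.  SAMPLE_CERTDATA below is constructed;
the CKA_VALUE blobs are placeholder bytes, not real certificates.
"""
import hashlib
import re

# Constructed fragment in the real certdata.txt layout (two roots: one trusted
# for server auth, one trusted only for e-mail).  Real entries carry many more
# attributes (CKA_ISSUER, CKA_SERIAL_NUMBER, hashes); these are the essentials.
SAMPLE_CERTDATA = r'''
BEGINDATA
#
# Certificate "Example Public Root G1"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Public Root G1"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\001\002\003\004
END

# Trust for "Example Public Root G1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Public Root G1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

#
# Certificate "Example Email-Only Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000\011\010\007\006
END

# Trust for "Example Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

# Constructed "root certificates" to look up.  The first two match the
# CKA_VALUE blobs above; the third stands in for a private/government-only root.
PUBLIC_ROOT_DER = bytes([0o060, 0o202, 0o001, 0o000, 0o001, 0o002, 0o003, 0o004])
EMAIL_ROOT_DER = bytes([0o060, 0o202, 0o002, 0o000, 0o011, 0o010, 0o007, 0o006])
PRIVATE_ROOT_DER = bytes([0o060, 0o202, 0o003, 0o000, 0xAA, 0xBB, 0xCC, 0xDD])


def _decode_octal(lines):
    """certdata encodes binary values as \\NNN octal escapes, one byte each."""
    return bytes(int(o, 8) for ln in lines for o in re.findall(r'\\([0-7]{3})', ln))


def parse_certdata(text):
    """Return a list of PKCS#11-style objects (dicts); each begins at CKA_CLASS."""
    objects, cur, i = [], None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        parts = line.split(None, 2)
        if not line or line.startswith('#') or len(parts) < 2:  # comments, BEGINDATA
            continue
        attr, typ = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ''
        if typ == 'MULTILINE_OCTAL':          # value continues until a bare END line
            blob = []
            while lines[i].strip() != 'END':
                blob.append(lines[i])
                i += 1
            i += 1                            # consume END
            value = _decode_octal(blob)
        elif typ == 'UTF8':
            value = value.strip('"')
        if attr == 'CKA_CLASS':               # start of a new object
            cur = {}
            objects.append(cur)
        cur[attr] = value
    return objects


def build_trust_store(text):
    """Map SHA-256(root DER) -> {label, server_auth, email} by pairing the
    certificate object with its trust object on CKA_LABEL."""
    objs = parse_certdata(text)
    trusts = {o['CKA_LABEL']: o for o in objs if o['CKA_CLASS'] == 'CKO_NSS_TRUST'}
    store = {}
    for cert in (o for o in objs if o['CKA_CLASS'] == 'CKO_CERTIFICATE'):
        label, t = cert['CKA_LABEL'], trusts.get(cert['CKA_LABEL'], {})
        store[hashlib.sha256(cert['CKA_VALUE']).hexdigest()] = {
            'label': label,
            'server_auth': t.get('CKA_TRUST_SERVER_AUTH') == 'CKT_NSS_TRUSTED_DELEGATOR',
            'email': t.get('CKA_TRUST_EMAIL_PROTECTION') == 'CKT_NSS_TRUSTED_DELEGATOR',
        }
    return store


def lookup_root(store, root_der):
    """Find a root by the fingerprint of its own bytes; None if not in the store."""
    return store.get(hashlib.sha256(root_der).hexdigest())


def root_is_publicly_trusted(store, root_der):
    """True only if this exact root is present AND trusted for TLS server auth.
    AIA hostnames and issuer names in the file play no part in the decision."""
    entry = lookup_root(store, root_der)
    return bool(entry and entry['server_auth'])


if __name__ == '__main__':
    store = build_trust_store(SAMPLE_CERTDATA)
    for name, der in [('public', PUBLIC_ROOT_DER), ('email-only', EMAIL_ROOT_DER),
                      ('private', PRIVATE_ROOT_DER)]:
        print(f'{name:10s} server-auth trusted: {root_is_publicly_trusted(store, der)}')
```

Against the real certdata.txt, feed `build_trust_store(open('certdata.txt').read())` and the DER of the root at the top of the server's chain; a root from a government-only PKI simply returns None from `lookup_root`, which is exactly the "untrusted/self-signed" finding the scanner reports.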