Hi Peter –
Thank you for responding to our inquiry. Unfortunately, this particular customer has specifically chosen to use this type of certificate for a few years as they feel it provides better security. Trying to get them to move to a commercial certificate available to the public would not work for them. The next course of action may be to speak with DHS about this and see what they say. Again, thank you for the response on this as it does provide some more insight into this situation. Please enjoy the rest of your weekend.

Respectfully,
Derek O’Donnell (Contractor)
NOC Gateway Operations – QuarterLine
Infrastructure Operations (IO)
IT Operations and Services (ITOPS), Office of Information and Technology (OIT)
Office (304) 262-5282 T-S

From: Peter Bowen <pzbo...@gmail.com>
Sent: Saturday, November 23, 2019 7:24 PM
To: O'Donnell, Derek <Derek.O'donn...@va.gov>
Cc: dev-security-policy@lists.mozilla.org; Bowen, James E. <james.bo...@va.gov>
Subject: [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS

On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

We have a customer at the VA who uses an Entrust root:

Issuer Entrust AIA: http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c

They are repeatedly flagged by DHS for not using a trusted certificate and using a self-signed certificate. DHS uses the Mozilla Trust Store. Taking a look at the following file: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt, we can see that everything pertaining to Entrust ends in .NET. The Entrust CA our customer uses ends in .COM. Both extensions are the same thing. How can we have the .COM certificate added globally to Mozilla's Trust Store? This will resolve the issues being reported by DHS for us.

Any help on this would be greatly appreciated.

Hi Derek,

Entrust Datacard runs a number of different CAs. The various CAs are intended for various purposes. The CA you are using is intended for government-only applications. The CAs that are included in the Mozilla Trust Store are intended for citizen- or business-facing applications. It sounds like DHS is recommending that you use a certificate that is designed for citizen- or business-facing applications. I would talk to Entrust Datacard or another CA in the Mozilla Trust Store to see about getting a new certificate.

Thanks,
Peter
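The thread turns on one check: is the root that a server chain terminates in actually an object in Mozilla's certdata.txt, and is it trusted for TLS server authentication there? The following is an added example, not code from the mailing list, NSS or Entrust. It parses the certdata.txt syntax (objects opened by a CKA_CLASS line, made of "ATTRIBUTE TYPE VALUE" lines, with MULTILINE_OCTAL blobs running until END) and reports, for each root label matching a search string, whether it is trusted, distrusted or absent. The embedded excerpt is constructed for the example: the labels "Example Public Root CA", "Example Distrusted Root CA" and "Agency Private SSP CA" are fictitious and the octal blobs are truncated to a few bytes.

```python
"""Look up a root CA in Mozilla's NSS builtin store (certdata.txt) and say
whether it is trusted for TLS server authentication.

Added example for this thread, not code from the mailing list, NSS or Entrust.
"""
import sys

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"   # root may issue server certificates


def parse_certdata(text):
    """Return one dict per object, mapping CKA_* attribute names to values.

    UTF8 values become unquoted strings, MULTILINE_OCTAL blobs are decoded
    to bytes, every other token (CK_BBOOL, CK_TRUST, ...) is kept verbatim.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:          # BEGINDATA and similar directives
            continue
        attr, typ = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if attr == "CKA_CLASS":     # every object starts with its class
            current = {}
            objects.append(current)
        if current is None:
            continue
        if typ == "MULTILINE_OCTAL":
            blob = bytearray()
            for raw in lines:       # consume the shared iterator up to END
                raw = raw.strip()
                if raw == "END":
                    break
                blob.extend(int(o, 8) for o in raw.split("\\") if o)
            current[attr] = bytes(blob)
        elif typ == "UTF8":
            current[attr] = value.strip('"')
        else:
            current[attr] = value
    return objects


def server_auth_trust(text):
    """Map root label -> CKA_TRUST_SERVER_AUTH for every CKO_NSS_TRUST object."""
    return {
        obj["CKA_LABEL"]: obj.get("CKA_TRUST_SERVER_AUTH")
        for obj in parse_certdata(text)
        if obj.get("CKA_CLASS") == "CKO_NSS_TRUST" and "CKA_LABEL" in obj
    }


def tls_trust_status(trust, label):
    """'trusted', 'distrusted' or 'absent' for one root label.

    'absent' is the situation in the thread: a root that is simply not in the
    store, which a scanner reports as an untrusted or self-signed chain.
    """
    if label not in trust:
        return "absent"
    return "trusted" if trust[label] == TRUSTED else "distrusted"


def find_labels(trust, needle):
    """Case-insensitive substring search over root labels, e.g. 'entrust'."""
    return sorted(l for l in trust if needle.lower() in l.lower())


# Constructed excerpt in certdata.txt syntax (not the real file); labels are
# fictitious and the octal blobs are truncated to a few bytes.
SAMPLE_CERTDATA = r"""
BEGINDATA

# Certificate "Example Public Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Public Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\276\061
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\033
END

# Trust for "Example Public Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Public Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\263\033\226\072
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Trust for "Example Distrusted Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""


if __name__ == "__main__":
    # Usage: python certdata_trust.py certdata.txt entrust
    # With no arguments the constructed sample is searched for "example".
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            text, needle = f.read(), sys.argv[2]
    else:
        text, needle = SAMPLE_CERTDATA, "example"
    trust = server_auth_trust(text)
    for label in find_labels(trust, needle):
        print(f"{tls_trust_status(trust, label):10s} {label}")
```

Run it against the real file from the URL quoted in the thread (download it with curl, then `python certdata_trust.py certdata.txt entrust`) and the output lists only the Entrust roots the store carries, each with its server-auth status; a root that never appears is "absent", which is a different condition from being distrusted and is what a scanner that uses this store reports as an untrusted chain. A label match is only a first cut: the decisive comparison is the SHA-1 fingerprint of the DER root in your chain against the CKA_CERT_SHA1_HASH bytes the parser already exposes on each trust object.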
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy