On Mon, Nov 25, 2019 at 7:10 AM Bowen, James E. <james.bo...@va.gov> wrote:

> DHS is only using Mozilla’s trust store for determining trust.  They are
> not using a government-based trust store.
>
> We talked to Entrust last week.  Entrust was creating certificates with “
> entrust.net” as the old way.  Recently, Entrust has been generating
> certificates with “entrust.com” as their current and preferred method.
>
> We want to get the entrust.com domain added to Mozilla’s trust store, so
> DHS scans don’t come back with false positives.  What is the process of
> getting entrust.com added to Mozilla’s trust base?
>

The Mozilla trust list is not based on domains; rather, it is based on
specific CAs, which are identified by the Issuer Name + Public key.  Mozilla
(and presumably DHS) do follow chains of certificates, so if the direct
issuer is certified by a trusted CA, then the certificate is trusted.

If you provide the full issuer name for the certificate you are referring
to, then it might be possible to determine if you are actually on a
government-only certificate or if you have some other issue.

Thanks,
Peter




>
> *From:* Peter Bowen <pzbo...@gmail.com>
> *Sent:* Saturday, November 23, 2019 7:24 PM
> *To:* O'Donnell, Derek <Derek.O'donn...@va.gov>
> *Cc:* dev-security-policy@lists.mozilla.org; Bowen, James E. <
> james.bo...@va.gov>
> *Subject:* [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS
>
> On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> We have a customer at the VA who uses an Entrust root:
> Issuer   Entrust
>
> AIA:
> http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c
>
> They are repeatedly flagged by DHS for not using a trusted certificate and
> using a self-signed certificate.  DHS uses Mozilla Trust Store.
>
> Taking a look at the following file:
>
> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt,
> we can see that everything pertaining to Entrust ends in .NET.
>
> The Entrust CA our customer uses ends in .COM.  Both extensions are the same
> thing.  How can we have the .COM certificate added globally to Mozilla's
> Trust Store?  This will resolve the issues being reported by DHS for us.
> Any help on this would be greatly appreciated.
>
>
> Hi Derek,
>
> Entrust Datacard runs a number of different CAs.  The various CAs are
> intended for various purposes.
>
> The CA you are using is intended for government-only applications.  The
> CAs that are included in the Mozilla Trust Store are intended for citizen
> or business-facing applications.  It sounds like DHS is recommending that
> you use a certificate that is designed for citizen or business-facing
> applications.  I would talk to Entrust Datacard or another CA in the
> Mozilla Trust Store to see about getting a new certificate.
>
> Thanks,
>
> Peter
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
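Peter's point about how a trust store works (trust attaches to a specific root certificate, identified by its name and key, and a leaf is trusted only if a chain can be built from it through its issuers to such a root) can be seen directly in code. The program below is an added illustration, not part of the thread and not code from Mozilla, NSS, Entrust or DHS. It uses only Go's standard crypto/x509 package to mint a hypothetical hierarchy in memory (every organization, CA name and hostname in it is made up): a "public" root with an issuing intermediate, a separate "government-only" root run by the same hypothetical operator, and a third root that copies the public root's subject name but has a different key pair. It then runs a browser-style verification of each leaf against a trust store that holds only the public root. The domain strings in the names play no role; what decides the outcome is whether the chain ends at the exact root certificate in the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs on its behalf.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a key pair and a certificate for cn, signed by parent (self-signed when parent is
// nil). CA certs get CA:TRUE and keyCertSign, which chain building requires. Fixture code: panics on failure.
func issue(org, cn string, isCA bool, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA { // end-entity: signing key usage and the hostname as a DNS SAN
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert, key}
}

// Hierarchy is the constructed, hypothetical certificate set; no real CA is involved.
type Hierarchy struct {
	PublicRoot, Intermediate, PublicLeaf, GovRoot, GovLeaf, LookalikeRoot *x509.Certificate
}

// Build mints a public-facing root with an issuing CA, a government-only root run by the
// same operator, and a root that copies the public root's subject name with its own key.
func Build() *Hierarchy {
	const op = "Example CA Inc"
	pubRoot := issue(op, "Example Public Root CA", true, nil)
	inter := issue(op, "Example Public Issuing CA", true, pubRoot)
	leaf := issue("Example Agency", "www.example.gov", false, inter)
	govRoot := issue(op, "Example Government-Only Root CA", true, nil)
	govLeaf := issue("Example Agency", "www.example.gov", false, govRoot)
	lookalike := issue(op, "Example Public Root CA", true, nil)
	return &Hierarchy{pubRoot.cert, inter.cert, leaf.cert, govRoot.cert, govLeaf.cert, lookalike.cert}
}

// Verify does what a browser or scanner does: walk from the leaf through the intermediates to
// the trusted root, matched by issuer name and then by signature against that root's public key.
func Verify(leaf *x509.Certificate, host string, trusted *x509.Certificate, intermediates ...*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted) // a real store holds many roots; one is enough here
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	h := Build()
	c1, e1 := Verify(h.PublicLeaf, "www.example.gov", h.PublicRoot, h.Intermediate)
	fmt.Println("public-facing cert, public root in store:      ", c1, e1)
	c2, e2 := Verify(h.GovLeaf, "www.example.gov", h.PublicRoot)
	fmt.Println("government-only cert, public root in store:    ", c2, e2)
	c3, e3 := Verify(h.PublicLeaf, "www.example.gov", h.LookalikeRoot, h.Intermediate)
	fmt.Println("public-facing cert, same-named root, other key:", c3, e3)
}
```

Run it with `go run`. Only the first case produces a chain (leaf, issuing CA, public root); the second fails because the government-only root is simply not in the store, even though the same hypothetical operator runs it, and the third fails because a root with an identical subject name but a different key cannot validate the intermediate's signature. The same logic applies to a scanner that validates against a public root program's list: the fix on the server side is a certificate that chains to a root actually in that list, not a change to the name strings in the certificates.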
