On Mon, Nov 25, 2019 at 7:10 AM Bowen, James E. <[email protected]> wrote:
> DHS is only using Mozilla's trust store for determining trust. They are
> not using a government-based trust store.
>
> We talked to Entrust last week. Entrust was creating certificates with
> "entrust.net" as the old way. Recently, Entrust has been generating
> certificates with "entrust.com" as their current and preferred method.
>
> We want to get the entrust.com domain added to Mozilla's trust store, so
> DHS scans don't come back with false positives. What is the process of
> getting entrust.com added to Mozilla's trust base??

The Mozilla trust list is not based on domains, rather it is based on
specific CAs which are identified by the Issuer Name + Public key. Mozilla
(and presumably DHS) do follow chains of certificates, so if the direct
issuer is certified by a trusted CA, then the certificate is trusted.

If you provide the full issuer name for the certificate you are referring
to, then it might be possible to determine if you are actually on a
government-only certificate or if you have some other issue.

Thanks,
Peter

> *From:* Peter Bowen <[email protected]>
> *Sent:* Saturday, November 23, 2019 7:24 PM
> *To:* O'Donnell, Derek <Derek.O'[email protected]>
> *Cc:* [email protected]; Bowen, James E. <[email protected]>
> *Subject:* [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS
>
> On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy
> <[email protected]> wrote:
>
> > We have a customer at the VA who uses an Entrust root:
> > Issuer Entrust
> >
> > AIA:
> > http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c
> >
> > They are repeatedly flagged by DHS for not using a trusted certificate
> > and using a self-signed certificate. DHS uses Mozilla Trust Store.
> >
> > Taking a look at the following file:
> > https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt,
> > we can see that everything pertaining to Entrust ends in .NET.
> >
> > The Entrust CA our customer uses ends in .COM. Both extensions are the
> > same thing. How can we have the .COM certificate added Globally to
> > Mozilla's Trust Store? This will resolve the issues being reported by
> > DHS for us. Any help on this would be greatly appreciated.
>
> Hi Derek,
>
> Entrust Datacard runs a number of different CAs. The various CAs are
> intended for various purposes.
>
> The CA you are using is intended for government-only applications. The
> CAs that are included in the Mozilla Trust Store are intended for citizen
> or business-facing applications. It sounds like DHS is recommending that
> you use a certificate that is designed for citizen or business-facing
> applications. I would talk to Entrust Datacard or another CA in the
> Mozilla Trust Store to see about getting a new certificate.
>
> Thanks,
> Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
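As an added illustration of the point made in the thread, here is example code written for this page (not part of the mailing-list discussion and not NSS's own code): a small parser for the certdata.txt layout that Derek linked. It shows that each root-store entry is a CKO_CERTIFICATE object plus a CKO_NSS_TRUST object keyed on the CA's label, issuer DN and serial number, with a separate trust flag per purpose (server auth, e-mail, code signing); there is no field for a DNS domain, so a name such as "entrust.com" is never what gets trusted. The embedded store is constructed, its octal byte strings are placeholders rather than real DER, and the "Example ..." labels are invented.

```python
"""Minimal reader for NSS certdata.txt-style objects (added example).

The sample store below is constructed for this illustration: the octal
byte strings are placeholders, not real DER, and the labels are invented.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the certdata.txt layout: one CA trusted as a
# server-auth anchor and one explicitly distrusted for every purpose.
SAMPLE_CERTDATA = r'''
#
# Certificate "Example Root CA"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\015\061\013
END
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA"
CKA_ISSUER MULTILINE_OCTAL
\060\015\061\013
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Trust for "Example Distrusted CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_ISSUER MULTILINE_OCTAL
\060\016\061\014
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
'''

OCTAL_RE = re.compile(r"\\([0-7]{3})")


def decode_octal(lines: List[str]) -> bytes:
    """Turn the \\NNN escapes of a MULTILINE_OCTAL block into raw bytes."""
    return bytes(int(m, 8) for line in lines for m in OCTAL_RE.findall(line))


def parse_certdata(text: str) -> List[Dict[str, object]]:
    """Return one attribute dict per object; a new object starts at CKA_CLASS."""
    objects: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1]
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before first CKA_CLASS")
        if typ == "MULTILINE_OCTAL":
            block: List[str] = []
            while i < len(lines) and lines[i].strip() != "END":
                block.append(lines[i])
                i += 1
            i += 1  # consume the END marker
            current[attr] = decode_octal(block)
        elif typ == "UTF8":
            current[attr] = parts[2].strip('"')
        else:
            current[attr] = parts[2]
    return objects


def trusted_delegators(objects, purpose: str = "CKA_TRUST_SERVER_AUTH") -> List[str]:
    """Labels of CAs whose trust object makes them an anchor for this purpose."""
    return [str(o["CKA_LABEL"]) for o in objects
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and o.get(purpose) == "CKT_NSS_TRUSTED_DELEGATOR"]


def find_trust(objects, issuer_der: bytes, serial_der: bytes):
    """Locate a trust record the way the store is keyed: issuer DN + serial."""
    for o in objects:
        if (o.get("CKA_CLASS") == "CKO_NSS_TRUST"
                and o.get("CKA_ISSUER") == issuer_der
                and o.get("CKA_SERIAL_NUMBER") == serial_der):
            return o
    return None


if __name__ == "__main__":
    objs = parse_certdata(SAMPLE_CERTDATA)
    print("server-auth anchors:", trusted_delegators(objs))
    print("code-signing anchors:", trusted_delegators(objs, "CKA_TRUST_CODE_SIGNING"))
```

Run against the real file from hg.mozilla.org, `trusted_delegators` lists the server-auth anchors by label, and `find_trust` answers the question Peter asks for: given a certificate's issuer DN and serial, is there a trust record for it at all, and with what flags. A label that happens to contain "Entrust" tells you nothing about which domains a CA may certify.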

