Peter,
DHS is only using Mozilla’s trust store for determining trust. They are not using a government-based trust store. We talked to Entrust last week. Entrust was creating certificates with “entrust.net” as the old way. Recently, Entrust has been generating certificates with “entrust.com” as their current and preferred method. We want to get the entrust.com domain added to Mozilla’s trust store, so DHS scans don’t come back with false positives. What is the process of getting entrust.com added to Mozilla’s trust base?? Regards, Jim Bowen (Contractor) Trusted Internet Connection (TIC) Gateway Operations Lead Veterans Affairs Network Security Operations Center (VA NSOC) 221 Butler Street | Building 511 | Martinsburg, WV 25405 304-262-7745 (Office) | 571-439-4434 (Mobile) Confidentiality Note: This e-mail is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Dissemination, distribution, or copying of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please notify the sender by reply e-mail, and destroy the original message and all copies. From: Peter Bowen <pzbo...@gmail.com> Sent: Saturday, November 23, 2019 7:24 PM To: O'Donnell, Derek <Derek.O'donn...@va.gov> Cc: dev-security-policy@lists.mozilla.org; Bowen, James E. <james.bo...@va.gov> Subject: [EXTERNAL] Re: INC8119596 Other | Entrust Certs and DHS On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: We have a customer at the VA who uses an Entrust root: Issuer Entrust AIA: http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c They are repeatedly flagged by DHS for not using a trusted certificate and using a self-signed certificate. DHS uses Mozilla Trust Store. Taking a look at the following file: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu <https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt> iltins/certdata.txt, we can see that everything pertaining to Entrust end in .NET. The Entrust CA our customer uses ends in .COM. Both extensions are the same thing. How can we have the .COM certificate added Globally to Mozilla's Trust Store? This will resolve the issues being reported by DHS for us. Any help on this would be greatly appreciated. Hi Derek, Entrust Datacard runs a number of different CAs. The various CAs are intended for various purposes. The CA you are using is intended for government-only applications. The CAs that are included in the Mozilla Trust Store are intended for citizen or business-facing applications. It sounds like DHS is recommending that you use a certificate that is designed for citizen or business-facing applications. I would talk to Entrust Datacard or another CA in the Mozilla Trust Store to see about getting a new certificate. Thanks, Peter
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
