Date: Tue, 27 Feb 2007 16:22:46 GMT
From: PauAmma <pauamma@gundo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/109609: security/ca-roots addition request
Message-ID: <200702271622.l1RGMkLO095148@www.freebsd.org>
Resent-Message-ID: <200702271630.l1RGU4cg023806@freefall.freebsd.org>
>Number: 109609
>Category: ports
>Synopsis: security/ca-roots addition request
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 27 16:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: PauAmma
>Release: N/A
>Organization: Ecdysiasts United For Overdressing
>Environment: N/A
>Description:
Please consider the following root certificates, issued by Comodo and
USERTrust / USERFirst, for addition to port security/ca-roots.

Disclaimer: I don't work for either Comodo or USERTrust / USERFirst, but
I'm a frequent user (and soon-to-be employee) of a weblog hosting company
using some of their root certificates.

URLs for Comodo root certificates and CRLs:
- http://www.comodo.com/repository/AAACertificateServices.cer or
  http://www.instantssl.com/ssl-certificate-support/certs/AAACertificateServices.crt
  CRL: http://crl.comodo.net/AAACertificateServices.crl
- http://www.comodo.com/repository/SecureCertificateServices.cer or
  http://www.instantssl.com/ssl-certificate-support/certs/SecureCertificateServices.crt
  CRL: http://crl.comodo.net/SecureCertificateServices.crl
- http://www.comodo.com/repository/TrustedCertificateServices.cer or
  http://www.instantssl.com/ssl-certificate-support/certs/TrustedCertificateServices.crt
  CRL: http://crl.comodo.net/TrustedCertificateServices.crl

The certificate URLs ending in .crt are sent as MIME type
application/x-x509-ca-cert and the .cer ones (incorrectly) as
chemical/x-cerius, but their raw content is the same.
The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently
to placate Mozilla. (I'm not sure whether or how much it matters, but I
wanted to mention it in case it does.)

URLs for USERTrust / USERFirst root certificates and CRLs:
- http://www.usertrust.com/cacerts/UTN-USERFirst-ClientAuthenticationandEmail.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Hardware.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
- http://www.usertrust.com/cacerts/UTN-DataCorpSGC.crt
  CRL: http://crl.usertrust.com/UTN-DATACorpSGC.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Object.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-Object.crl

The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently
to placate Mozilla. (I'm not sure whether or how much it matters, but I
wanted to mention it in case it does.)
Note that the first and last certificates are for other uses than SSL
(S/MIME and object signing, respectively). If security/ca-roots is for SSL
certificates only, feel free to ignore them.

Comodo and USERTrust / USERFirst policy and practice statements, and audit
reports:
- http://www.comodo.com/repository/Comodo_WT_CPS.pdf:
  Comodo Certification Practice Statement, Version 2.1, 16 April 2003
- http://www.comodo.com/repository/cps_amendments.pdf:
  Proposed Amendments to CPS Ver. 2.1, 11 May 2004
- http://www.comodo.com/repository/index.html:
  Other documents
- https://cert.webtrust.org/SealFile?seal=212&file=pdf:
  WebTrust Audit Report and Management Assertions
- http://www.usertrust.com/Library/USERTrust%20CPS%20November%2001%2C%202000.pdf:
  Certificate Practices Statement Of Universal Secured Encryption
  Repository Company ("USERFirst"), A Non-Profit Corporation Serving as the
  Certification Authority, Recognized Repository, and Repository Archive of
  the USERTRUST Network L.L.C. Public Key Infrastructure (UTN PKI),
  Version 5, Amended November 1, 2000
- http://www.usertrust.com/library_legaldocs.aspx:
  Other documents (also redirected from http://www.usertrust.com/cps)

(Note that USERTrust/USERFirst was acquired by Comodo, and that Comodo
audit reports also apply to it.)

In case these are applicable:
- https://bugzilla.mozilla.org/show_bug.cgi?id=242610 (for USERTrust) and
  https://bugzilla.mozilla.org/show_bug.cgi?id=249710 (for Comodo) are the
  addition requests they filed with Mozilla a few years ago.
- http://hecker.org/mozilla/ca-certificate-list is the list of standard CAs
  in Mozilla software, with links to supporting documents.
>How-To-Repeat:
- Install port security/ca-roots
- Attempt to validate certificates used by
  https://www.livejournal.com/login.bml
>Fix:
Add root certificates listed above
>Release-Note:
>Audit-Trail:
>Unformatted: