Message-Id: <200702271622.l1RGMkLO095148@www.freebsd.org>
Date: Tue, 27 Feb 2007 16:22:46 GMT
From: PauAmma
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/109609: security/ca-roots addition request

>Number: 109609
>Category: ports
>Synopsis: security/ca-roots addition request
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 27 16:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: PauAmma
>Release: N/A
>Organization: Ecdysiasts United For Overdressing
>Environment: N/A
>Description:
Please consider the following root certificates, issued by Comodo and USERTrust / USERFirst, for addition to port security/ca-roots.

Disclaimer: I don't work for either Comodo or USERTrust / USERFirst, but I'm a frequent user (and soon-to-be employee) of a weblog hosting company using some of their root certificates.
URLs for Comodo root certificates and CRLs:
- http://www.comodo.com/repository/AAACertificateServices.cer
  or http://www.instantssl.com/ssl-certificate-support/certs/AAACertificateServices.crt
  CRL: http://crl.comodo.net/AAACertificateServices.crl
- http://www.comodo.com/repository/SecureCertificateServices.cer
  or http://www.instantssl.com/ssl-certificate-support/certs/SecureCertificateServices.crt
  CRL: http://crl.comodo.net/SecureCertificateServices.crl
- http://www.comodo.com/repository/TrustedCertificateServices.cer
  or http://www.instantssl.com/ssl-certificate-support/certs/TrustedCertificateServices.crt
  CRL: http://crl.comodo.net/TrustedCertificateServices.crl

The certificate URLs ending in .crt are sent as MIME type application/x-x509-ca-cert and the .cer ones (incorrectly) as chemical/x-cerius, but their raw content is the same. The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.)

URLs for USERTrust / USERFirst root certificates and CRLs:
- http://www.usertrust.com/cacerts/UTN-USERFirst-ClientAuthenticationandEmail.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Hardware.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
- http://www.usertrust.com/cacerts/UTN-DataCorpSGC.crt
  CRL: http://crl.usertrust.com/UTN-DATACorpSGC.crl
- http://www.usertrust.com/cacerts/UTN-USERFirst-Object.crt
  CRL: http://crl.usertrust.com/UTN-USERFirst-Object.crl

The CRLs are application/x-pkcs7-crl, not application/pkix-crl, apparently to placate Mozilla. (I'm not sure whether or how much it matters, but I wanted to mention it in case it does.)

Note that the first and last certificates are for other uses than SSL (S/MIME and object signing, respectively). If security/ca-roots is for SSL certificates only, feel free to ignore them.
Comodo and USERTrust / USERFirst policy and practice statements, and audit reports:
- http://www.comodo.com/repository/Comodo_WT_CPS.pdf: Comodo Certification Practice Statement, Version 2.1, 16 April 2003
- http://www.comodo.com/repository/cps_amendments.pdf: Proposed Amendments to CPS Ver. 2.1, 11 May 2004
- http://www.comodo.com/repository/index.html: Other documents
- https://cert.webtrust.org/SealFile?seal=212&file=pdf: WebTrust Audit Report and Management Assertions
- http://www.usertrust.com/Library/USERTrust%20CPS%20November%2001%2C%202000.pdf: Certificate Practices Statement Of Universal Secured Encryption Repository Company ("USERFirst"), A Non-Profit Corporation Serving as the Certification Authority, Recognized Repository, and Repository Archive of the USERTRUST Network L.L.C. Public Key Infrastructure (UTN PKI), Version 5, Amended November 1, 2000
- http://www.usertrust.com/library_legaldocs.aspx: Other documents (also redirected from http://www.usertrust.com/cps)

(Note that USERTrust/USERFirst was acquired by Comodo, and that Comodo audit reports also apply to it.)

In case these are applicable:
- https://bugzilla.mozilla.org/show_bug.cgi?id=242610 (for USERTrust) and https://bugzilla.mozilla.org/show_bug.cgi?id=249710 (for Comodo) are the addition requests they filed with Mozilla a few years ago.
- http://hecker.org/mozilla/ca-certificate-list is the list of standard CAs in Mozilla software, with links to supporting documents.
>How-To-Repeat:
- Install port security/ca-roots
- Attempt to validate certificates used by https://www.livejournal.com/login.bml
>Fix:
Add root certificates listed above
>Release-Note:
>Audit-Trail:
>Unformatted:
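
Added example, not part of the original report or of the security/ca-roots port: one way a maintainer could confirm that copies of a root certificate fetched from two URLs are byte-identical regardless of the Content-Type they were served with, as the report says of the .crt and .cer copies. The URLs and certificate bytes are constructed placeholders, and `compare_downloads` is a hypothetical helper name.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# Content-Type values that denote an X.509 certificate.
CERT_TYPES = {"application/x-x509-ca-cert", "application/pkix-cert"}

def to_der(body: bytes) -> bytes:
    """Normalise a download to DER, whether it arrived as PEM or raw DER."""
    m = PEM_RE.search(body)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if body[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("neither PEM nor DER certificate data")
    return body

def compare_downloads(downloads):
    """Group (url, content_type, body) tuples by SHA-256 of the DER bytes.

    Returns (groups, mislabeled): groups maps fingerprint -> [urls];
    mislabeled lists URLs served with a non-certificate Content-Type.
    """
    groups, mislabeled = {}, []
    for url, ctype, body in downloads:
        fp = hashlib.sha256(to_der(body)).hexdigest()
        groups.setdefault(fp, []).append(url)
        if ctype.split(";")[0].strip().lower() not in CERT_TYPES:
            mislabeled.append(url)
    return groups, mislabeled

# Constructed sample: placeholder bytes shaped like DER, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Hypothetical URLs; the two Content-Type values are the ones the report mentions.
SAMPLE_DOWNLOADS = [
    ("http://ca.example.invalid/root.crt", "application/x-x509-ca-cert", SAMPLE_PEM),
    ("http://ca.example.invalid/root.cer", "chemical/x-cerius", SAMPLE_DER),
]

if __name__ == "__main__":
    groups, mislabeled = compare_downloads(SAMPLE_DOWNLOADS)
    print("identical" if len(groups) == 1 else "MISMATCH", groups)
    print("served with unexpected Content-Type:", mislabeled)
```

More than one fingerprint group means the copies differ and none of them should go into a trust bundle until the discrepancy is explained; a mislabeled Content-Type alone does not change the certificate's identity.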