Actalis has applied to enable EV treatment for the “Actalis
Authentication Root CA” root certificate that was included in NSS via
bug #520557.
Actalis is a public CA offering PKI services to a wide number of
customers, mainly banks and local government. Actalis is a Qualified
certification service provider according to the EU Signature Directive
(Directive 1999/93/EC). Actalis designs, develops, delivers and manages
services and solutions for on-line security, digital signatures and
document certification; develops and offers PKI-enabling components,
supplies complete digital signature and strong authentication kits
(including hardware and software), delivers ICT security consultancy and
training.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=957548
And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8382446
Noteworthy points:
* The primary documents are the CPS for SSL and Code Signing Certs
provided in both English and Italian.
http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali
CPS for SSL and Code Signing Certs (English):
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.5_EN.pdf
* CA Hierarchy: The Actalis Authentication Root CA currently has one
subordinate CA that is internally-operated.
* The websites and code signing trust bits are enabled for this root.
This request is to enable EV treatment.
** CPS section 1.3.3: Certificate Owners or Subscribers are
organizations or agencies requesting an SSL Server certificate or Code
Signing certificate and holding the corresponding private key. …
Actalis issues certificates to following types of organizations: Private
Organization, Government Entity … In all cases the certificate Owner
shall be an organization, not a natural person.
** CPS section 3.2.2 and 3.2.3 describe authentication of organization
and individual identity.
** CPS section 3.3.1: For SSL Server certificates, the CA verifies that
all Internet domains and IP addresses to be included in the certificate
are under the direct control of the applicant organization. These checks
are carried out through WHOIS queries and/or reverse DNS lookups, or by
querying the relevant governmental domain registration agencies, as
appropriate. Should one or more of those domains and/or IP addresses be
managed by an entity other than the applicant, this latter is required
to provide evidence to the CA that they have been formally delegated by
the legitimate owner to manage those domains and/or IP addresses.
** CPS section 3.3.2: For EV-class certificates
For private organizations, the CA also collects and evaluates the
following information:
- address of registered office
- starting date of organization’s activity
- business purpose (objects)
- board members
- proprietor(s) or shareholders
- transfers of property or shares
- powers and representatives
- protests, insolvency or other negative facts
For government entities, the CA also collects and evaluates the
following information:
- address of main office
- names and roles of top managers
In both cases, the CA verifies that the certificate application was
authorized by a manager of the applicant with adequate powers of attorney.
The CA also verifies that all the address components (country,
stateOrProvince, locality, streetAddress) to be included in the
certificate match the address where the registered office of the
applicant organization is actually located.
All the above checks are carried out by querying the relevant chamber of
commerce database (for private organizations) or the appropriate
governmental database (for governmental entities).
* EV Policy OID: 1.3.159.1.17.1
* Test Website: https://ssltest-a.actalis.it:8443
* OCSP
http://portal.actalis.it/VA/AUTH-ROOT
http://ocsp03.actalis.it/VA/AUTH-G2
OCSP responses have an expiration time of 1 day
* Audit: Annual audits are performed by IMQ (http://www.imq.it/)
according to the ETSI TS 102 042 criteria, V2.2.1 with reference to EV
Guidelines v1.3.
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf
(2013.10.18)
In the audit statement: “During the Certification Authority audit it was
also verified that the above-mentioned certification services meet the
requirements of the following specification: “Baseline Requirements for
the Issuance and Management of Publicly-Trusted Certificates”, v.1.1…”
* Potentially Problematic Practices – None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
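As an added illustration (not part of this post or of any Actalis or Mozilla code), the following Python decodes a DER certificatePolicies extension value with a minimal hand-written parser and applies the root-plus-policy-OID rule a client uses to grant EV treatment: the leaf must carry the EV OID listed above (1.3.159.1.17.1) and the chain must end in the root that OID is registered for. The EV_TABLE, the sample extension bytes and all helper names are constructed for this example.

```python
# Added example: decide EV treatment from a DER certificatePolicies value.
# Pure Python, no dependencies; the DER parser handles only what the
# certificatePolicies structure needs (SEQUENCE and OID, definite lengths).

ACTALIS_EV_OID = "1.3.159.1.17.1"  # EV policy OID from the request above

# Hypothetical EV table as a client keeps it: root CA name -> EV policy OIDs.
EV_TABLE = {"Actalis Authentication Root CA": {ACTALIS_EV_OID}}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content octets into dotted notation."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                   # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Extract every policyIdentifier from a certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)          # PolicyInformation
        assert tag == 0x30
        oid_tag, oid, _ = _read_tlv(info, 0)          # policyIdentifier
        assert oid_tag == 0x06
        oids.append(decode_oid(oid))
    return oids

def ev_treatment(root_name, ext_value):
    """True only if the root is EV-enabled AND the leaf carries its EV OID."""
    return bool(EV_TABLE.get(root_name, set()) & set(policy_oids(ext_value)))

# Constructed extension values: one PolicyInformation each.
SAMPLE_EV = bytes.fromhex("300a300806062b811f011101")  # 1.3.159.1.17.1
SAMPLE_OV = bytes.fromhex("300a3008060667810c010202")  # 2.23.140.1.2.2 (OV)
```

A leaf carrying the EV OID but chaining to a root without an EV entry, or chaining to the Actalis root with only the OV policy, gets ordinary (non-EV) treatment.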
This begins the discussion of the request from Actalis to enable EV
treatment for the “Actalis Authentication Root CA” root certificate. At
the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy