Actalis has applied to enable EV treatment for the “Actalis Authentication Root CA” root certificate that was included in NSS via bug #520557.

Actalis is a public CA offering PKI services to a large number of customers, mainly banks and local government. Actalis is a Qualified certification service provider according to the EU Signature Directive (Directive 1999/93/EC). Actalis designs, develops, delivers and manages services and solutions for on-line security, digital signatures and document certification; develops and offers PKI-enabling components; supplies complete digital signature and strong authentication kits (including hardware and software); and delivers ICT security consultancy and training.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=957548

And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8382446

Noteworthy points:

* The primary documents are the CPS for SSL and Code Signing Certs provided in both English and Italian.

http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali

CPS for SSL and Code Signing Certs (English):
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.5_EN.pdf

* CA Hierarchy: The Actalis Authentication Root CA currently has one subordinate CA that is internally-operated.

* The websites and code signing trust bits are enabled for this root. This request is to enable EV treatment.

** CPS section 1.3.3: Certificate Owners or Subscribers are organizations or agencies requesting an SSL Server certificate or Code Signing certificate and holding the corresponding private key. … Actalis issues certificates to following types of organizations: Private Organization, Government Entity … In all cases the certificate Owner shall be an organization, not a natural person.

** CPS section 3.2.2 and 3.2.3 describe authentication of organization and individual identity.

** CPS section 3.3.1: For SSL Server certificates, the CA verifies that all Internet domains and IP addresses to be included in the certificate are under the direct control of the applicant organization. These checks are carried out through WHOIS queries and/or reverse DNS lookups, or by querying the relevant governmental domain registration agencies, as appropriate. Should one or more of those domains and/or IP addresses be managed by an entity other than the applicant, this latter is required to provide evidence to the CA that they have been formally delegated by the legitimate owner to manage those domains and/or IP addresses.

** CPS section 3.3.2 For EV-class certificates
For private organizations, the CA also collects and evaluates the following information:
- address of registered office
- starting date of organization’s activity
- business purpose (objects)
- board members
- proprietor(s) or shareholders
- transfers of property or shares
- powers and representatives
- protests, insolvency or other negative facts
For government entities, the CA also collects and evaluates the following information:
- address of main office
- names and roles of top managers
In both cases, the CA verifies that the certificate application was authorized by a manager of the applicant with adequate powers of attorney. The CA also verifies that all the address components (country, stateOrProvince, locality, streetAddress) to be included in the certificate match the address where the registered office of the applicant organization is actually located. All the above checks are carried out by querying the relevant chamber of commerce database (for private organizations) or the appropriate governmental database (for governmental entities).

* EV Policy OID: 1.3.159.1.17.1

* Test Website: https://ssltest-a.actalis.it:8443

* OCSP
http://portal.actalis.it/VA/AUTH-ROOT
http://ocsp03.actalis.it/VA/AUTH-G2
OCSP responses have an expiration time of 1 day

* Audit: Annual audits are performed by IMQ (http://www.imq.it/) according to the ETSI TS 102 042 criteria, V2.2.1 with reference to EV Guidelines v1.3. http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf (2013.10.18) In the audit statement: “During the Certification Authority audit it was also verified that the above-mentioned certification services meet the requirements of the following specification: “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates”, v.1.1…”

* Potentially Problematic Practices – None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from Actalis to enable EV treatment for the “Actalis Authentication Root CA” root certificate. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
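As an added illustration of what the EV policy OID listed above looks like inside a certificate, the following example code was written for this page; it is not code from Actalis or from Mozilla's NSS/PSM. It DER-encodes the dotted OID 1.3.159.1.17.1, decodes it back, and walks a certificatePolicies extension value to see whether that OID is asserted, which is the match a browser makes between the end-entity certificate's policy and the EV OID registered for the root. The sample extension bytes, the CPS URI and the second policy OID 1.2.3.4 are constructed for the example.

```python
"""Added example: DER encoding of the Actalis EV policy OID and a byte-level
check for it in a certificatePolicies extension value (RFC 5280 section
4.2.1.4). Standard library only; all sample data below is constructed."""

EV_POLICY_OID = "1.3.159.1.17.1"   # EV policy OID from the request


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID %r" % dotted)
    body = bytearray()
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        # base-128 with the high bit set on every byte except the last one,
        # so 159 becomes 0x81 0x1F while 17 stays a single byte 0x11
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 0x80:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_arcs(body: bytes) -> str:
    arcs, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated OID body")
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER back to dotted form."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x06 or end != len(der):
        raise ValueError("not a single DER OBJECT IDENTIFIER")
    return _decode_arcs(body)


def policy_oids(cert_policies_der: bytes) -> list:
    """Return every policyIdentifier in a certificatePolicies extension value:
    SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }."""
    tag, outer, end = _read_tlv(cert_policies_der, 0)
    if tag != 0x30 or end != len(cert_policies_der):
        raise ValueError("certificatePolicies must be one SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_body, _ = _read_tlv(info, 0)   # qualifiers, if any, are ignored
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(_decode_arcs(oid_body))
    return oids


def has_ev_policy(cert_policies_der: bytes, ev_oid: str = EV_POLICY_OID) -> bool:
    return ev_oid in policy_oids(cert_policies_der)


def _seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body      # short-form length; samples are small


# Constructed sample: the EV policy with a CPS-pointer qualifier (id-qt-cps =
# 1.3.6.1.5.5.7.2.1, IA5String URI), followed by an unrelated made-up policy.
SAMPLE_EV_POLICIES = _seq(
    _seq(encode_oid(EV_POLICY_OID),
         _seq(_seq(encode_oid("1.3.6.1.5.5.7.2.1"),
                   b"\x16\x1b" + b"https://example.invalid/cps"))),
    _seq(encode_oid("1.2.3.4")),
)
SAMPLE_OTHER_POLICIES = _seq(_seq(encode_oid("1.2.3.4")))

if __name__ == "__main__":
    print(encode_oid(EV_POLICY_OID).hex())            # 06062b811f011101
    print(policy_oids(SAMPLE_EV_POLICIES))            # ['1.3.159.1.17.1', '1.2.3.4']
    print(has_ev_policy(SAMPLE_OTHER_POLICIES))       # False
```

To run this against a real certificate you would feed `policy_oids` the value bytes of the 2.5.29.32 extension taken from a parsed certificate; the encoded form `06 06 2b 81 1f 01 11 01` is also what to grep for in a hex dump of a certificate issued under this root.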
