SECOM has applied to enable EV treatment for the "Security Communication
RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.
SECOM is a Japanese commercial CA that provides SSL and client
certificates for e-Government and participates in several projects for
financial institutions to secure their online transactions.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1096205
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8641274
Noteworthy points:
* Documents are in Japanese. Translations of some sections are attached
to the bug.
Document Repository: https://repository.secomtrust.net/SC-Root2/index.html
CP: https://repo1.secomtrust.net/spcpp/pfw/pfwevca/PfWEVCA-CP.pdf
CPS: https://repository.secomtrust.net/SC-Root/SCRootCPS.pdf
SubCA CP: https://repository.secomtrust.net/SC-Root/SCRootCP1.pdf
non-EV SSL CP:
https://repo1.secomtrust.net/spcpp/pfw/pfwsr2ca/PfWSR2CA-CP.pdf
SSL Verification Procedures:
https://www.secomtrust.net/service/pfw/apply/ev/1_3.html
English Translations:
https://bug1096205.bugzilla.mozilla.org/attachment.cgi?id=8573613
* CA Hierarchy
This root certificate has subordinate CAs which sign end-entity
certificates for SSL, EV SSL, email (S/MIME), and code signing.
Intermediate CAs are available here:
https://www.secomtrust.net/service/pfw/apply/sr/3_2.html
https://www.secomtrust.net/service/pfw/apply/ev/3_2.html
There is only one (internally-operated) subordinate CA that can issue EV
certs, namely "SECOM Passport for Web EV 2.0 CA".
Externally-operated subCAs are not allowed to issue EV certs.
There is currently one externally-operated subCA, Fuji Xerox. SECOM is
migrating this subCA to be internally-operated by SECOM and be included
in SECOM's policy documentation and audit.
* All three trust bits are already enabled for this root certificate.
The request is to enable EV treatment.
** The procedure that SECOM follows to verify the domain owner is the
same for EV and non-EV SSL certificates. The only difference is that no
lawyer opinion letter is used for Non-EV SSL. Translations from section
4-2 of SECOM’s Verification Document describe the process by which Whois
is used to verify that the domain owner is the same as the certificate
subscriber company name.
** Translations from Security Communication RootCA Subordinate CA
Certificate Policy (SCRootCP1) and PfWEVCA-CP
3.2 Initial identification and authentication
3.2.1 Method to prove possession of private key
Possession of the private key by the applicant is proved as follows.
The applicant submits a Certificate Signing Request (CSR), and SECOM
verifies that the CSR is signed with the private key corresponding to
the public key contained in it. In addition, the fingerprint of the CSR
is checked to identify the owner of the public key.
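The check in 3.2.1 is mechanical, so it is worth seeing in code. The block below is an added example in Go and is not part of the original post or of SECOM's tooling: NewCSR plays the applicant (the key and subject are constructed), ProveKeyPossession plays the CA and accepts a CSR only if the signature on it verifies under the public key the CSR itself carries, and Fingerprint is the SHA-256 value that would be compared with the applicant out of band. TamperCSR is a constructed helper for the failure case: a request altered after signing still parses but no longer proves possession.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
)

// NewCSR plays the applicant: it generates a fresh P-256 key and signs a CSR for cn.
// Key, subject and SAN are constructed for this example.
func NewCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"Example Applicant K.K."}},
		DNSNames: []string{cn},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// ProveKeyPossession plays the CA side of 3.2.1: it parses the DER CSR and checks that
// the signature over the request body verifies under the public key the CSR carries.
// A request altered after signing, or signed with a key other than the one it presents,
// fails here.
func ProveKeyPossession(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	return csr, nil
}

// Fingerprint is the SHA-256 of the DER CSR, the value compared out of band with the
// applicant to tie the submitted request to the owner of the public key.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// TamperCSR swaps one byte string for another of the same length inside the DER, which
// keeps the structure parseable but invalidates the signature over the request body.
func TamperCSR(der []byte, oldCN, newCN string) []byte {
	return bytes.Replace(der, []byte(oldCN), []byte(newCN), 1)
}

func main() {
	_, der, err := NewCSR("www.example.test")
	if err != nil {
		panic(err)
	}
	csr, err := ProveKeyPossession(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s fingerprint(SHA-256)=%s\n", csr.Subject.CommonName, Fingerprint(der))
	_, err = ProveKeyPossession(TamperCSR(der, "www.example.test", "www.example.tesx"))
	fmt.Println("tampered CSR:", err)
}
```

The fingerprint is computed over the exact bytes the signature was checked on, so the two halves of the procedure (signature verification, then out-of-band fingerprint comparison) refer to the same object.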
3.2.2 Authentication of company
SECOM authenticates the applicant company as follows: by using official
documents from central or local government, databases provided by a QIIS
or QGIS, and other means that make an equal level of authentication
possible.
3.2.3 Authentication of individual
SECOM authenticates the applicant individual as follows: by using
official documents from central or local government, databases provided
by a QIIS or QGIS, and other means that make an equal level of
authentication possible.
3.2.4 Information of non verified certificate user
Not described.
3.2.5 Confirmation of the authority to apply
SECOM confirms that the applicant has the proper right to apply for the
certificate according to section 3.2 or 3.3 of this CP. If the
application is made by a third party, we request a letter of attorney.
* A third-party application means an application by someone other than
the company using the host name given in the common name of the
certificate, as described in section 3.1.1.
4.3.1 Procedures to issue certificate by CA
SECOM issues the certificate and prepares a certificate download site
that is available only to the applicant. The applicant uses a client
certificate or a one-time password, along with an access key, to reach
the download site.
** Notes from the discussion of the inclusion request
*** There are 2 types of organizations. One is the organization
registered in the QIIS, "Tokyo Shoko Research". The applicant
information is obtained from this reliable independent source. This is
much like an organizational credit reporting agency. Tokyo Shoko
Research (TSR) has been a member of the D&B Worldwide Network since 2005.
http://www.tsr-net.co.jp/en/outline.html
*** The other type is the organization not registered in the QIIS,
"Tokyo Shoko Research". In this case, SECOM requires the organization to
submit a "Certificate of seal impression". The "Certificate of seal
impression" is an official document issued by the local government and
only available to the representative of the organization. This is proof
of the real existence of the organization and that there is no identity
theft.
This is commonly referred to as a "chop". It can be viewed as the same
thing as what was formerly required in the US for corporations before a
lot of the corporate-procedure streamlining went into effect, the
"embossed seal" which was only available to the corporate secretary.
This chop is a traditional tool for business contracts in Japan.
The proof of the chop is referred to as a "Certificate of seal
impression". The "Certificate of seal impression" is issued by the Legal
Affairs Bureaus of the Ministry of Justice. This official document is
issued and available only to the representative of the organization.
This means that possessing this official document is proof of being the
representative of the applicant's organization and that there is no
identity theft.
*** In order to validate the authority of the representative, we make a
phone call to the organization using the telephone number from the
reliable independent source above, and ask the switchboard to transfer
us to the applicant's representative.
For those organizations not registered in the QIIS:
Instead of getting the information ourselves from the QIIS directly, we
obtain the Certificate of seal impression, which is an equally or more
reliable information source from the Legal Affairs Bureaus of the
Ministry of Justice. The certificate of seal impression is submitted to
us by the representative, because it is only available to the
representative of the organization. Possessing this official document is
proof of being the representative of the applicant's organization. The
watermarked surface of the official document lets us securely verify
that it is the original and that no copy or forgery of the document has
been made.
** Translations of Secom Passport for Web EV service verification
procedures
4-2 Verification of the domain owner
Using the Whois gateway (NIC domain reference function), we verify the
applied company name in the domain information (for the contents of the
CommonName) against the applicant (if a domain name use consent form is
submitted, it is the same as the domain owner).
Two points are checked for the exclusive right to use the domain.
For example, if the applied CN is "WWW.login.secom.co.jp":
(1) The applicant company, or a company in a parent/child relation with
the applicant company, owns "secom.co.jp".
(2) The applicant company, or a company in a parent/child relation with
the applicant company, owns "login.secom.co.jp".
To check for a parent/child relation, we use a QIIS or QGIS (EDINET).
If we cannot find it, we ask the applicant to change the WHOIS owner to
the same name as the applicant company.
If we cannot look up the owner at the Whois gateway, we ask the
applicant to register.
JP domain: http://whois.jprs.jp/
COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois
4-2-1 When the domain owner is different from the applicant company
In order to verify the exclusive ownership, we check one of the
documents below if the domain owner is a third party.
Domain name use consent form
Lawyer opinion letter
The points to be checked on the lawyer opinion letter are below.
(1) It states that the domain (secondary domain) is exclusively owned by
the applicant company. The domain name is described at item #5 of the
lawyer opinion letter.
(2) The lawyer who wrote the lawyer opinion letter really exists; this
is checked under "6. Check for the existence of the lawyer" for
supplementation.
** Translation from https://www.secomtrust.net/service/pfw/apply/ev/1_3.html
Check whether you are the owner of the domain.
If it ends with ".JP" - JPRS WHOIS (Japan Registry Services Co., Ltd.)
Other - InterNIC Whois Gateway (Network Solutions, Inc.)
If the domain's registration information is outdated or contains a
mistake, please contact the domain management company and change it to
the correct information.
If the domain information is set to private, please publish the domain
information.
** Translation from
https://www.secomtrust.net/service/pfw/apply/ev/sts_1.html
1. Site content / operator confirmation
Because the certificate proves the existence of the web site, SECOM
Trust Systems will check and review:
- The presence of the web site
- The existence of the organization that operates the web site
- That the requesting organization information, the certificate
issuance destination information (CSR information), and the organization
that operates the web site match
2. Confirmation of application information / domain information / trade name
Confirmation of domain information
We will confirm which organization owns the domain.
If a third party (other than the applicant organization) owns the
domain, documents are submitted in order to confirm consent with respect
to the use of the domain. In addition, we will check the existence of
the organization.
** Translations of Mail Authentication Service Verification Procedure
provided by SECOM
6. Procedure 4. Certificate information
Verify the DN information.
Whether or not there is a mistake in the DN information:
- Company name does not match
- Spelling mistake
- Domain name mistake
- A certificate was issued with the same DN before, except in the case
of renewal or reissue.
- Authentication by sending and receiving email.
If it is not possible to send or receive the email, we verify the
applied email address by making a phone call to the applicant company or
by other means.
7. Procedure 5. Verification of the domain owner
Using the Whois gateway (NIC domain reference function), we verify the
applied company name in the domain information (for the contents of the
CommonName) against the applicant (if a domain name use consent form is
submitted, it is the same as the domain owner).
JP domain: http://whois.jprs.jp/
COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois
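The two-point domain check of section 4-2 and the third-party route of 4-2-1, which Procedure 5 of the mail authentication service repeats, as an added example in Go. This is not SECOM's code, and nothing here queries a real WHOIS service: the public-suffix table, the WHOIS records, the parent/child relations and the consent form are constructed stand-ins for the JPRS/InterNIC lookups and the QIIS/QGIS (EDINET) check the text names. It generalises the text's single example to any CN by checking the registrable domain and the parent of the host label, and a subdomain delegated to a third party shows why the second check exists.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed, abbreviated public-suffix table; real code would load the full Public Suffix List.
var publicSuffixes = map[string]bool{
	"co.jp": true, "ne.jp": true, "or.jp": true, "jp": true,
	"com": true, "net": true, "org": true,
}

// CandidateNames returns the names whose WHOIS registrant 4-2 requires to be checked for a CN:
// the registrable domain ("secom.co.jp") and, when the CN sits more than one label below it,
// the parent of the host label ("login.secom.co.jp"). The text shows one level of depth; for
// deeper names this example assumes the immediate parent is the one to check.
func CandidateNames(cn string) ([]string, error) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(cn), "."), ".")
	reg := ""
	for i := range labels { // longest public suffix wins
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			if i == 0 {
				return nil, fmt.Errorf("%q is a public suffix, not a registrable domain", cn)
			}
			reg = strings.Join(labels[i-1:], ".")
			break
		}
	}
	if reg == "" {
		return nil, fmt.Errorf("no known public suffix in %q", cn)
	}
	names := []string{reg}
	if parent := strings.Join(labels[1:], "."); parent != reg && strings.HasSuffix(parent, "."+reg) {
		names = append(names, parent)
	}
	return names, nil
}

// Registry holds constructed stand-ins for the data sources the procedure names.
type Registry struct {
	WhoisOwner  map[string]string   // registrant per name, as the JPRS / InterNIC gateway would answer
	Group       map[string][]string // parent/child relations, as found in a QIIS or QGIS (EDINET)
	ConsentForm map[string]string   // name -> applicant holding a domain name use consent form (4-2-1)
}

func (r Registry) related(a, b string) bool {
	for _, c := range r.Group[a] {
		if c == b {
			return true
		}
	}
	for _, c := range r.Group[b] {
		if c == a {
			return true
		}
	}
	return false
}

// lookupOwner mirrors a WHOIS gateway: a name without a record of its own is answered by
// the closest enclosing name that has one, stopping at the registrable domain reg.
func (r Registry) lookupOwner(name, reg string) (string, bool) {
	for {
		if owner, ok := r.WhoisOwner[name]; ok {
			return owner, true
		}
		if name == reg {
			return "", false
		}
		name = name[strings.Index(name, ".")+1:]
	}
}

// VerifyDomainOwner applies checks (1) and (2) of 4-2 and the consent-form route of 4-2-1.
// It reports whether the applicant's exclusive right to use cn is established, and on
// failure names the follow-up step the procedure prescribes.
func (r Registry) VerifyDomainOwner(applicant, cn string) (bool, string) {
	names, err := CandidateNames(cn)
	if err != nil {
		return false, err.Error()
	}
	for _, name := range names {
		owner, ok := r.lookupOwner(name, names[0])
		if !ok {
			return false, name + ": no WHOIS record; ask the applicant to register or publish it"
		}
		switch {
		case owner == applicant, r.related(applicant, owner):
		case r.ConsentForm[name] == applicant:
		default:
			return false, fmt.Sprintf("%s: WHOIS owner %q is a third party; needs a domain name use consent form or a WHOIS owner change", name, owner)
		}
	}
	return true, "exclusive right to use confirmed"
}

func main() {
	reg := Registry{ // constructed sample data
		WhoisOwner: map[string]string{"secom.co.jp": "Applicant K.K.", "shop.secom.co.jp": "Hosting Provider K.K."},
		Group:      map[string][]string{"Applicant Subsidiary K.K.": {"Applicant K.K."}},
	}
	for _, cn := range []string{"WWW.login.secom.co.jp", "www.shop.secom.co.jp", "www.example.com"} {
		ok, why := reg.VerifyDomainOwner("Applicant K.K.", cn)
		fmt.Printf("%-22s ok=%-5v %s\n", cn, ok, why)
	}
}
```

The reason string on a failing path is the procedure's own next step (register or publish the WHOIS record, obtain a consent form, or change the WHOIS owner), so the function doubles as a checklist for the validation specialist.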
8. Procedure 6. Verification by phone call
By making a phone call to the applicant company, we make sure that the
applicant belongs to the company and applied for the certificate.
* EV Policy OID: 1.2.392.200091.100.721.1
* Root Cert URL: https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
* Test Website: https://pfwtest.secomtrust.net/
CRL: https://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl
http://repo1.secomtrust.net/spcpp/pfw/pfwev2ca/fullcrl.crl
CRL issuing frequency for subordinate end-entity certificates: 24 hours
From SECOM CA Service Passport for Web SR 2.0 Certificate Policy
(PfWSR2CA-CP.pdf), Section 4.9.7: CRL is expired regardless of
treatment, every 24 hours
OCSP: http://ev2.ocsp.secomtrust.net/
* Audit: SECOM is audited annually by PricewaterhouseCoopers Aarata,
according to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=1717&file=pdf
WebTrust BR: https://bugzilla.mozilla.org/attachment.cgi?id=8519802
WebTrust EV: https://cert.webtrust.org/SealFile?seal=1717&file=pdf
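Two of the values above are things a relying party can check mechanically: that a leaf certificate carries the EV policy OID, and that a CRL was signed by its issuer and lives no longer than the 24 hours stated in PfWSR2CA-CP section 4.9.7. The block below is an added example in Go, not part of the original post or of SECOM's software; the issuing CA, the leaf certificates and the CRL are all constructed in-process (nothing is fetched from the URLs above), and only the OID and the 24-hour limit come from the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var SECOMEVPolicy = asn1.ObjectIdentifier{1, 2, 392, 200091, 100, 721, 1} // EV policy OID from the request

const CRLMaxAge = 24 * time.Hour // CRL lifetime stated in PfWSR2CA-CP section 4.9.7

// HasPolicy reports whether cert asserts oid in certificatePolicies, the prerequisite for EV treatment.
func HasPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

// CheckCRL verifies a DER CRL against its issuer, then rejects a validity window longer than CRLMaxAge.
func CheckCRL(der []byte, issuer *x509.Certificate) error {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if lifetime := rl.NextUpdate.Sub(rl.ThisUpdate); lifetime > CRLMaxAge {
		return fmt.Errorf("CRL lifetime %v exceeds %v", lifetime, CRLMaxAge)
	}
	return nil
}

// must keeps the throwaway-PKI setup below short; production code returns these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TestCA is a throwaway issuing CA constructed for this example (not SECOM's CA).
type TestCA struct{ Key *ecdsa.PrivateKey; Cert *x509.Certificate }

func NewTestCA() *TestCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example EV Issuing CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &TestCA{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// IssueLeaf issues a server certificate for cn; with ev set it carries SECOMEVPolicy, written as
// an explicit certificatePolicies (2.5.29.32) extension so the same code works on every Go version.
func (ca *TestCA) IssueLeaf(cn string, ev bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ev { // PolicyInformation SEQUENCE { policyIdentifier OID } with no qualifiers
		val := must(asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{SECOMEVPolicy}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key))
	return must(x509.ParseCertificate(der))
}

// IssueCRL signs an empty CRL whose window opened a minute ago and lasts lifetimeHours.
func (ca *TestCA) IssueCRL(lifetimeHours int) []byte {
	thisUpdate := time.Now().Add(-time.Minute)
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(time.Duration(lifetimeHours) * time.Hour)}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key))
}

func main() {
	ca := NewTestCA()
	fmt.Println("EV leaf asserts policy:", HasPolicy(ca.IssueLeaf("www.example.test", true), SECOMEVPolicy))
	fmt.Println("24h CRL:", CheckCRL(ca.IssueCRL(24), ca.Cert), "| 168h CRL:", CheckCRL(ca.IssueCRL(168), ca.Cert))
}
```

HasPolicy only answers whether the leaf asserts the OID; EV treatment in a browser additionally requires that the chain terminate at the root the OID was registered for, which is the decision this request is about.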
This begins the discussion of the request from SECOM to enable EV
treatment for the "Security Communication RootCA2" root certificate that
is currently included in NSS.
At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy