Hello Erwann.

>The problem raised here is that the CPS is the root CPS, and this root CPS 
>says that all end-entity certificates are valid for 3 years max. That is, the 
>certificates issued under it should still be limited to 3 years.

I think there is a misunderstanding here. In the General Certification Practices 
Statement 
(https://www.sede.fnmt.gob.es/documents/11614/67070/dgpc_english.pdf), section 
9.3.2, paragraph 139, it is stated: "Data Signature Creation and Data Verification 
Signature of the Electronic Community may be used throughout the lifetime of 
the certificate that may be up to five years. See each one of the different 
Particular Certification Practices covered by FNMT-RCM as Certification 
Services Provider."

Then, the particular certification practice documents that apply to the subCAs 
issuing "Website" certificates specifically limit this period. As you can see, 
the particular CPSs of "AC Administracion pública" and "AC Componentes 
Informáticos" state (respectively):
- "The electronic venue identification Certificates issued by the FNMT-RCM 
shall have a validity of three (3) years from the moment the Certificate is 
issued, provided its validity is not terminated. After this period and if the 
Certificate is still active, it shall expire and whenever the Subscriber wishes 
to continue using the services of the Certification Services Provider a new one 
must be issued."
- "The maximum term of validity of Component Certificates is three years as 
from the time they are issued, provided that their validity does not terminate 
for the reasons and procedures laid out in the section "Termination of a 
certificate validity"."

>What you're describing is the EV Guidelines, section 9.2.2: "This extension 
>MUST contain one or more host Domain Name(s) owned or controlled by the 
>Subject and to be associated with the Subject's server." 

>From section 3.4.2.1 of 
>https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
"7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each.."
As we commented, our certificates are compliant with this requirement, as we set 
the Domain Name. Also, in order to comply with regulations related to 
eGovernment and the identification of eOffices, administrative ID information must 
be set in the SAN extension. Again, we are proceeding as several certification 
service providers that already have their root certificates included in Mozilla do.

>Do certificates issued under the "AC FNMT Usuarios" CA (for example) also have 
>this OID? 
Regarding the "AC FNMT Usuarios" subCA, server certificates are not issued. This 
subCA issues certificates only to natural persons (mainly Spanish citizens).

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
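The thread above argues about two things a verifier can check mechanically: whether a "Website" certificate's subjectAltName carries at least one entry (BR 7.1.4.2.1) including a host name (EV Guidelines 9.2.2), and whether its validity stays within the three-year limit that the particular CPSs quote. The following is an added example, not code from the FNMT reply nor from any CA: a minimal DER walker that lists the GeneralName entries of a SubjectAltName value and applies those checks. The SAN bytes, the host name `sede.example.es` and the organisation name in the directoryName are constructed placeholders, not values from any real FNMT certificate.

```python
# Added example, not code from the FNMT reply or from any CA. It walks the
# DER of a SubjectAltName extension value, lists its GeneralName entries and
# applies the requirements quoted in the thread: BR 7.1.4.2.1 (at least one
# entry), EV Guidelines 9.2.2 (a host name for the Subject's server) and the
# three-year limit from the particular CPSs. All inputs are constructed here.
from datetime import datetime


def tlv(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# GeneralName CHOICE tags (RFC 5280 section 4.2.1.6), context-specific class.
GENERAL_NAME_TAGS = {
    0xA0: "otherName", 0x81: "rfc822Name", 0x82: "dNSName",
    0xA4: "directoryName", 0x86: "uniformResourceIdentifier", 0x87: "iPAddress",
}


def parse_directory_name(der):
    """Return [(oid_hex, value)] for each RDN of a directoryName (Name)."""
    _, rdns, _ = read_tlv(der, 0)                 # SEQUENCE OF RelativeDistinguishedName
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)     # SET OF AttributeTypeAndValue
        _, atv, _ = read_tlv(rdn_set, 0)          # first AttributeTypeAndValue
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        out.append((oid.hex(), value.decode("utf-8")))
    return out


def parse_san(san_der):
    """Parse a SubjectAltName value (SEQUENCE OF GeneralName) into (kind, value) pairs."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        kind = GENERAL_NAME_TAGS.get(tag, "unknown[%d]" % (tag & 0x1F))
        if kind in ("dNSName", "rfc822Name", "uniformResourceIdentifier"):
            entries.append((kind, val.decode("ascii")))
        elif kind == "iPAddress" and len(val) == 4:
            entries.append((kind, ".".join(str(b) for b in val)))
        elif kind == "directoryName":
            entries.append((kind, parse_directory_name(val)))
        else:
            entries.append((kind, val.hex()))     # otherName etc. kept raw
    return entries


def check_san(san_der):
    """BR 7.1.4.2.1: at least one entry; EV 9.2.2: at least one dNSName."""
    entries = parse_san(san_der)
    return {
        "entries": entries,
        "has_entry": bool(entries),
        "has_dns_name": any(kind == "dNSName" for kind, _ in entries),
    }


def within_cps_limit(not_before, not_after, max_years=3):
    """CPS rule quoted above: notAfter at most max_years after notBefore.
    Inputs are GeneralizedTime strings as found in a certificate's validity."""
    nb = datetime.strptime(not_before, "%Y%m%d%H%M%SZ")
    na = datetime.strptime(not_after, "%Y%m%d%H%M%SZ")
    try:
        limit = nb.replace(year=nb.year + max_years)
    except ValueError:                            # notBefore on 29 February
        limit = nb.replace(year=nb.year + max_years, day=28)
    return na <= limit


# Constructed sample SAN: a host name plus a directoryName carrying an
# organisation name (placeholders, not from any real FNMT certificate).
OID_COMMON_NAME = bytes.fromhex("550403")          # 2.5.4.3 commonName
SAMPLE_SAN = tlv(0x30,
    tlv(0x82, b"sede.example.es")
    + tlv(0xA4, tlv(0x30, tlv(0x31, tlv(0x30,
        tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, "Ayuntamiento de Ejemplo".encode()))))))
EMPTY_SAN = tlv(0x30, b"")                         # violates BR 7.1.4.2.1

if __name__ == "__main__":
    print(check_san(SAMPLE_SAN))
    print(check_san(EMPTY_SAN)["has_entry"])
    print(within_cps_limit("20160101000000Z", "20190101000000Z"))
```

The point of carrying the directoryName through the parser is the one FNMT makes above: a SAN may legitimately hold administrative identification alongside the host name, and a checker should neither reject it nor count it as the required host name, which is why `has_dns_name` looks only at dNSName entries.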