On 10/21/15 12:17 PM, Kathleen Wilson wrote:
FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate and
enable the Websites trust bit.

Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that
provides services to Spain as a national CA.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=435736

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8677034

Noteworthy points:

* Documents are in Spanish, and some are translated into English.

Document Repository:
https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion

CP:
https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/

CPS: https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/

* CA Hierarchy

** This root has internally-operated subordinate CAs
- “AC Componentes Informáticos” issues certificates for SSL Servers and
code signing.
- "AC Administración Pública" is an updated version of the “APE CA” in
order to meet new requirements from Spanish Government about
certificates of Public Administrations.
- “APE CA” is no longer used.

* This request is to enable the Websites trust bit.




Thanks to all of you who have contributed to this discussion so far. I believe that some of the concerns that were raised have been resolved, and that the remaining open concerns are as follows. Please reply if I missed any other items that still need to be resolved.

1) This root certificate has subordinate certificates that are not technically constrained and not audited/disclosed according to sections 8-10 of Mozilla’s CA Certificate Policy. The noted subCAs are "AC FNMT Usuarios" (doesn't issue server certificates) and “ISA CA” (server certificates are issued exclusively to a very restricted (almost private) environment). Unless there are technical constraints on the intermediate CA certificates representing those subCAs which make it impossible for them to issue TLS or S/MIME certificates, they are in-scope for this inclusion request, because they are a potential source of mis-issuance which puts users of the Mozilla trust store at risk.
References:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions

2) The allowed methods of verifying domain name ownership/control must be in compliance with section 3.2.2.4 of version 1.3 (or later) of the Baseline Requirements. Part of what was documented in the translation of the ISA CA CPS said: “In the event that that such a check is not possible, the FNMT-RCM shall accept the Organization or Competent Body’s ownership over said names or addresses on the basis of the corresponding application.” It is not clear how this is in compliance with the allowed domain validation procedures per the Baseline Requirements.
Reference: https://cabforum.org/documents/#Baseline-Requirements


Thanks,
Kathleen

