On Wednesday, October 21, 2015 at 12:18:26 PM UTC-7, Kathleen Wilson wrote:
> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and 
> enable the Websites trust bit.
> 
> Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that 
> provides services to Spain as a national CA.
> 
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=435736
> 
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
> 
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8677034
> 
> Noteworthy points:
> 
> * Documents are in Spanish, and some are translated into English.
> 
> Document Repository: 
> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> CP: https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/
> 
> CPS: https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/
> 
> * CA Hierarchy
> 
> ** This root has internally-operated subordinate CAs
> - "AC Componentes Informáticos" issues certificates for SSL Servers and 
> code signing.
> - "AC Administración Pública" is an updated version of the "APE CA" in 
> order to meet new requirements from Spanish Government about 
> certificates of Public Administrations.
> - "APE CA" is no longer used.
> 
> * This request is to enable the Websites trust bit.
> 

All, I've been thinking about this request to include FNMT's root certificate 
that is valid from 2008, has an intermediate cert to be revoked, has a 
different intermediate cert that would need to have a special type of audit to 
confirm non-existence of SSL certs, and concerns have been raised (many 
resolved) in regards to BR compliance and certlint testing.

I am wondering if, rather than trying to fit this old cert and CA hierarchy into 
relatively new requirements, it would be better to ask the CA to create a new, 
fully BR-compliant root certificate?

Then we could proceed with the remainder of the root inclusion process for the 
new root cert and clean CA hierarchy, and the CA would migrate their customers 
to the new hierarchy as needed.

I understand this is asking a lot of the CA, so I will appreciate your 
thoughtful and constructive input on the best way to proceed with FNMT's root 
inclusion request.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy