On Friday, March 11, 2016 at 5:50:47 AM UTC-8, raf...@gmail.com wrote:
> El viernes, 15 de enero de 2016, 13:42:41 (UTC+1), raf...@gmail.com  escribió:
> > Hi all.
> > 
> > We have developed a solution plan for these issues.
> > 
> > We are going to audit in-scope CAs. Finally our FNMT-RCM CAs hierarchy 
> > audit scheme will be as follows:
> > 
> > + AC RAIZ FNMT-RCM
> >    + AC Administración Pública
> >      - Issues: SSL certs, QCP certs
> >      - Audits: WebTrust for CAs, WebTrust SSL BRs, ETSI 101 456
> >    + AC Componentes Informáticos
> >      - Issues: SSL certs
> >      - Audits: WebTrust for CAs, WebTrust SSL BRs
> >    + AC FNMT Usuarios
> >      - Issues: issues QCP certs, not restricted by EKU extension
> >      - Audits: (ETSI 101 456 or WebTrust for CAs) and audit of 
> > non-existence of SSL certs
> >    + ISA CA Will be revoked in early 2016
> >    + AC APE No longer used. Will be revoked in early 2016
> > 
> 
> As we committed, we have been working intensively to follow this plan.
> 
> We migrated all of our ISA CA's customers and last week this subCA was 
> revoked.
> 
> In the next days, "AC APE" will be revoked.
> 
> Next month we have a date with TÜViT for "AC Administración Pública" and "AC 
> FNMT Usuarios" ETSI auditing.
> 
> Currently, after corresponding audit, WebTrust for CAs seal and WebTrust SSL 
> BRs audit report are being transacted and we hope to have them available in 
> the coming days.



I believe there is consensus that we may proceed with the inclusion of the 
current AC RAIZ FNMT-RCM root certificate as outlined by Rafa, with the 
following clarifications / action items:

1) FNMT and Mozilla will need to make sure the revoked intermediate 
certificates get added to OneCRL.

2) The "AC FNMT Usuarios" intermediate certificate will need to be audited 
annually to ensure that it never issues TLS/SSL certificates. If the audit ever 
comes back inconclusive or if there is ever any doubt that such an audit could 
detect any inadvertent issuance, the assumption should be that mis-issuance 
has occurred and it would be reasonable to act accordingly. 

3) FNMT will work with the CAB Forum to resolve the conflicts between the BRs 
and the requirements that Spanish CAs must follow (i.e. the certlint errors, 
https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c160). 

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
