On Fri, Aug 5, 2016 at 5:39 AM, Peter Kurrasch <fhw...@gmail.com> wrote:
> Kathleen-- > > As I understand it, the request is for only CA2(Root) to be included in > the trust store. Is that correct? > > The CP/CPS document submitted for the CA2(Root) hardly seems sufficient to > satisfy anyone for one simple reason: there is no detail! I'm surprised the > auditors (KPMG in this case) found this to be acceptable. If the CA2(Sub) > is not to be included in the Mozilla trust store then I don't see how it's > CP/CPS can be reviewed for consideration here. > I've been mulling over this too. While it does say it complies with the BRs and they take priority, it is indeed very under specified. I would refer the Government of Japan, Ministry of Internal Affairs and Communications to the Amazon Trust Services CP/CPS as an example of how to adhere closely to the BRs while still providing sufficient detail. Andrew > My recommendation is to reject this request and ask that the root's > documentation be rewritten to reflect the policies and procedures that > apply to all certs that chain to this root. > > > *From: *Eric Mill > *Sent: *Wednesday, July 20, 2016 8:15 PM > > For some reason, Gmail split up this thread into two for me. In case anyone > else is having similar issues, here's the original detail for this request: > > On Wed, Apr 27, 2016 at 4:56 PM, Kathleen Wilson <kwil...@mozilla.com> > wrote: > > > This request by the Government of Japan, Ministry of Internal Affairs and > > Communications, is to include the GPKI 'ApplicationCA2 Root' certificate > > and enable the Websites trust bit. This new root certificate has been > > created in order to comply with the Baseline Requirements, and will > > eventually replace the 'ApplicationCA - Japanese Government' root > > certificate that was included via Bugzilla Bug #474706. Note that their > > currently-included root certificate expires in 2017, and will be removed > > via Bugzilla Bug #1268219. > > > > The request is documented in the following bug: > > https://bugzilla.mozilla.org/show_bug.cgi?id=870185 > > > > And in the pending certificates list: > > https://wiki.mozilla.org/CA:PendingCAs > > > > Summary of Information Gathered and Verified: > > https://bugzilla.mozilla.org/attachment.cgi?id=8673399 > > > > Noteworthy points: > > > > * The primary documents are the Root and SubCA CP/CPS, provided in > > Japanese and English. > > > > Document Repository (Japanese): > > http://www.gpki.go.jp/apca/cpcps/index.html > > Document Repository (English): > > https://www2.gpki.go.jp/apca2/apca2_eng.html > > Root CP/CPS: > > https://www2.gpki.go.jp/apca2/cpcps/cpcps_root_eng.pdf > > SubCA CP/CPS: > > https://www2.gpki.go.jp/apca2/cpcps/cpcps_sub_eng.pdf > > > > * CA Hierarchy: This root certificate has one internally-operated > > subordinate CA that issues end-entity certificates for SSL and code > signing. > > > > * This request is to turn on the Websites trust bit. > > > > SubCA CP/CPS section 3.2.2, Authentication of organization identity > > As for the application procedure of a server certificate, ... the LRA > > shall verify the authenticity of the organization to which the subscriber > > belongs according to comparing with organizations which were written in > the > > application by directory of government officials that the Independent > > Administrative Agency National Printing Bureau issued. > > > > SubCA CP/CPS section 3.2.3, Authentication of individual identity > > As for the application procedure of a server certificate, ... the LRA > > shall verify the authenticity of the subscriber according to comparing > with > > name, contact, etc. which were written in the application by directory of > > government officials that the Independent Administrative Agency National > > Printing Bureau issued. > > The LRA also check the intention of an application by a telephone or > > meeting. > > > > SubCA CP/CPS section 4.1.2, Enrollment process and responsibilities > > (1) Server certificate > > The subscriber shall apply accurate information on their certificate > > applications to the LRA. > > The LRA shall confirm that the owner of the domain name written as a > > name(cn) of a server certificate in the application form belongs to > > Ministries and Agencies who have jurisdiction over LRA, or its related > > organization with the thirdparty databases and apply accurate information > > to the Application CA2(Sub). > > > > * Mozilla Applied Constraints: This CA has indicated that the CA > hierarchy > > may be constrained to the *.go.jp domain. > > > > * Root Certificate Download URL: > > https://bugzilla.mozilla.org/attachment.cgi?id=8673392 > > https://www.gpki.go.jp/apca2/APCA2Root.der > > > > * EV Policy OID: Not requesting EV treatment > > > > * Test Website: > > https://www2.gpki.go.jp/apca2/apca2_eng.html > > > > * CRL URLs: > > http://dir.gpki.go.jp/ApplicationCA.crl > > http://dir2.gpki.go.jp/ApplicationCA2Root.crl > > http://dir2.gpki.go.jp/ApplicationCA2Sub.crl > > SubCA CPS section 4.9.7: The CRL of 48-hour validity period is issued at > > intervals of 24 hours. > > > > * OCSP URL: > > http://ocsp-sub.gpki.go.jp > > http://ocsp-root.gpki.go.jp > > > > * Audit: Annual audits are performed by KPMG AZSA LLC according to the > > WebTrust criteria. > > WebTrust Audit (Japanese and English in same document): > > https://cert.webtrust.org/SealFile?seal=1793&file=pdf > > BR Readiness Assessment: > > https://bugzilla.mozilla.org/attachment.cgi?id=8667814 > > Response to Audit Findings: > > https://bugzilla.mozilla.org/attachment.cgi?id=8667815 > > We will improve the issues that was pointed out in the pre-audit and > > submit the investigation report by September 2016. > > > > * Potentially Problematic Practices: None Noted > > (http://wiki.mozilla.org/CA:Problematic_Practices) > > > > This begins the discussion of the request from the Government of Japan to > > include the GPKI 'ApplicationCA2 Root' certificate and enable the > Websites > > trust bit. > > > > Please review this CA's request and provide feedback now, so that this CA > > may address any concerns while awaiting the results of their > investigation > > report that is expected to show that the issues found during their BR > audit > > have been addressed. A decision about inclusion will wait until after the > > investigation report has been provided. > > > > Kathleen > > > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > > > -- > konklone.com | @konklone <https://twitter.com/konklone> > > On Wed, Jul 20, 2016 at 7:58 PM, Kathleen Wilson <kwil...@mozilla.com> > wrote: > > > On Friday, May 20, 2016 at 3:33:56 PM UTC-7, Kathleen Wilson wrote: > > > Does anyone have questions, concerns, or feedback on this request from > > the Government of Japan, Ministry of Internal Affairs and Communications, > > to include the GPKI 'ApplicationCA2 Root' certificate and enable the > > Websites trust bit? > > > > > > Kathleen > > > > I will greatly appreciate it if someone will review and comment on this > > request. > > > > As always, I appreciate your thoughtful and constructive feedback. > > > > Kathleen > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > > > -- > konklone.com | @konklone <https://twitter.com/konklone> > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
