I have now reviewed Microsec's updated CPS for OV and DV.  I am not going
to hold up approval of the inclusion of this root for the following
reasons, which I believe are relatively minor, but Microsec should be aware
that:

   - section 3.1.1 of Microsec's "eIDAS conform Certificate for Website
   Authentication CPS" (
   https://static.e-szigno.hu/docs/szsz--fok--ssl--EN--v2.14.pdf) ("the
   CPS") appears to allow certain identifiers, allowed for EV, but not yet
   added to the Baseline Requirements, see
   https://cabforum.org/2019/05/21/ballot-sc17-version-7-alternative-registration-numbers-for-ev-certificates/.
   This is something that should be taken up with the CA/Browser Forum (and
   corrected in Microsec's CPS); and
   - section 4.9.5 of the CPS, which states, "Emails arriving out of office
   hours are considered as arrived at the beginning of the next business day."
   This may put Microsec at risk of a violation of the Baseline Requirements
   sections 4.9.1 through 4.9.5. While "receipt" (or "arrival") is not yet
   defined in the Baseline Requirements, there is an expectation of 24x7
   availability, which it appears Microsec is providing - "The Trust Service
   Provider maintains a continuous 24x7 ability to respond internally to a
   High Priority Certificate Problem Report."

This concludes my review of the Microsec CPs/CPSes, and I believe it is now
appropriate to begin the process of adding this root CA into NSS (without
EV enablement).

On Thu, May 28, 2020 at 1:00 PM Ben Wilson <bwil...@mozilla.com> wrote:

> In accordance with the CA inclusion process,[1] this is a summary of the
> public discussion of Microsec’s application for inclusion of the e-Szigno
> Root CA 2017 into the Mozilla root store, and to EV enable it and the
> currently-included e-Szigno Root CA 2009. The request is documented in
> Bugzilla #1445364.[2] The public discussion began on 9-March-2020.[3] The
> email launching the public discussion and comments received during the
> public discussion raised a number of issues, not all of which are itemized
> here, including:
>
> * the CPS was unclear about certificate problem reporting and revocation
> request processing[4]; and
>
> * Microsec has had systemic, standards-related non-conformities, e.g. Bug#
> 1622539[5], and needs to demonstrate better behavior in keeping up with and
> complying with the CABF Baseline Requirements and root store policy.[6]
>
> Microsec is resolving these concerns by:
>
> - updating its CPS[7][8]; and
>
> - committing to engage in better compliance with industry standards[9].
>
> In my opinion Microsec has demonstrated sufficient response that we do not
> need to remove Microsec from Mozilla’s root store. Therefore, once I am
> satisfied after a review of the updated CPS, I am planning to recommend
> that we approve the request to include the e-Szigno Root CA 2017
> certificate and enable the websites trust bit. However, I plan to deny
> the request for EV treatment for both root certificates. Microsec may
> re-apply by filing a new request for EV treatment after they have
> demonstrated improved compliance with the BRs and EV Guidelines.
>
> I appreciate any feedback on this proposed course of action.
>
> [1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
>
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
>
> [3]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/QrhdAWq_AAAJ
>
> [4]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/KN-gnSLLAAAJ
>
>
> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1622539
>
> [6]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/T7hcaOYGAQAJ
>
>
> [7]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/pyZKc40_CQAJ
>
>
> [8]
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30
>
>
> [9]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/mNFZGgXBAgAJ
>
>
>
> On Mon, Apr 20, 2020 at 5:44 AM Sándor dr. Szőke via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>
>> Dear Ben,
>>
>> I confirm that Microsec will correct all issues in the CP and CPS
>> documents as promised during the public discussion.
>>
>> Thanks to everyone who took the time to read Microsec CP and CPS and to
>> comment on them.
>>
>> If there are no more comments on the content of our CP and CPS documents
>> in the public discussion, we will review the thread again and gather all
>> the issues to be resolved.
>> As usual, Microsec will review current versions of all applicable
>> requirements for changes.
>>
>> I confirm that the section 1.5.2 will be changed. The High Priority
>> Certificate Problem Report will be reviewed and will be moved here from
>> section 4.9.3.
>>
>> Other issues I can see after a brief overview:
>> - Preliminary report in case of Certificate problem report in section
>> 4.9.5
>> - correct the reference to section 1.3.1 instead of 1.2 in section 4.9.5
>> - review the email address validation rules in case of non-automatic
>> validation procedure in section 3.2.7
>>
>> I expect that Microsec will be able to do it within one week and will
>> prepare the draft version of the public documents by the end of April.
>>
>> We publish the drafts on our website and send them to the auditor and our
>> supervisory authority at the same time.
>>
>> This is followed by a 30-day commenting period during which anyone can
>> comment on the planned changes.
>> If significant issues arise during this period, the draft shall be
>> amended and the 30 days shall begin again.
>> If there are no significant issues, the new document will enter into
>> force by the end of May 2020.
>>
>> Please let us know if you expect us to take any further steps in this
>> process.
>>
>> Best regards,
>>
>> Sándor
>>
>> dr. Sándor Szőke
>> Microsec deputy director
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy