Having received no further comments, I have recommended approval of this
request in bug 1445364
<https://bugzilla.mozilla.org/show_bug.cgi?id=1445364>

- Ben

On Tue, Jun 2, 2020 at 1:57 PM Ben Wilson <bwil...@mozilla.com> wrote:

> I have now reviewed Microsec's updated CPS for OV and DV.  I am not going
> to hold up approval of the inclusion of this root for the following
> reasons, which I believe are relatively minor, but Microsec should be aware
> that:
>
>    - section 3.1.1 of Microsec's "eIDAS conform Certificate for Website
>    Authentication CPS" (
>    https://static.e-szigno.hu/docs/szsz--fok--ssl--EN--v2.14.pdf) ("the
>    CPS") appears to allow certain identifiers, allowed for EV, but not yet
>    added to the Baseline Requirements, see
>    https://cabforum.org/2019/05/21/ballot-sc17-version-7-alternative-registration-numbers-for-ev-certificates/.
>    This is something that should be taken up with the CA/Browser Forum (and
>    corrected in Microsec's CPS); and
>    - section 4.9.5 of the CPS, which states, "Emails arriving out of
>    office hours are considered as arrived at the beginning of the next
>    business day." This may put Microsec at risk of a violation of the Baseline
>    Requirements sections 4.9.1 through 4.9.5. While "receipt" (or "arrival")
>    is not yet defined in the Baseline Requirements, there is an expectation of
>    24x7 availability, which it appears Microsec is providing - "The Trust
>    Service Provider maintains a continuous 24x7 ability to respond internally
>    to a High Priority Certificate Problem Report."
>
> This concludes my review of the Microsec CPs/CPSes, and I believe it is
> now appropriate to begin the process of adding this root CA into NSS
> (without EV enablement).
>
> On Thu, May 28, 2020 at 1:00 PM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> In accordance with the CA inclusion process,[1] this is a summary of the
>> public discussion of Microsec’s application for inclusion of the e-Szigno
>> Root CA 2017 into the Mozilla root store, and to EV enable it and the
>> currently-included e-Szigno Root CA 2009. The request is documented in
>> Bugzilla #1445364.[2] The public discussion began on 9-March-2020.[3] The
>> email launching the public discussion and comments received during the
>> public discussion raised a number of issues, not all of which are itemized
>> here, including:
>>
>> * the CPS was unclear about certificate problem reporting and revocation
>> request processing[4]; and
>>
>> * Microsec has had systemic, standards-related non-conformities, e.g.
>> Bug# 1622539[5], and needs to demonstrate better behavior in keeping up
>> with and complying with the CABF Baseline Requirements and root store
>> policy.[6]
>>
>> Microsec is resolving these concerns by:
>>
>> - updating its CPS[7][8]; and
>>
>> - committing to engage in better compliance with industry standards[9].
>>
>> In my opinion Microsec has demonstrated sufficient response that we do
>> not need to remove Microsec from Mozilla’s root store. Therefore, once I am
>> satisfied after a review of the updated CPS, I am planning to recommend
>> that we approve the request to include the e-Szigno Root CA 2017
>> certificate and enable the websites trust bit. However, I plan to deny
>> the request for EV treatment for both root certificates. Microsec may
>> re-apply by filing a new request for EV treatment after they have
>> demonstrated improved compliance with the BRs and EV Guidelines.
>>
>> I appreciate any feedback on this proposed course of action.
>>
>> [1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
>> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/QrhdAWq_AAAJ
>> [4] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/KN-gnSLLAAAJ
>> [5] https://bugzilla.mozilla.org/show_bug.cgi?id=1622539
>> [6] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/T7hcaOYGAQAJ
>> [7] https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/pyZKc40_CQAJ
>> [8] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30
>> [9] https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/mNFZGgXBAgAJ
>>
>> On Mon, Apr 20, 2020 at 5:44 AM Sándor dr. Szőke via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>>
>>> Dear Ben,
>>>
>>> I confirm that Microsec will correct all issues in the CP and CPS
>>> documents as promised during the public discussion.
>>>
>>> Thanks to everyone who took the time to read Microsec CP and CPS and to
>>> comment on them.
>>>
>>> If there are no more comments on the content of our CP and CPS documents
>>> in the public discussion, we will review the thread again and gather all
>>> the issues to be resolved.
>>> As usual, Microsec will review current versions of all applicable
>>> requirements for changes.
>>>
>>> I confirm that the section 1.5.2 will be changed. The High Priority
>>> Certificate Problem Report will be reviewed and will be moved here from
>>> section 4.9.3.
>>>
>>> Other issues I can see after a brief overview:
>>> - Preliminary report in case of Certificate problem report in section
>>> 4.9.5
>>> - correct the reference to section 1.3.1 instead of 1.2 in section 4.9.5
>>> - review the email address validation rules in case of non-automatic
>>> validation procedure in section 3.2.7
>>>
>>> I expect that Microsec will be able to do it within one week and will
>>> prepare the draft version of the public documents by the end of April.
>>>
>>> We publish the drafts on our website and send them to the auditor and
>>> our supervisory authority at the same time.
>>>
>>> This is followed by a 30-day commenting period during which anyone can
>>> comment on the planned changes.
>>> If significant issues arise during this period, the draft shall be
>>> amended and the 30 days shall begin again.
>>> If there are no significant issues, the new document will enter into
>>> force by the end of May 2020.
>>>
>>> Please let us know if you expect us to take any further steps in this
>>> process.
>>>
>>> Best regards,
>>>
>>> Sándor
>>>
>>> dr. Sándor Szőke
>>> Microsec deputy director
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> dev-security-policy@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-security-policy
>>>
>>