Dear All, This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process, https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9). Mozilla is considering approval of NAVER Business Platform Corp.’s request to include the NAVER Global Root Certification Authority as a trust anchor with the websites trust bit enabled, as documented in the following Bugzilla case: https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a 3-week comment period, after which if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
*A Summary of Information Gathered and Verified appears here in the CCADB:* https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261 *NAVER Global Root Certification Authority, *valid from 8/18/2017 to 8/18/2037 SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265 https://crt.sh/?id=1321953839 *Root Certificate Download:* https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt *CP/CPS:* Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29) through 42 in Bugzilla contain discussion concerning the CPS and revisions thereto. Current CPS is version 1.4.3: https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP%20Certification%20Practice%20Statement%20v1.4.3.pdf Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do *BR Self Assessment* (Excel file) is located here: https://bugzilla.mozilla.org/attachment.cgi?id=9063955 *Audits:* Annual audits are performed by Deloitte according to the WebTrust Standard and WebTrust Baseline Requirements audit criteria. See webtrust.org. The last complete audit period for NAVER was from 1 December 2018 to 30 November 2019 and no issues were found. However, the audit report was dated 28 April 2020, which was more than three months following the end of the audit period. The explanation for the delay in obtaining the audit report was as follows, “NBP had received a notification mail on updating the audit information from CCADB support in March since the Root certificate is only included into Microsoft Root Program. According to instructions on the email, I explained that NBP would submit the audit update information in April to Microsoft.” The current audit period ends 30 November 2020. *Mis-Issuances * According to crt.sh and censys.io, the issuing CA under this root (NAVER Secure Certification Authority 1) has issued approximately 80 certificates. I ran the following query for the issuing CA to identify any mis-issuances: https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18, and during the course of our review, we identified six test certificates with errors. (Such certificates have either been revoked or have expired). See: https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint The explanation provided ( https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which were not complied with BRs right after issuing them. The domains on SANs of the certificates were owned and controlled by NBP. They were immediately revoked according to CA procedures. For ZLint tests, the certificate (CN= test2-certificate.naver.com) had been issued and became expired in compliance with CA Browser Forum BRs and RFC 5280. I understand there is a specific Mozilla policy on Authority Key IDs. NBP already fixed the system functions. There is no such valid certificate and NBP CA currently issues certificates fully complied with the Mozilla policy. You can see the new certificate (CN= test2-certificate.naver.com) was issued without any error at https://crt.sh/?id=2824319278.” I have no further questions or concerns at this time, however I urge anyone with concerns or questions to raise them by replying to this list under the subject heading above. Again, this email begins a three-week public discussion period, which I’m scheduling to close on Monday, 2-November-2020. Sincerely yours, Ben Wilson Mozilla Root Program _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
