Hi, In the CPS v1.4.3 of NAVER, section 4.9.3, I found the following:
> 4.9.3 Procedure for Revocation Request > The NAVER BUSINESS PLATFORM processes a revocation request as follows: > [...] > 4. For requests from third parties, The NAVER BUSINESS PLATFORM personnel > begin investigating the request within 24 hours after receipt and decide > whether revocation is appropriate based on the following criteria: > a. [...], b. [...], c. [...], d. [...] > e. Relevant legislation. The wording here is concerning, as it points to potential legislation that could disallow NAVER from revoking problematic certificates. Also of note is that this 'relevant legislation' is not referenced in section 9.14, Governing Law, nor in 9.16.3, Severability (as required per BRs 9.16.3). I also noticed that the "All verification activities" type of event is not recorded, or at least not documented as such. This is a requirement from BRs 5.4.1(2)(2). Regards, Matthias On Sat, 10 Oct 2020 at 00:09, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > Dear All, > > This is to announce the beginning of the public discussion phase of the > Mozilla root CA inclusion process, > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 > through 9). Mozilla is considering approval of NAVER Business Platform > Corp.’s request to include the NAVER Global Root Certification Authority as > a trust anchor with the websites trust bit enabled, as documented in the > following Bugzilla case: > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a > 3-week comment period, after which if no concerns are raised, we will close > the discussion and the request may proceed to the approval phase (Step 10). > > *A Summary of Information Gathered and Verified appears here in the CCADB:* > > https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261 > > *NAVER Global Root Certification Authority, *valid from 8/18/2017 to > 8/18/2037 > > SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265 > > https://crt.sh/?id=1321953839 > > *Root Certificate Download:* > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt > > > *CP/CPS:* > > Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29) > through 42 in Bugzilla contain discussion concerning the CPS and revisions > thereto. > > Current CPS is version 1.4.3: > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP%20Certification%20Practice%20Statement%20v1.4.3.pdf > > Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do > > *BR Self Assessment* (Excel file) is located here: > > https://bugzilla.mozilla.org/attachment.cgi?id=9063955 > > *Audits:* Annual audits are performed by Deloitte according to the > WebTrust Standard and WebTrust Baseline Requirements audit criteria. See > webtrust.org. The last complete audit period for NAVER was from 1 December > 2018 to 30 November 2019 and no issues were found. However, the audit > report was dated 28 April 2020, which was more than three months following > the end of the audit period. The explanation for the delay in obtaining the > audit report was as follows, “NBP had received a notification mail on > updating the audit information from CCADB support in March since the Root > certificate is only included into Microsoft Root Program. According to > instructions on the email, I explained that NBP would submit the audit > update information in April to Microsoft.” The current audit period ends > 30 November 2020. > > *Mis-Issuances * > > According to crt.sh and censys.io, the issuing CA under this root > (NAVER Secure Certification Authority 1) has issued approximately 80 > certificates. I ran the following query for the issuing CA to identify any > mis-issuances: > https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18, > and during the course of our review, we identified six test certificates > with errors. (Such certificates have either been revoked or have expired). > See: > > https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint > > https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint > > https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint > > https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint > > https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint > > https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint > > The explanation provided ( > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding > CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which > were not complied with BRs right after issuing them. The domains on SANs of > the certificates were owned and controlled by NBP. They were immediately > revoked according to CA procedures. For ZLint tests, the certificate (CN= > test2-certificate.naver.com) had been issued and became expired in > compliance with CA Browser Forum BRs and RFC 5280. I understand there is a > specific Mozilla policy on Authority Key IDs. NBP already fixed the system > functions. There is no such valid certificate and NBP CA currently issues > certificates fully complied with the Mozilla policy. You can see the new > certificate (CN= test2-certificate.naver.com) was issued without any error > at https://crt.sh/?id=2824319278.” > > I have no further questions or concerns at this time, however I urge anyone > with concerns or questions to raise them by replying to this list under the > subject heading above. > > Again, this email begins a three-week public discussion period, which I’m > scheduling to close on Monday, 2-November-2020. > > Sincerely yours, > > Ben Wilson > > Mozilla Root Program > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
