2020년 10월 10일 토요일 오전 7시 31분 12초 UTC+9에 George님이 작성한 내용: > Minor but it seems like all certificates with a stateOrProvinceName field are > misissued. The ST field should probably be the "Gyeonggi-do" as the > "Seongnam-si" entered is a city. > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy > <dev-secur...@lists.mozilla.org> wrote: > > > Dear All, > > > > This is to announce the beginning of the public discussion phase of the > > Mozilla root CA inclusion process, > > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 > > through 9). Mozilla is considering approval of NAVER Business Platform > > Corp.’s request to include the NAVER Global Root Certification Authority as > > a trust anchor with the websites trust bit enabled, as documented in the > > following Bugzilla case: > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a > > 3-week comment period, after which if no concerns are raised, we will close > > the discussion and the request may proceed to the approval phase (Step 10). > > > > A Summary of Information Gathered and Verified appears here in the CCADB: > > > > https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261 > > > > > > *NAVER Global Root Certification Authority, *valid from 8/18/2017 to > > 8/18/2037 > > > > SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265 > > > > https://crt.sh/?id=1321953839 > > > > Root Certificate Download: > > > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt > > > > > > CP/CPS: > > > > Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29) > > through 42 in Bugzilla contain discussion concerning the CPS and revisions > > thereto. > > > > Current CPS is version 1.4.3: > > > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP > > Certification Practice Statement v1.4.3.pdf > > > > Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do > > > > BR Self Assessment (Excel file) is located here: > > > > https://bugzilla.mozilla.org/attachment.cgi?id=9063955 > > > > Audits: Annual audits are performed by Deloitte according to the > > WebTrust Standard and WebTrust Baseline Requirements audit criteria. See > > webtrust.org. The last complete audit period for NAVER was from 1 December > > 2018 to 30 November 2019 and no issues were found. However, the audit > > report was dated 28 April 2020, which was more than three months following > > the end of the audit period. The explanation for the delay in obtaining the > > audit report was as follows, “NBP had received a notification mail on > > updating the audit information from CCADB support in March since the Root > > certificate is only included into Microsoft Root Program. According to > > instructions on the email, I explained that NBP would submit the audit > > update information in April to Microsoft.” The current audit period ends > > 30 November 2020. > > > > *Mis-Issuances * > > > > According to crt.sh and censys.io, the issuing CA under this root > > (NAVER Secure Certification Authority 1) has issued approximately 80 > > certificates. I ran the following query for the issuing CA to identify any > > mis-issuances: > > https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18, > > > > and during the course of our review, we identified six test certificates > > with errors. (Such certificates have either been revoked or have expired). > > See: > > > > https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint > > > > https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint > > > > https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint > > > > https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint > > > > https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint > > > > https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint > > > > The explanation provided ( > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding > > CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which > > were not complied with BRs right after issuing them. The domains on SANs of > > the certificates were owned and controlled by NBP. They were immediately > > revoked according to CA procedures. For ZLint tests, the certificate (CN= > > test2-certificate.naver.com) had been issued and became expired in > > compliance with CA Browser Forum BRs and RFC 5280. I understand there is a > > specific Mozilla policy on Authority Key IDs. NBP already fixed the system > > functions. There is no such valid certificate and NBP CA currently issues > > certificates fully complied with the Mozilla policy. You can see the new > > certificate (CN= test2-certificate.naver.com) was issued without any error > > at https://crt.sh/?id=2824319278.” > > > > I have no further questions or concerns at this time, however I urge anyone > > with concerns or questions to raise them by replying to this list under the > > subject heading above. > > > > Again, this email begins a three-week public discussion period, which I’m > > scheduling to close on Monday, 2-November-2020. > > > > Sincerely yours, > > > > Ben Wilson > > > > Mozilla Root Program > > > > dev-security-policy mailing list > > dev-secur...@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy
Hello, I am Sooyoung at NAVER Business Platform. As George mentioned, all the certificates, with both of city and province names in stateOrProvinceName field, were issued to NAVER Business Platform (NBP) for test domains. The addresses were verified correctly when issuing them. NBP reflected George’s comment and has fixed the DN structure. You can directly check the issued certificate including the new DN (L is "Seongnam-si" as city name and S field is "Gyeonggi-do" as province name) as below. https://crt.sh/?id=3510606493 NBP also added additional verification process, in compliance with ISO 3166-2, in order to put province information correctly in S field of user DN for newly issued certificates. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
