Thanks for the pointer, Ben. I didn't realise that the links in section 'Particulares AC Raíz FNMT-RCM Servidores Seguros' of their main repository [1] were links to repositories that would include the applicable CPS... As those sections seemed to be for ICAs of the root, I didn't consider them as a source for the CPS of their parent CA. Together with that the CPS pointers in the certificate profile point to the main repository and that the QcPDS links in the certificate profiles don't seem to point to anything, I got lost...
So, sorry for the noise, I was very confused by the structure of the repository. Now that I know where to look, I'll probably check the contents more thoroughly sometime in the following weekend, at first glance they already looked much better. -Matthias [1] https://www.sede.fnmt.gob.es/en/normativa/declaracion-de-practicas-de-certificacion On Wed, 2 Dec 2020, 23:44 Ben Wilson, <bwil...@mozilla.com> wrote: > > Matthias, > Have you been able to obtain the CPS downloadable from here: > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 or here: > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 ? (They > both lead to the same CPS v. 1.6 document.) > Ben > > On Wed, Dec 2, 2020 at 7:15 AM Matthias van de Meent via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: >> >> On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> > >> > El jueves, 19 de noviembre de 2020 a las 0:47:03 UTC+1, Matthias van de >> Meent escribió: >> > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, >> > > <dev-secur...@lists.mozilla.org> wrote: >> > > > >> > > > [...] >> > > > >> > > > *CP/CPS:* >> > > > >> > > > >> https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf >> > > > >> > > > Current CPS is version 1.5, published 1-October-2020. >> > > > >> > > > Repository location: >> > > > >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion >> > > > >> > > I'm having trouble finding the end entity certificate profiles in this >> > > CPS. According to the CPS s7.1.2, they are supposed to be available at >> > > http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository >> > > [0] of which the only english-language document [1] does not contain >> > > any end entity certificate profiles, but only the root and ICA >> > > profiles in attachments. Similarly, I cannot find the CPS you linked >> > > in their repository. >> > > >> > All the relevant documentation (CPS, PDS, Terms and conditions, >> certificate profiles, and old versions of CPSs) of each CA is published in >> its corresponding channel in the website, all of them accessible from: >> > >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion >> >> I'm sorry, but I'm having trouble finding a link to the latest version of >> the CPS of the to-be-included root in that repository. If you add this CPS, >> it would be useful to take Mozilla Root Store Policy section 3.3 (6) into >> account ("CAs must provide a way to clearly determine which CP and CPS >> applies to each of its root and intermediate certificates"). >> >> > For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each >> intermediate CA): >> > AC SERVIDORES SEGUROS TIPO 1: >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 >> > and >> > AC SERVIDORES SEGUROS TIPO 2: >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 >> > >> > In regards the certificate profiles, we have included in CPS v1.6 section >> 7.1.2. direct links to the published documents of profiles. >> > >> > The document describing the profiles of the Website authentication >> certificates, including all extensions, are published at >> > AC SERVIDORES SEGUROS TIPO 1: >> > >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf >> > AC SERVIDORES SEGUROS TIPO 2: >> > >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf >> > >> >> Thank you for the links, I probably overlooked them before. >> >> > > I noticed that the CPS defers a great amount of sections (section 5, >> > > 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which >> > > probably is [1] but that is never explicitly confirmed in the CPS - >> > > there is no explicit link to any repository in section 1.6.1 where the >> > > acronym is defined, nor are there any other indications that this DGPC >> > > is located in the repository under the link of [0]. This is confusing, >> > > and detrimental to the readability of the document. >> > > >> > CPS new version (v1.6) integrates all the sections that were referred to >> in the DGPC (v5.8) and which applied in general to all our CAs. From >> version 1.6 our CPS collects in a single document all the information and >> BRs compliance commitments for our AC RAIZ FNMT-RCM SERVIDORES SEGUROS >> > [...] >> > I hope that we have been able to resolve all the issues raised with this >> new version of the CPS (1.6) and have gained in transparency. >> > Thanks >> > Santiago. >> >> Thanks for the update, it sounds promising. I'll check it again once I can >> find the CPS in the repository. >> >> Regards, >> >> Matthias >> _______________________________________________ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
