Thanks,
M.D.
On Thu, Dec 16, 2021, 09:44 [email protected]
<[email protected]> wrote:
All other Telia CA public documentation is here:
https://cps.trust.telia.com. If you think that something is
missing specify what. All links in Ben's initial announcement look
good to me. There are no unnecessary password protections.
On Tuesday, 14 December 2021 at 19:51:31 UTC+2, [email protected] wrote:
Thank you, Pekka
Before we can continue our discussion, could you please add
any other documents relevant to this request? Make sure the
documents are not password protected.
I’ve been relying on the documents listed in Ben's initial
announcement.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "[email protected]"
<[email protected]>
Date: 12/14/21 16:01 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia
Root CA v2
>You clarified that Telia CA is a group function of virtual
Telia CA team from many Telia affiliates, in the meantime
Mozilla accepts only real CA with disclosed locations that
were "included in the scope of the audit or should have been
included in the scope of the audit, whether the inspection was
physically carried out in person at each location, and which
audit criteria were checked (or not checked) at each location".
I don't understand your statements above that we are not real
or have not disclosed our locations or audit criteria. Telia CA is
a real CA under Telia Finland Oyj which is affiliate company
of Telia Company AB. This is clearly disclosed in our CPS
1.3.1 using this wording: "The CA operating in compliance with
this CPS is Telia CA. The legal entity responsible of Telia CA
is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9).
Telia Finland Oyj is part of Swedish company “Telia Company
AB” (BusinessID 5561034249)." Also our annual Webtrust audits
clearly state that both countries have been in the audit
scope. E.g. the last Webtrust report uses this wording:
"... in providing its SSL and non-SSL Certification Authority
(CA) services in Finland and Sweden, throughout the period 1
April 2020 to 31 March 2021, Telia has: -disclosed its SSL
...". The full Webtrust audit reports are available at the links
below. Auditors have every year physically visited both
countries since 2005 to verify all our operations. Also the
audit criteria (Webtrust and its versions) are clearly stated
in our audit reports.
>a) Is this audit material available somewhere?
Yes, latest:
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf,
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
>The documents provided under this request show that Telia
Company AB is a PKI participant whose roles/responsibilities
within the CA are not disclosed. I’d suggest in your answers
to focus on Telia Company AB CA/RA functions/responsibilities
rather than ownership details - BRs and Mozilla policy do not
assume any privileges for owners, affiliates or groups - CA’s
operational independence must be ensured and respected not
only by its affiliates (including owners) but also by its own
company management.
I don't understand. All participants, locations and audit
reports are disclosed on our public web pages Telia
Certificate Services Repository
<https://cps.trust.telia.com/>. Both RAs were included in the
audits like explained above. Swedish RA may not be directly
mentioned in CPS but none of our competitors is listing all
their RA teams either. All our CA/RA employees are internal
Telia persons. Telia Company AB hasn't any real CA/RA role,
instead it is the owner of Telia Finland Oyj and thus
indirectly owner of Telia CA. Audit reports show how all our
CA/RA processes in all locations have passed audits with only
minor deviations. Auditors also verify all locations and roles
of all trusted persons. Company management assertions show
that Telia Company Management is behind Telia CA. Our CP/CPS
documents describe our processes at a very detailed level. I
think that different Telia company roles and responsibilities
should be already clear but if any more responsibility
description is required I'm happy to provide such.
>b) according to RFC 3647 BRs and Mozilla policy require CP
and CPS, while this root has CPS only, correct?
Incorrect. Our disclosed CP/CPS is both at the same time.
Chapter 1.2 clearly states: "This CPS is also a CP for Telia
OV, DV and Seal certificates.". In many CP/CPS chapters there
is at first more general CP description and then below how
Telia CA has implemented such things.
>you explained that it's a Telia group function with two
participants Telia Finland Oyj and Cygate AB, however based on
1) and the documents provided under this request, this CA has
at least three PKI participants whose roles/responsibilities
need to be disclosed.
I don't understand what would be the third Telia CA/RA
participant you are referring to. Telia Company AB's role as the
owner has been already covered in my previous comments. I
don't think owner is any real CA/RA role. The only real
(functional) roles belong to Telia Finland Oyj which has the
legal responsibility of Telia CA and of the Finnish RA team
and Cygate AB which has the legal responsibility of our
Swedish RA team.
>you explained that "We use affiliate like BR defines it",
sorry, but this is misunderstanding - in BRs affiliate is used
in specific CA/RA operation contexts, so please be as specific
as possible, what is the role of the affiliate you mentioned
earlier - Telia Lithuania (legal name AB Telia Lietuva)?
Telia Lithuania AB has no role in Telia CA/RA processes. Clear
enough? They may be using Telia certificates there thus having
"relying party" role.
On Tuesday, 14 December 2021 at 11:55:37 UTC+2,
[email protected] wrote:
Thanks, Pekka
1) How/if Telia Company AB (Sweden) is involved in Telia
Finland Oyj’s CA/RA operations?
you clarified that Telia CA is a group function of virtual
Telia CA team from many Telia affiliates, in the meantime
Mozilla accepts only *real* CA with disclosed locations
that were "included in the scope of the audit or should
have been included in the scope of the audit, whether the
inspection was physically carried out in person at each
location, and which audit criteria were checked (or not
checked) at each location".
a) Is this audit material available somewhere?
The documents provided under this request show that Telia
Company AB is a *PKI participant* whose
roles/responsibilities within the CA are not disclosed.
I’d suggest in your answers to focus on Telia Company AB
CA/RA functions/responsibilities rather than ownership
details - BRs and Mozilla policy do not assume any
privileges for owners, affiliates or groups - CA’s
operational independence must be ensured and respected not
only by its affiliates (including owners) but also by its
own company management.
b) according to RFC 3647 BRs and Mozilla policy require CP
and CPS, while this root has CPS only, correct?
2) does "Telia CA Policy Management Team" mean Telia
Finland Oyj?
you explained that it's a Telia group function with two
participants Telia Finland Oyj and Cygate AB, however
based on 1) and the documents provided under this request,
this CA has at least three PKI participants whose
roles/responsibilities need to be disclosed.
3) what is "affiliate" in terms of specific CA/RA functions?
you explained that "We use affiliate like BR defines it",
sorry, but this is misunderstanding - in BRs affiliate is
used in specific CA/RA operation contexts, so please be as
specific as possible, what is the role of the affiliate
you mentioned earlier - Telia Lithuania (legal name AB
Telia Lietuva)?
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "[email protected]"
<[email protected]>
Date: 12/13/21 08:34 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia
Root CA v2
1) How/if Telia Company AB (Sweden) is involved in Telia
Finland Oyj’s CA/RA operations?
The main company “Telia Company AB” is the owner of the
other Telia organizations (aka companies aka subsidiaries
aka affiliates). Telia Finland Oyj and Cygate AB are such
subsidiaries. Within Telia Company group, each subsidiary
is responsible for running the operations. Telia Finland
Oyj is the legal entity running Telia CA operations. Telia
employees from many Telia companies may belong to group
functions that create systems for the whole Telia group.
E.g. Telia CA is a group function so that persons in
virtual Telia CA team come from many Telia affiliates and
thus from many countries. Complex but big enterprises may
work like this. To simplify a bit you can say that Telia
Finland is running Telia CA using resources from many
Telia affiliates. And all is owned by Telia Company AB.
All Telia CA employees belong legally to one of the Telia
affiliates.
2) does "Telia CA Policy Management Team" mean Telia
Finland Oyj?
Telia CA Policy Management team is also a Telia group
function like described above. Currently it has members
from “Telia Finland Oyj” and “Cygate AB”.
3) what is "affiliate" in terms of specific CA/RA functions?
We use affiliate like BR defines it: “*Affiliate*: A
corporation, partnership, joint venture or other entity
controlling, controlled by, or under common control with
another entity, or an agency, department, political
subdivision, or any entity operating under the direct
control of a Government Entity.” Resources to run CA/RA
come from several Telia affiliates but CA belongs legally
to Telia Finland Oyj. One RA belongs to and is run by
Telia Finland Oyj and the other belongs to Cygate AB.
On Monday, 13 December 2021 at 0:28:41 UTC+2,
[email protected] wrote:
Forwarding to the list
Sent from my Galaxy
-------- Original message --------
From: md <[email protected]>
Date: 12/8/21 17:02 (GMT+02:00)
To: "Lahtiharju, Pekka"
<[email protected]>, Ben Wilson
<[email protected]>
Cc: "Liimatainen, Mika A."
<[email protected]>, "Gholami, Ali"
<[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia
Root CA v2
Good day, Pekka
Let’s focus on information directly relevant to this
CA. As you already explained, "Telia" is just a
trademark used by Telia Finland Oyj, which is the CA -
a legal entity behind this root inclusion request.
You have also clarified that Telia Finland Oyj has two
(undisclosed) RAs and a number of so called
affiliates. We still need to understand:
1) How/if Telia Company AB (Sweden) is involved in
Telia Finland Oyj’s CA/RA operations?
2) does "Telia CA Policy Management Team" mean Telia
Finland Oyj?
3) what is "affiliate" in terms of specific CA/RA
functions?
Thanks,
M.D.
Sent from my Galaxy
--
You received this message because you are subscribed to
the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org?utm_medium=email&utm_source=footer>.