Hi Corey,

thank you, indeed I'm able to open all documents on my laptop (looks like a bug in my Docs to Go app).

I'll proceed with responding to Pekko's email.

Thanks,
M.D.

On 12/16/2021 9:40 PM, 'Corey Bonnell' via [email protected] wrote:

Hi Moudrick,

It would be worthwhile to try another PDF viewer, as I am successfully able to view the WebTrust report PDFs in Telia’s Repository using Firefox’s built-in PDF viewer without having to input any passwords.

Thanks,

Corey

*From:* [email protected] <[email protected]> *On Behalf Of* Moudrick Dadashov
*Sent:* Thursday, December 16, 2021 2:22 PM
*To:* Dimitris Zacharopoulos <[email protected]>
*Cc:* [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>
*Subject:* Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

Thanks, Dimitris

Indeed the directive links no longer require passwords, however those through WebTrust do (see attached).

Thanks,

M.D.

On Thu, Dec 16, 2021, 20:42 Dimitris Zacharopoulos <[email protected]> wrote:

    On 16/12/2021 5:23 PM, Moudrick Dadashov wrote:

        Thank you, Pekka

        At least the audit reports in the Repository require a password.
        Please advise.


    I managed to download and open all reports listed in
    https://cps.trust.telia.com/ under the "AUDIT REPORTS AND SEALS"
    section without any password issues.

    Dimitris.


        Thanks,

        M.D.

        On Thu, Dec 16, 2021, 09:44 [email protected]
        <[email protected]> wrote:

            All other Telia CA public documentation is here:
            https://cps.trust.telia.com.  If you think that something
            is missing specify what. All links in Ben's initial
            announcement look good to me. There are no unnecessary
            password protections.

            On Tuesday, 14 December 2021 at 19:51:31 UTC+2, [email protected]
            wrote:

                Thank you, Pekka

                Before we can continue our discussion, could you
                please add any other documents relevant to this
                request? Make sure the documents are not password
                protected.

                I’ve been relying on the documents listed in Ben's
                initial announcement.

                Thanks,

                M.D.

                Sent from my Galaxy

                -------- Original message --------

                From: "[email protected]"
                <[email protected]>

                Date: 12/14/21 16:01 (GMT+02:00)

                To: [email protected]

                Cc: "[email protected]" <[email protected]>,
                "[email protected]"
                <[email protected]>

                Subject: Re: FW: RE: Public Discussion: Inclusion of
                Telia Root CA v2

                >You clarified that Telia CA is a group function of
                virtual Telia CA team from many Telia affiliates, in
                the meantime Mozilla accepts only real CA with
                disclosed locations that were "included in the scope
                of the audit or should have been included in the scope
                of the audit, whether the inspection was physically
                carried out in person at each location, and which
                audit criteria were checked (or not checked) at each
                location".


                I don't understand your statements above that we are
                not real or have not disclosed our locations or audit
                criteria. Telia CA is a real CA under Telia Finland
                Oyj which is affiliate company of Telia Company AB.
                This is clearly disclosed in our CPS 1.3.1 using this
                wording: "The CA operating in compliance with this CPS
                is Telia CA. The legal entity responsible of Telia CA
                is Finnish company “Telia Finland Oyj” (BusinessID
                1475607-9). Telia Finland Oyj is part of Swedish
                company “Telia Company AB” (BusinessID 5561034249)."
                Also our annual Webtrust audits clearly state that
                both countries have been in the audit scope. E.g. the
                last Webtrust report is using this wording: "... in
                providing its SSL and non-SSL Certification Authority
                (CA) services in Finland and Sweden, throughout the
                period 1 April 2020 to 31 March 2021, Telia has:
                -disclosed its SSL ...". The Full Webtrust audit
                reports are available at links below. Auditors have
                every year visited physically both countries since
                2005 to verify all our operations. Also audit
                criteria (Webtrust and its versions) is clearly stated
                in our audit reports.

                >a) Is this audit material available somewhere?

                Yes, latest:
                https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf,
                https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf

                >The documents provided under this request show that
                Telia Company AB is a PKI participant whose
                roles/responsibilities within the CA are not
                disclosed. I’d suggest in your answers to focus on
                Telia Company AB CA/RA functions/responsibilities
                rather than ownership details - BRs and Mozilla policy
                do not assume any privileges for owners, affiliates or
                groups - CA’s operational independence must be ensured
                and respected not only by its affiliates (including
                owners) but also by its own company management.

                I don't understand. All participants, locations and
                audit reports are disclosed on our public web pages
                Telia Certificate Services Repository
                <https://cps.trust.telia.com/>. Both RAs were included
                in the audits like explained above. Swedish RA may not
                be directly mentioned in CPS but none of our
                competitors is listing all their RA teams either. All
                our CA/RA employees are internal Telia persons. Telia
                Company AB hasn't any real CA/RA role, instead it is
                the owner of Telia Finland Oyj and thus indirectly
                owner of Telia CA. Audit reports show how all our
                CA/RA processes in all locations have passed audits
                with only minor deviations. Auditors also verify all
                locations and roles of all trusted persons.  Company
                management assertions show that Telia Company
                Management is behind Telia CA. Our CP/CPS documents
                describe our processes in very detailed level. I think
                that different Telia company roles and
                responsibilities should be already clear but if any
                more responsibility description is required I'm happy
                to provide such.



                >b) according to RFC 3647 BRs and Mozilla policy
                require CP and CPS, while this root has CPS only, correct?

                Incorrect. Our disclosed CP/CPS is both at the same
                time. Chapter 1.2 clearly states: "This CPS is also a
                CP for Telia OV, DV and Seal certificates.". In many
                CP/CPS chapters there is at first more general CP
                description and then below how Telia CA has
                implemented such things.

                >you explained that it's a Telia group function with
                two participants Telia Finland Oyj and Cygate AB,
                however based on 1) and the documents provided under
                this request, this CA has at least three PKI
                participants whose roles/responsibilities need to be
                disclosed.

                I don't understand what would be the third Telia CA/RA
                participant you are referring to. Telia Company AB's role
                as the owner has been already covered in my previous
                comments. I don't think owner is any real CA/RA role.
                The only real (functional) roles belong to Telia
                Finland Oyj which has the legal responsibility of
                Telia CA and of the Finnish RA team and Cygate AB
                which has the legal responsibility of our Swedish RA
                team.

                >you explained that "We use affiliate like BR defines
                it", sorry, but this is misunderstanding - in BRs
                affiliate is used in specific CA/RA operation
                contexts, so please be as specific as possible, what
                is the role of the affiliate you mentioned earlier -
                Telia Lithuania (legal name AB Telia Lietuva)?

                Telia Lithuania AB has no role in Telia CA/RA
                processes. Clear enough? They may be using Telia
                certificates there thus having "relying party" role.

                On Tuesday, 14 December 2021 at 11:55:37 UTC+2,
                [email protected] wrote:

                    Thanks, Pekka

                    1) How/if Telia Company AB is (Sweden) involved in
                    Telia Finland Oyj’s CA/RA operations?

                    you clarified that Telia CA is a group function of
                    virtual Telia CA team from many Telia affiliates,
                    in the meantime Mozilla accepts only *real* CA
                    with disclosed locations that were "/included in
                    the scope of the audit or should have been
                    included in the scope of the audit, whether the
                    inspection was physically carried out in person at
                    each location, and which audit criteria were
                    checked (or not checked) at each location/".

                    a) Is this audit material available somewhere?

                    The documents provided under this request show
                    that Telia Company AB is a *PKI participant* whose
                    roles/responsibilities within the CA are not
                    disclosed. I’d suggest in your answers to focus on
                    Telia Company AB CA/RA functions/responsibilities
                    rather than ownership details - BRs and Mozilla
                    policy do not assume any privileges for owners,
                    affiliates or groups - CA’s operational
                    independence must be ensured and respected not
                    only by its affiliates (including owners) but also
                    by its own company management.

                    b) according to RFC 3647 BRs and Mozilla policy
                    require CP and CPS, while this root has CPS only,
                    correct?

                    2) does "Telia CA Policy Management Team" mean
                    Telia Finland Oyj?

                    you explained that it's a Telia group function with
                    two participants Telia Finland Oyj and Cygate AB,
                    however based on 1) and the documents provided
                    under this request, this CA has at least three PKI
                    participants whose roles/responsibilities need to
                    be disclosed.

                    3) what is "affiliate" in terms of specific CA/RA
                    functions?

                    you explained that "We use affiliate like BR
                    defines it", sorry, but this is misunderstanding -
                    in BRs affiliate is used in specific CA/RA
                    operation contexts, so please be as specific as
                    possible, what is the role of the affiliate you
                    mentioned earlier - Telia Lithuania (legal name AB
                    Telia Lietuva)?

                    Thanks,

                    M.D.

                    Sent from my Galaxy

                    -------- Original message --------

                    From: "[email protected]"
                    <[email protected]>

                    Date: 12/13/21 08:34 (GMT+02:00)

                    To: [email protected]

                    Cc: "[email protected]" <[email protected]>

                    Subject: Re: FW: RE: Public Discussion: Inclusion
                    of Telia Root CA v2

                    1) How/if Telia Company AB is (Sweden) involved in
                    Telia Finland Oyj’s CA/RA operations?

                    The main company “Telia Company AB” is the owner
                    of the other Telia organizations (aka companies
                    aka subsidiaries aka affiliates). Telia Finland
                    Oyj and Cygate AB are such subsidiaries. Within
                    Telia Company group, each subsidiary is
                    responsible for running the operations. Telia
                    Finland Oyj is the legal entity running Telia CA
                    operations. Telia employees from many Telia
                    companies may belong to group functions that
                    create systems for the whole Telia group. E.g.
                    Telia CA is a group function so that persons in
                    virtual Telia CA team come from many Telia
                    affiliates and thus from many countries. Complex
                    but big enterprises may work like this. To
                    simplify a bit you can say that Telia Finland is
                    running Telia CA using resources from many Telia
                    affiliates. And all is owned by Telia Company AB.
                    All Telia CA employees belong legally to one of
                    the Telia affiliates.

                     2) does "Telia CA Policy Management Team" mean
                    Telia Finland Oyj?

                    Telia CA Policy Management team is also a Telia
                    group function like described above. Currently it
                    has members from “Telia Finland Oyj” and “Cygate AB”.

                     3) what is "affiliate" in terms of specific CA/RA
                    functions?

                    We use affiliate like BR defines it: “*Affiliate*:
                    A corporation, partnership, joint venture or other
                    entity controlling, controlled by, or under common
                    control with another entity, or an agency,
                    department, political subdivision, or any entity
                    operating under the direct control of a Government
                    Entity.” Resources to run CA/RA come from several
                    Telia affiliates but CA belongs legally to Telia
                    Finland Oyj. One RA belongs to and is run by Telia
                    Finland Oyj and the other belongs to Cygate AB.

                    On Monday, 13 December 2021 at 0:28:41 UTC+2,
                    [email protected] wrote:

                        Forwarding to the list

                        Sent from my Galaxy

                        -------- Original message --------

                        From: md <[email protected]>

                        Date: 12/8/21 17:02 (GMT+02:00)

                        To: "Lahtiharju, Pekka"
                        <[email protected]>, Ben Wilson
                        <[email protected]>

                        Cc: "Liimatainen, Mika A."
                        <[email protected]>, "Gholami, Ali"
                        <[email protected]>

                        Subject: RE: Public Discussion: Inclusion of
                        Telia Root CA v2

                        Good day, Pekka

                        Let’s focus on information directly relevant
                        to this CA. As you already explained, "Telia"
                        is just a trademark used by Telia Finland Oyj,
                        which is the CA - a legal entity behind this
                        root inclusion request.

                        You have also clarified that Telia Finland Oyj
                        has two (undisclosed) RAs and a number of so
                        called affiliates. We still need to understand:

                        1) How/if Telia Company AB is (Sweden)
                        involved in Telia Finland Oyj’s CA/RA operations?

                        2) does "Telia CA Policy Management Team" mean
                        Telia Finland Oyj?

                        3) what is "affiliate" in terms of specific
                        CA/RA functions?

                        Thanks,

                        M.D.

                        Sent from my Galaxy

                    -- You received this message because you are
                    subscribed to the Google Groups
                    "[email protected]" group.
                    To unsubscribe from this group and stop receiving
                    emails from it, send an email to
                    [email protected].

                    To view this discussion on the web visit
                    https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org
