On December 1, 2021, we began a three-week public discussion[1] on a
request from “Telia” for inclusion of its root certificate, the Telia Root
CA v2[2] (Step 4 of the Mozilla Root Store CA Application Process[3]).
Telia seeks enablement of both the websites and the email trust bits.

*Summary of Discussion and Completion of Action Items [Application Process,
Steps 5-8]:*

Moudrick Dadashov inquired about the relationship among the “Telia”
entities, noting that Telia Company AB (Sweden) and Telia Oy (Finland) are
two separate legal persons, and that the announcement of the public
discussion did not clarify which one was operating the CA that is the
subject of the inclusion request. I noted that the CCADB record reflected
“Telia Finland Oyj, part of Telia Company AB” as the applicant.

Pekka Lahtiharju, a representative of the Telia companies, responded that
“Telia” is a trademark recognized in the EU, but that “Telia Company AB” in
Sweden was the main company, while Telia Finland Oyj was its Finnish
affiliate responsible for publicly trusted CA services for the whole
company group, and that Telia Finland Oyj was also using Swedish Cygate AB
to perform CA and Registration Authority (RA) services for server
certificates, and that for signature certificates under the “Telia Class 3
CA” subordinate CA, Formpipe AB would serve as an external RA. (According
to the CCADB, that subordinate CA has EKUs of 1.2.840.113583.1.1.5 and
1.3.6.1.4.1.311.10.3.12 and a derived trust bit of “Document Signing.”)

Additional follow-up questions were about the RA relationships among Telia
Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK
ID Solutions (owned by Telia Company AB, Swedbank AB and SEB AB), and Telia
Lithuania (legal name Telia Lietuva AB).

Pekka responded that he couldn’t speak to SK ID Solutions because they were
a separate company, and that Telia Lietuva AB was a Telia affiliate, but
not an RA. He also responded that “[the] Swedish RA may not be directly
mentioned in CPS but none of our competitors is listing all their RA teams
either. All our CA/RA employees are internal Telia persons. Telia Company
AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj
and thus indirectly owner of Telia CA. Audit reports show how all our CA/RA
processes in all locations have passed audits with only minor deviations.
Auditors also verify all locations and roles of all trusted persons.”

Pekka also stated that all of the relevant public documentation was
available for review at https://cps.trust.telia.com.

We did not receive any other objections or other questions or comments in
opposition to Telia’s request.

There still remain the three, previously-mentioned, open incidents/bugs in
Bugzilla. However, I do not believe that these, or the issues mentioned
above, merit a delay in Mozilla’s approval decision.

*Close of Public Discussion and Intent to Approve [Application Process,
Steps 9-10]:*

This is notice that I am closing public discussion (Application Process,
Step 9) and that it is Mozilla’s intent to approve Telia’s request (Step
10).

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

[1]
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/52Gfr4dnJD8/m/yn5fpfnACQAJ

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1664161

[3] https://wiki.mozilla.org/CA/Application_Process#Process_Overview

On Thu, Dec 16, 2021 at 7:56 PM 'Moudrick M. Dadashov' via
[email protected] <[email protected]> wrote:

> Hi Corey,
>
> thank you, indeed I'm able to open all documents on my laptop (looks like
> a bug in my Docs to Go app).
>
> I'll proceed with responding to Pekka's email.
>
> Thanks,
> M.D.
>
> On 12/16/2021 9:40 PM, 'Corey Bonnell' via [email protected]
> wrote:
>
> Hi Moudrick,
>
> It would be worthwhile to try another PDF viewer, as I am successfully
> able to view the WebTrust report PDFs in Telia’s Repository using Firefox’s
> built-in PDF viewer without having to input any passwords.
>
>
>
> Thanks,
>
> Corey
>
>
>
> *From:* [email protected] <[email protected]>
> <[email protected]> *On Behalf Of *Moudrick Dadashov
> *Sent:* Thursday, December 16, 2021 2:22 PM
> *To:* Dimitris Zacharopoulos <[email protected]> <[email protected]>
> *Cc:* [email protected] <[email protected]>
> <[email protected]>; [email protected]
> <[email protected]> <[email protected]>;
> [email protected] <[email protected]> <[email protected]>
> *Subject:* Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>
>
>
> Thanks, Dimitris
>
>
>
> Indeed the directive links no longer require passwords, however those
> through WebTrust do (see attached).
>
>
>
> Thanks,
>
> M.D.
>
>
>
>
>
> On Thu, Dec 16, 2021, 20:42 Dimitris Zacharopoulos <[email protected]>
> wrote:
>
>
>
> On 16/12/2021 5:23 PM, Moudrick Dadashov wrote:
>
> Thank you, Pekka
>
>
>
> At least the audit reports in the Repository require password. Please
> advise.
>
>
>
>
> I managed to download and open all reports listed in
> https://cps.trust.telia.com/ under the "AUDIT REPORTS AND SEALS" section
> without any password issues.
>
> Dimitris.
>
>
> Thanks,
>
> M.D.
>
>
>
>
>
> On Thu, Dec 16, 2021, 09:44 [email protected] <
> [email protected]> wrote:
>
> All other Telia CA public documentation is here:
> https://cps.trust.telia.com.  If you think that something is missing
> specify what. All links in Ben's initial announcement look good to me.
> There are no unnecessary password protections.
>
>
>
> On Tuesday, December 14, 2021 at 19:51:31 UTC+2, [email protected] wrote:
>
> Thank you, Pekka
>
>
>
> Before we can continue our discussion, could you please add any other
> documents relevant to this request? Make sure the documents are not
> password protected.
>
>
>
> I’ve been relying on the documents listed in Ben's initial announcement.
>
>
>
> Thanks,
>
> M.D.
>
>
>
>
>
>
>
>
>
>
> -------- Original message --------
>
> From: "[email protected]" <[email protected]>
>
> Date: 12/14/21 16:01 (GMT+02:00)
>
> To: [email protected]
>
> Cc: "[email protected]" <[email protected]>, "
> [email protected]" <[email protected]>
>
> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>
>
>
> >You clarified that Telia CA is a group function of virtual Telia CA team
> from many Telia affiliates, in the meantime Mozilla accepts only real CA
> with disclosed locations that were "included in the scope of the audit or
> should have been included in the scope of the audit, whether the inspection
> was physically carried out in person at each location, and which audit
> criteria were checked (or not checked) at each location".
>
>
> I don't understand your statements above that we are not real or have not
> disclosed our locations or audit criteria. Telia CA is a real CA under
> Telia Finland Oyj which is affiliate company of Telia Company AB. This is
> clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in
> compliance with this CPS is Telia CA. The legal entity responsible of Telia
> CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia
> Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID
> 5561034249)." Also our annual Webtrust audits clearly state that both
> countries have been in the audit scope. E.g. the last Webtrust report is
> using this wording: "... in providing its SSL and non-SSL Certification
> Authority (CA) services in Finland and Sweden, throughout the period 1
> April 2020 to 31 March 2021, Telia has: -disclosed its SSL ...". The Full
> Webtrust audit reports are available at links below. Auditors have every
> year visited physically both countries since 2005 to verify all our
> operations. Also audit criteria (Webtrust and its versions) is clearly
> stated in our audit reports.
>
> >a) Is this audit material available somewhere?
>
> Yes, latest:
> https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf,
>
> https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
>
> >The documents provided under this request show that Telia Company AB is a
> PKI participant whose roles/responsibilities within the CA are not
> disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA
> functions/responsibilities rather than ownership details - BRs and Mozilla
> policy do not assume any privileges for owners, affiliates or groups - CA’s
> operational independence must be ensured and respected not only by its
> affiliates (including owners) but also by its own company management.
>
> I don't understand. All participants, locations and audit reports are
> disclosed on our public web pages Telia Certificate Services Repository
> <https://cps.trust.telia.com/>. Both RAs were included in the audits like
> explained above. Swedish RA may not be directly mentioned in CPS but none
> of our competitors is listing all their RA teams either. All our CA/RA
> employees are internal Telia persons. Telia Company AB hasn't any real
> CA/RA role, instead it is the owner of Telia Finland Oyj and thus
> indirectly owner of Telia CA. Audit reports show how all our CA/RA
> processes in all locations have passed audits with only minor deviations.
> Auditors also verify all locations and roles of all trusted persons.
> Company management assertions show that Telia Company Management is behind
> Telia CA. Our CP/CPS documents describe our processes in very detailed
> level. I think that different Telia company roles and responsibilities
> should be already clear but if any more responsibility description is
> required I'm happy to provide such.
>
>
>
> >b) according to RFC 3647 BRs and Mozilla policy require CP and CPS, while
> this root has CPS only, correct?
>
> Incorrect. Our disclosed CP/CPS is both at the same time. Chapter 1.2
> clearly states: "This CPS is also a CP for Telia OV, DV and Seal
> certificates.". In many CP/CPS chapters there is at first more general CP
> description and then below how Telia CA has implemented such things.
>
> >you explained that it's a Telia group function with two participants Telia
> Finland Oyj and Cygate AB, however based on 1) and the documents provided
> under this request, this CA has at least three PKI participants whose
> roles/responsibilities need to be disclosed.
>
> I don't understand what would be the third Telia CA/RA participant you are
> referring. Telia Company AB's role as the owner has been already covered in
> my previous comments. I don't think owner is any real CA/RA role. The only
> real (functional) roles belong to Telia Finland Oyj which has the legal
> responsibility of Telia CA and of the Finnish RA team and Cygate AB which
> has the legal responsibility of our Swedish RA team.
>
> >you explained that "We use affiliate like BR defines it", sorry, but this
> is misunderstanding - in BRs affiliate is used in specific CA/RA operation
> contexts, so please be as specific as possible, what is the role of the
> affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia
> Lietuva)?
> Telia Lithuania AB has no role in Telia CA/RA processes. Clear enough?
> They may be using Telia certificates there thus having "relying party" role.
>
> On Tuesday, December 14, 2021 at 11:55:37 UTC+2, [email protected]
> wrote:
>
> Thanks, Pekka
>
>
>
>
>
>
>
> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
> CA/RA operations?
>
>
>
> you clarified that Telia CA is a group function of virtual Telia CA team
> from many Telia affiliates, in the meantime Mozilla accepts only *real*
> CA with disclosed locations that were "*included in the scope of the
> audit or should have been included in the scope of the audit, whether the
> inspection was physically carried out in person at each location, and which
> audit criteria were checked (or not checked) at each location*".
>
>
>
> a) Is this audit material available somewhere?
>
>
>
> The documents provided under this request show that Telia Company AB is a *PKI
> participant* whose roles/responsibilities within the CA are not
> disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA
> functions/responsibilities rather than ownership details - BRs and Mozilla
> policy do not assume any privileges for owners, affiliates or groups - CA’s
> operational independence must be ensured and respected not only by its
> affiliates (including owners) but also by its own company management.
>
>
>
>
>
> b) according to RFC 3647 BRs and Mozilla policy require CP and CPS, while
> this root has CPS only, correct?
>
>
>
>
>
> 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>
>
>
> you explained that it's a Telia group function with two participants Telia
> Finland Oyj and Cygate AB, however based on 1) and the documents provided
> under this request, this CA has at least three PKI participants whose
> roles/responsibilities need to be disclosed.
>
>
>
>
>
> 3) what is "affiliate" in terms of specific CA/RA functions?
>
>
>
> you explained that "We use affiliate like BR defines it", sorry, but this
> is misunderstanding - in BRs affiliate is used in specific CA/RA operation
> contexts, so please be as specific as possible, what is the role of the
> affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia
> Lietuva)?
>
>
>
>
>
> Thanks,
>
> M.D.
>
>
>
>
>
>
>
>
> -------- Original message --------
>
> From: "[email protected]" <[email protected]>
>
> Date: 12/13/21 08:34 (GMT+02:00)
>
> To: [email protected]
>
> Cc: "[email protected]" <[email protected]>
>
> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>
>
>
> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
> CA/RA operations?
>
> The main company “Telia Company AB” is the owner of the other Telia
> organizations (aka companies aka subsidiaries aka affiliates). Telia
> Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company
> group, each subsidiary is responsible for running the operations. Telia
> Finland Oyj is the legal entity running Telia CA operations. Telia
> employees from many Telia companies may belong to group functions that
> create systems for the whole Telia group. E.g. Telia CA is a group function
> so that persons in virtual Telia CA team come from many Telia affiliates
> and thus from many countries. Complex but big enterprises may work like
> this. To simplify a bit you can say that Telia Finland is running Telia CA
> using resources from many Telia affiliates. And all is owned by Telia
> Company AB. All Telia CA employees belong legally to one of the Telia
> affiliates.
>
>  2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>
> Telia CA Policy Management team is also a Telia group function like
> described above. Currently it has members from “Telia Finland Oyj” and
> “Cygate AB”.
>
>  3) what is "affiliate" in terms of specific CA/RA functions?
>
> We use affiliate like BR defines it: “*Affiliate*: A corporation,
> partnership, joint venture or other entity controlling, controlled by, or
> under common control with another entity, or an agency, department,
> political subdivision, or any entity operating under the direct control of
> a Government Entity.” Resources to run CA/RA come from several Telia
> affiliates but CA belongs legally to Telia Finland Oyj. One RA belongs to
> and is run by Telia Finland Oyj and the other belongs to Cygate AB.
>
> On Monday, December 13, 2021 at 0:28:41 UTC+2, [email protected] wrote:
>
> Forwarding to the list
>
>
>
>
>
>
>
>
>
>
>
>
> -------- Original message --------
>
> From: md <[email protected]>
>
> Date: 12/8/21 17:02 (GMT+02:00)
>
> To: "Lahtiharju, Pekka" <[email protected]>, Ben Wilson <
> [email protected]>
>
> Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali"
> <[email protected]>
>
> Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
>
>
>
> Good day, Pekka
>
>
>
> Let’s focus on information directly relevant to this CA. As you already
> explained, "Telia" is just a trademark used by Telia Finland Oyj, which is
> the CA - a legal entity behind this  root inclusion request.
>
>
>
> You have also clarified that Telia Finland Oyj has two (undisclosed) RAs
> and a number of so called affiliates. We still need to understand:
>
>
>
> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
> CA/RA operations?
>
>
>
> 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>
>
>
> 3) what is "affiliate" in terms of specific CA/RA functions?
>
>
>
> Thanks,
>
> M.D.
>
>
>
>
>
>
>
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
>
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org?utm_medium=email&utm_source=footer>
> .
>
