Thanks, Pekka

Disclosing shared CA resources

I’m looking for the CA's human/material resources that are shared with third parties (irrelevant to ownership), in your response I see only the names of three companies.

The audit report

You explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand.", the problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).

If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:

"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."

So, we have two different audit scenarios here:

a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB need to be audited according to their roles.

b) in case if Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB need to be audited according to their roles.

Again, this has nothing to do with ownership relationship.

Separation of CP and CPS provisions

You explain that "There are no requirements to specifically separate CP and CPS texts.", according to RFC content of these two documents should be different. I’m ok with the combined document CP/CPS (but not content!) - I can’t see which part of combined document should be considered CP. At least section/page numbers could help.

Audit scope

Sorry, I can't accept your arguments, see The audit report above.

********************

To sum-up, obviously we are in a loop, I don’t see any reason to change my opinion (see 2021-12-29 email).

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "[email protected]" <[email protected]>
Date: 1/4/22 16:54 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, Ryan Sleevi <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

>> "CA Resources have been clearly identified above to be located in Finnish "Telia Finland Oyj" and in Swedish "Cygate AB".

> Sorry, could you point us to specific URL's with page numbers?

"Above" in my comment refers to this discussion where I have disclosed in very detailed level how the three legal entities are involved: "Telia Finland Oyj", "Cygate AB", "Telia Company AB". On the other hand on CPS chapter 1.3.1 we clearly say: "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)."

>> "Auditors have audited all related CA operations annually based on publicly disclosed Telia CP/CPS."

> "all related CA operations" is not sufficient: as noted earlier, it's not clear which legal entity is the CA - the references I provided were on behalf of Telia Company AB, however applicant of this request is Telia Finland Oyj - from CA operations point of view these should be two different (independent) entities (no matter who owns what).

The new root has O value "Telia Finland Oyj" meaning that it is the legal entity responsible of it. CPS also states it clearly like seen in my previous comment. Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand.

> Besides, we don't know which [parts of CPS] constitute the CP. If you disclose this clearly, then we'll see what criteria auditors have checked.

There are no requirements to specifically separate CP and CPS texts. Auditors used our combined CP/CPS in their audit like stated in audit reports. So they have audited both CP and CPS. Audit report is stating also which CP/CPS version was used.

>> "Audit scope in audit reports has been legal entity "Telia Company AB (Telia)" that is the main company. This audit scope covers both mentioned affiliate legal entities practically participating into Telia CA processes."

> But we need audit reports issued to Telia Finland Oyj, which should be the only "main company". We don't care who owns Telia Finland Oyj unless the CA shares its operational resources with third parties (including owners). In all other cases, let's forget about Telia Company AB. :)

Audit report based on Telia CP/CPS was using wording "Telia Company AB's ... CA operations in Finland and Sweden" in case when CP/CPS is stating that legal entity responsible is "Telia Finland Oyj". This should make it clear to everybody that "Telia Finland Oyj" was audited.

>> "We can ask auditors to add all three company names in the future audit reports if it makes audit results clearer."

> I'm afraid this is misunderstanding - the CA under this request should be a clearly disclosed legal entity (ownership is out of scope here). If the CA operations rely on other party's (e.g. owner's, affiliate's etc.) material or human resources, you need to disclose those shared resources and have auditors do appropriate check ups. If this information already exist, please give us specific references.

This is just semantic nonsense. In my previous comments I made it clear above that the responsible legal entity "Telia Finland Oyj" (and also Telia CA parts in Sweden) have been audited. We can ask auditors to write this more closely into the next reports if more detailed description is necessary.

>> "I think the used audit criteria and locations (Finland and Sweden) are clearly stated in the audit reports."

> OK, if you think so, just indicate specific audit report pages.

In both these links (=our audit reports)...

https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf

... on the first KPMG page in the first paragraph KPMG auditor has written this text: "Telia Company AB's ... CA operations in Finland and Sweden". Then later on the same page they state which Webtrust criteria was used. I can't understand how anybody may miss seeing company, locations or criteria that was used. To understand that legal entity behind Telia CA is "Telia Finland Oyj" and that it is affiliate to "Telia Company AB" you have to read also CP/CPS 1.3.1.

On Tuesday, 4 January 2022 at 13:02:41 UTC+2, [email protected] wrote:

Thanks, Pekka

"Your comment is again full of inaccurate claims and
accusations without any evidence."

I understand your frustration - we have different knowledge what Telia Company AB is - unfortunately you are limited to ownership and company reports, but the reality is completely different.

"This conversation is about Telia CA Root application to Mozilla and your unclear SK/Eidas/QS comments are not related to this at all."

Correct, in my last comment I responded to Ryan's questions. Don't mix this up with my previous comment about Telia Finland Oyj's Root inclusion request, ok?

"Telia Company AB is by no means any "high risk" applicant."

Quoting out of context is one well known methods. If you read carefully, I explained why this is a high risk application.

"Semi-government company": Telia Company is a normal private company".

Semi-government means a hybrid entity partly owned by Government (~40%).
https://www.teliacompany.com/en/investors/share-related-information/shareholdings/

"CA Resources have been clearly identified above to be located in Finnish "Telia Finland Oyj" and in Swedish "Cygate AB".

Sorry, could you point us to specific URL's with page numbers?

"Auditors have audited all related CA operations annually based on publicly disclosed Telia CP/CPS."

"all related CA operations" is not sufficient: as noted earlier, it's not clear which legal entity is the CA - the references I provided were on behalf of Telia Company AB, however applicant of this request is Telia Finland Oyj - from CA operations point of view these should be two different (independent) entities (no matter who owns what).

Besides, we don't know which [parts of CPS] constitute the CP. If you disclose this clearly, then we'll see what criteria auditors have checked.

"Audit scope in audit reports has been legal entity "Telia Company AB (Telia)" that is the main company. This audit scope covers both mentioned affiliate legal entities practically participating into Telia CA processes."

But we need audit reports issued to Telia Finland Oyj, which should be the only "main company". We don't care who owns Telia Finland Oyj unless the CA shares its operational resources with third parties (including owners). In all other cases, let's forget about Telia Company AB. :)

"We can ask auditors to add all three company names in the future audit reports if it makes audit results clearer."

I'm afraid this is misunderstanding - the CA under this request should be a clearly disclosed legal entity (ownership is out of scope here). If the CA operations rely on other party's (e.g. owner's, affiliate's etc.) material or human resources, you need to disclose those shared resources and have auditors do appropriate check ups. If this information already exist, please give us specific references.

"I think the used audit criteria and locations (Finland and Sweden) are clearly stated in the audit reports."

OK, if you think so, just indicate specific audit report pages.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "[email protected]" <[email protected]>
Date: 1/4/22 08:50 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, Ryan Sleevi <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

Your comment is again full of
inaccurate claims and accusations without any evidence. Again: SK ID Solutions is not an affiliate of Telia Company AB (check annual report that is listing affiliates). Telia CA has nothing to do with them. This conversation is about Telia CA Root application to Mozilla and your unclear SK/Eidas/QS comments are not related to this at all. I wonder how long this kind of hostile discussion is tolerated by Mozilla.

- "High Risk": Telia Company AB is by no means any "high risk" applicant. Telia CA has been a normal Root CA already more than 15 years without any security related issues in any of annual audit results. All BR rules have been followed during that time. Only minor technical deviations have ever been identified. Recently Telia also joined to CAB Forum work also.

- "Semi-government company": Telia Company is a normal private company. Check https://www.teliacompany.com/en: Founded in 1853. The share is listed at Nasdaq Stockholm and Nasdaq Helsinki. Approximately 490,000 shareholders. 20,800 employees. Net sales SEK 89,191 million.

- "The problem here is that the CA resources need to be clearly identified and audited": CA Resources have been clearly identified above to be located in Finnish "Telia Finland Oyj" and in Swedish "Cygate AB". The full CA organization and system has been audited annually in both countries and in both companies. Auditors have got exact person details who belong to Telia CA and audit has been focused on those persons and their legal entities and how they implement Telia CA.

- "the discussion is about CA operations not ownership"
I agree. Auditors have audited all related CA operations annually based on publicly disclosed Telia CP/CPS.

- "the subject of audit should be a legal entity, not a country"
Audit scope in audit reports has been legal entity "Telia Company AB (Telia)" that is the main company. This audit scope covers both mentioned affiliate legal entities practically participating into Telia CA processes.

- "CA/Browser Forum Baseline Requirements Audit Report 2021 (15 pages). In this report there is no reference to Telia Finland Oyj."
In audit reports there is reference to main company "Telia Company AB" because auditors kept it as better because Telia CA functions are carried by both affiliates: "Telia Finland Oyj" and "Cygate AB". We can ask auditors to add all three company names in the future audit reports if it makes audit results clearer.

- "Telia Public Response to Audit 2021, In this single page document no reference to Telia Company AB or Telia Finland Oyj."
Incorrect, footer has identification of entity that created this response which is: Telia Finland Oyj

- "Mozilla policy requires clear indication of which audit criteria were checked (or not checked) at each location" - as you don’t have a CP and the relevant parts are not identified in the CP/CPS, it's unclear what criteria you are talking about."
I don't understand. We have CP (combined CP/CPS) that identifies the legal entities. I think the used audit criteria and locations (Finland and Sweden) are clearly stated in the audit reports. Both locations were using the same criteria. For WTCA criteria it is clearly written there "...in accordance with the WebTrust Principles and Criteria for Certificate Authorities v2.2.1." and for WTBR is using "...in accordance with the WebTrust Principles and Criteria for Certificate Authorities - SSL Baseline with Network Security v2.4.1."

On Monday, 3 January 2022 at 18:38:08 UTC+2, [email protected] wrote:

1. RE "recent eIDAS & GDPR misimplementation chaos
started"

1.1 misimplementation means an instance of applying something incorrectly

1.1.1 instance means a data object that Telia's affiliates - SK ID Solutions (formerly AS Sertifitseerimeskeskus) together with its RA - Omnitel (legal name - AB Telia Lietuva) have been issuing to the public as "qualified certificate" (QS).

1.1.2 something means "Qualified certificate" - a complex data structure that was initially defined in directive 1999/93/EC. For clarity, the QS in 1.1.1 (which is incompatible with the directive) is called surrogate QS.

1.1.3 Worth mentioning also evaluation of legality of surrogate QS by:

a) the Data Protection Authority (legal name Valstybinė duomenų apsaugos inspekcija - VDAI) ordered Omnitel to stop issuing surrogate QSs. This order is still ignored (how and why can be discussed separately);

b) the Supreme administrative court which ruled that surrogate QS violates the Data protection law (an implementation of directive 95/46/EC, now regulation 2016/679 - GDPR). This is also ignored (how and why can be discussed separately).

See case translation here: https://journals.sas.ac.uk/deeslr/article/download/2142/2072/

1.1.4 based on the above, misimplementation of directive 1999/93/EC means incorrect application of Article 2 (10) (and Article 8 and Annex I). For technical details see the surrogate QC profiles here: https://www.skidsolutions.eu/en/repository/CPS/

1.1.5 the regulation 910/2014 (eIDAS) enhances and expands the acquis of Directive 1999/93/EB - its transitional measure (Article 51 (2)) provision the conditions for the recognition of QSs (issued according to directive 1999/93/EC) as qualified electronic signature certificates (QESC) under eIDAS.

1.1.6 the fact that SK ID Solutions together with its unaudited RA - AB Telia Lietuva:

a) within transitional period issued surrogate QSs only, means incorrect application of eIDAS Article 51;

b) after transitional period have been issuing surrogate QSs only, means incorrect application of eIDAS Article 28 (1) - (3).

1.1.7 based on the above, misimplementation of eIDAS means incorrect application of Article 5, 28 (1) - (2) and 51 (2).

1.2 chaos means complete confusion and disorder

1.2.1 when surrogate QCs are accepted as QESCs, it is confusion.

1.2.2 eIDAS has at least three directly applicable mechanisms to prevent issuing surrogate QCs, but none of them worked as expected (disorder):

a) TSP audit by CAB - surrogate QCs were accepted;

b) TSP "qualified service" assessment by the Supervisory body - surrogate QCs were accepted;

c) Trust list management by the Scheme operator under the Commission implementing decision 2015/1505 - surrogate QCs were accepted.

2. RE "This sounds like you're specifically referring to actions taken by Telia Company AB"

Correct. Telia Company AB is the driving force of an ”organized group”, where

a) The Swedish government creates "favorable conditions" in the countries of Telia Company AB's business operation (at least easy access to local governments is guaranteed);

b) The Telia Company AB management partners with local governments so that the doors of relevant institutions (agencies) are open to its local affiliate (remember "What's good for General Motors is good for the country"?)
https://m.facebook.com/story.php?story_fbid=10156465065383408&id=96251623407&m_entstream_source=video_home&player_suborigin=entry_point&player_format=permalink

c) The Telia Company AB affiliate develops "special relationship" with the institutions so that at least supervision of its business is completely "switched off", this includes lobbying any desired legislation (surrogate QC is "locally legitimized" despite of competing with other national laws and EU directives and regulations).

I must apologize for this schematic/simplified response covering 20+ years of Telia Company AB's business practices in Baltics.

If you google "Telia + corruption", almost all information will be about Telia Company AB's (formerly TeliaSonera AB) "achievements" in teleco markets, this is partly because of:

- its huge propaganda machine on mass media and social networks;
- private embassy in Brussels, e. g. see https://www.linkedin.com/posts/skaitmeninio-sertifikavimo-centras_why-we-have-the-eidas-gdpr-misimplementation-activity-6747690541766504448-iYsc
- naturally invisible/hard to understand trust services.

Please let me know if you need more info or have any questions - the information above is backed by
publicly accessible evidence material from official sources.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: Moudrick Dadashov <[email protected]>
Date: 12/30/21 17:34 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

Sure, Ryan, allow me 2-3 days as I’m fully booked by my grandchildren :)

Thanks,
M.D.

On Thu, Dec 30, 2021, 06:00 Ryan Sleevi <[email protected]> wrote:

On Wed, Dec 29, 2021 at 9:33 AM Moudrick M. Dadashov <[email protected]> wrote:

If approved, this request will create a precedent of ”do like Telia” - a practice that is widely used by Telia Company AB and its affiliates in the trust services markets under eIDAS. That’s how the recent eIDAS & GDPR misimplementation chaos started.

I suggest this request be approved after the conversion of corporate relationships into clearly identified, disclosed and audited specific PKI participant roles.

Moudrick,

For those following, could you share more precise details (e.g. references to news articles or other discussions) about the "recent eIDAS & GDPR misimplementation chaos started"? This sounds like you're specifically referring to actions taken by Telia Company AB, and perhaps some more context/references would help understand your concern.




-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMMZRrw30kcstFoUBKZBKtcDC_YYqkAr8BPBobdz44%3D9NwsnjQ%40mail.gmail.com.



