Certigna has applied to add one new root CA certificate to the Mozilla root store. The first public discussion of this inclusion request can be found here:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/1eb7ad475c762788#

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=393166

Pending certificates list entry:
http://www.mozilla.org/projects/security/certs/pending/#Certigna%20of%20Dhimyotis

Summary of Information Gathering and Verification Phase:
https://bugzilla.mozilla.org/attachment.cgi?id=359344

There was one action item that resulted from the first public discussion, which was for Certigna to post the public and relevant portion of the CPS, and to have their auditor confirm that the posted portion is indeed what was audited.

The relevant, public portion of their CPS has been attached to the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=364343

Translations of portions of this document have also been attached to the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=364146

I have received email from the lead auditor for LSTI which states that this part of the CPS was indeed reviewed during Certigna's last audit. LSTI is an accredited certification body in France, which provided the previous audit statement dated 8/20/2008.

Of particular interest from the first public discussion was how the validation requirements were met with regard to section 7, parts a, b, and c of the Mozilla CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/.

SSL: CPS section 5.2.7 specifies the controls for applications for server certificates. It says that in addition to verifying the identity of the applicant, they use the whois service (www.whois.net) to verify that the organization owns the FQDN in the requested certificate.

Email: CPS section 5.2.6 specifies the controls for applications for the Certigna ID certificates. It says that in addition to verifying the identity of the applicant, they check the email address as follows, as per the supplied translation:

"On the left part of the email address, we have to find, in an unequivocal form, the name and the first name of the future bearer. In the opposite case, and in case of a doubt about an intention of usurpation, it is important to report this to the security officer, who will define the actions to take (exhaustive check of the order, rejection or acceptance). On the right part of the email address is located the name of the web site of the entity or the name of an ISP (FAI) (and name of another entity)."

Code Signing: There is a separate internal document for the new code-signing sub-CA. The section of the document that describes the verification of the identity of the subscriber has been translated into English and attached to the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=365278

I am not aware of any potentially problematic practices, as per
https://wiki.mozilla.org/CA:Problematic_Practices

The SSL certs are OV. End-entity certs are issued from intermediate CAs, and the intermediate CAs are internally operated. OCSP and CRLs were both successfully used in Firefox.

This begins phase 2 of the public discussion of the request from Certigna to add the Certigna CA root certificate to Mozilla.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto