Hi, that's not what I tried to explain. We are already adhering to the 
rules of BR SSL.
We have implemented all the controls required in the policies, the problems 
that occurred have all been corrected, and we have no non-conformities 
in the certificates that are active. We are not waiting to be accepted 
into the root program to start initiating any rules. They are already in 
our CA.
You can check the annual results of our external audit.

As for what added value AC SERPRO brings: SERPRO is the largest 
public IT company in Latin America, and government bodies trust it to 
guarantee their security. We issue certificates to bodies such as the 
presidency of the republic and tax authorities, government agencies that 
wish to maintain the security of their information in the custody of the 
public administration.

There are no Brazilian CAs, but international ones, which sell their 
certificates in Brazil, but we need to have a Brazilian CA that is part of 
the root program to bring security and reliability.

Thanks,

On Thursday, December 8, 2022 at 14:11:38 UTC-3, [email protected] 
wrote:

> Hi Lucia,
>
> Sorry if I am misunderstanding, but are you saying that you will start 
> adhering to the policies if/when you are accepted into root programs?
> I don't think that is a good way of getting the root stores and relying 
> parties to want you included.
> You need to first show that you are a properly run CA before you get 
> accepted.
> Accepting you based on a promise that you will do better once accepted is 
> not really a good way to do this.
>
> Secondly, I get that you want to sell certificates to entities outside of 
> the Brazilian public administration but I still don't understand what 
> additional value you would bring, could you clarify that?
> I have read the statement in the Quantifying Value document but I still 
> don't quite understand the point.
> I will admit that I don't know much about the WebPKI situation in Brazil, 
> so maybe there are problems there currently for all I know.
> Are there a lot of Brazilian websites that don't have HTTPS using a cert 
> issued by one of the CAs currently trusted by Mozilla?
>
> -Cynthia
>
> On Thu, Dec 8, 2022 at 3:57 PM Lucia Castelli <[email protected]> wrote:
>
>> Now I understand better. Thanks for rephrasing the question.
>> What happened was that we started using the CACHECKER "first" instead of 
>> waiting for the Root CA to be alerted to wrong certificates. 
>> We always aim to only use CA SSL/TLS software in compliance with BR SSL 
>> requirements. 
>> We understand that we need to respect the rules about the time for 
>> revocation, and we started intensify this issue even more if we are 
>> accepted in root programs. 
>> Well, as I read the bugzillas daily, I see that even today there are 
>> still CAs, that are in the program, and also have problems, keeping the 
>> revocation time within the rules.
>> We assume that we have rules to resolve issues and not remain impartial.
>> Thanks for your question.
>>
>> On Thursday, December 8, 2022 at 11:48:38 UTC-3, 
>> [email protected] wrote:
>>
>>> Hello:
>>>
>>> regarding this:
>>>
>>>  
>>>
>>>> 2 - As I explained earlier, we had problems with the SAN of all these 
>>>> certificates, alerted by Mozilla to our Root CA, as the Root CA rules 
>>>> overlapped the BR SSL rules.
>>>>
>>>> Unfortunately, due to the very large number of certificates, it was not 
>>>> possible to fulfill what is expected (24 hours timeline), both from the BR 
>>>> SSL regulations and what we reflect in our regulations (CPS).
>>>>
>>>> These revocations, unfortunately, lasted much longer than expected.
>>>>
>>>> We understand that we would not, yet, be infringing the rules, because 
>>>> our certificate is not in the Mozilla program.
>>>>
>>> I suppose my question is what specific operational changes have been 
>>> made on your side since then so that the inability to fulfill the baseline 
>>> requirements won't remain an issue were you to be part of Mozilla's program?
>>>  
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/39f10d7b-2589-4b32-a1fc-fd48ad4a41d8n%40ccadb.org.