Re: FNMT: Public Discussion of Root Inclusion Request

2020-12-04 Thread Santiago Brox via dev-security-policy
On Friday, 4 December 2020 at 18:20:41 UTC+1, Matthias van de Meent wrote:
> Thanks for the pointer, Ben. 
> 
> I didn't realise that the links in section 'Particulares AC Raíz 
> FNMT-RCM Servidores Seguros' of their main repository [1] were links 
> to repositories that would include the applicable CPS... As those 
> sections seemed to be for ICAs of the root, I didn't consider them as 
> a source for the CPS of their parent CA. Together with that the CPS 
> pointers in the certificate profile point to the main repository and 
> that the QcPDS links in the certificate profiles don't seem to point 
> to anything, I got lost... 
> 
> So, sorry for the noise, I was very confused by the structure of the 
> repository. 
> 
> Now that I know where to look, I'll probably check the contents more 
> thoroughly sometime in the following weekend, at first glance they 
> already looked much better. 
> 
> -Matthias 
> 
> [1] 
> https://www.sede.fnmt.gob.es/en/normativa/declaracion-de-practicas-de-certificacion
> On Wed, 2 Dec 2020, 23:44 Ben Wilson,  wrote: 
> > 
> > Matthias, 
> > Have you been able to obtain the CPS downloadable from here: 
> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 or here: 
> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 ? (They 
> > both lead to the same CPS v. 1.6 document.) 
> > Ben 
> > 
> > On Wed, Dec 2, 2020 at 7:15 AM Matthias van de Meent via 
> > dev-security-policy  wrote: 
> >> 
> >> On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy < 
> >> dev-secur...@lists.mozilla.org> wrote: 
> >> > 
> >> > On Thursday, 19 November 2020 at 0:47:03 UTC+1, Matthias van de Meent wrote:
> >> > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, 
> >> > >  wrote: 
> >> > > > 
> >> > > > [...] 
> >> > > > 
> >> > > > *CP/CPS:* 
> >> > > > 
> >> > > > 
> >> > > > https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
> >> > > > 
> >> > > > Current CPS is version 1.5, published 1-October-2020. 
> >> > > > 
> >> > > > Repository location: 
> >> > > > 
> >> > > > https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >> > > > 
> >> > > I'm having trouble finding the end entity certificate profiles in this 
> >> > > CPS. According to the CPS s7.1.2, they are supposed to be available at 
> >> > > http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository 
> >> > > [0] of which the only English-language document [1] does not contain 
> >> > > any end entity certificate profiles, but only the root and ICA 
> >> > > profiles in attachments. Similarly, I cannot find the CPS you linked 
> >> > > in their repository. 
> >> > >
> >> > All the relevant documentation (CPS, PDS, Terms and conditions,
> >> > certificate profiles, and old versions of CPSs) of each CA is published in
> >> > its corresponding channel in the website, all of them accessible from:
> >> > https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >> 
> >> I'm sorry, but I'm having trouble finding a link to the latest version of
> >> the CPS of the to-be-included root in that repository. If you add this
> >> CPS, it would be useful to take Mozilla Root Store Policy section 3.3 (6)
> >> into account ("CAs must provide a way to clearly determine which CP and CPS
> >> applies to each of its root and intermediate certificates").
> >> 
> >> > For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each
> >> > intermediate CA):
> >> > AC SERVIDORES SEGUROS TIPO 1: 
> >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 
> >> > and 
> >> > AC SERVIDORES SEGUROS TIPO 2: 
> >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 
> >> > 
> >> > In regard to the certificate profiles, we have included in CPS v1.6 section
> >> > 7.1.2. direct links to the published documents of profiles.
> >> >
> >> > The document describing the profiles of the Website authentication
> >> > certificates, including all exten

Re: FNMT: Public Discussion of Root Inclusion Request

2020-11-27 Thread Santiago Brox via dev-security-policy
On Thursday, 19 November 2020 at 0:47:03 UTC+1, Matthias van de Meent wrote:
> On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, 
>  wrote: 
> > 
> > All, 
> > 
> > This is to announce the beginning of the public discussion phase of the 
> > Mozilla root CA inclusion process for Fábrica Nacional de Moneda y Timbre 
> > (FNMT)’s request to include the AC RAIZ FNMT-RCM SERVIDORES SEGUROS in the 
> > root store. See 
> > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 
> > through 9). 
> > 
> > Mozilla is considering approving FNMT’s request to add the root as a trust 
> > anchor with the websites trust bit and EV enabled as documented in Bugzilla 
> > bug #1559342. 
> > 
> > This email begins the 3-week comment period, after which, if no concerns 
> > are raised, we will close the discussion and the request may proceed to the 
> > approval phase (Step 10). 
> >
> > [...]
> > 
> > *CP/CPS:* 
> > 
> > https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf 
> > 
> > Current CPS is version 1.5, published 1-October-2020. 
> > 
> > Repository location: 
> > https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >  
> >
> I'm having trouble finding the end entity certificate profiles in this 
> CPS. According to the CPS s7.1.2, they are supposed to be available at 
> http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository 
> [0] of which the only English-language document [1] does not contain 
> any end entity certificate profiles, but only the root and ICA 
> profiles in attachments. Similarly, I cannot find the CPS you linked 
> in their repository. 
> 
All the relevant documentation (CPS, PDS, Terms and conditions, certificate 
profiles, and old versions of CPSs) of each CA is published in its 
corresponding channel in the website, all of them accessible from:
https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion

For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each 
intermediate CA): 
AC SERVIDORES SEGUROS TIPO 1:
https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 
and
AC SERVIDORES SEGUROS TIPO 2:
https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2

In regard to the certificate profiles, we have included in CPS v1.6 section 
7.1.2. direct links to the published documents of profiles. 

The documents describing the profiles of the Website authentication 
certificates, including all extensions, are published at 
AC SERVIDORES SEGUROS TIPO 1:
https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf
AC SERVIDORES SEGUROS TIPO 2:
https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf


> I noticed that the CPS defers a great amount of sections (section 5, 
> 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which 
> probably is [1] but that is never explicitly confirmed in the CPS - 
> there is no explicit link to any repository in section 1.6.1 where the 
> acronym is defined, nor are there any other indications that this DGPC 
> is located in the repository under the link of [0]. This is confusing, 
> and detrimental to the readability of the document. 
> 
CPS new version (v1.6) integrates all the sections that were referred to in the 
DGPC (v5.8) and which applied in general to all our CAs. From version 1.6 our 
CPS collects in a single document all the information and BRs compliance 
commitments for our AC RAIZ FNMT-RCM SERVIDORES SEGUROS.

> CPS s4.9.2 and s1.5.2 both mention that third parties may send 
> certificate problem reports, and select parties may send revocation 
> requests, which is great; but I cannot find a commitment to 
> communicating a preliminary report within 24 hours to the reporter as 
> stipulated by BR 4.9.5. 
> 
> CPS / DGPC s5.2.2 includes by reference an internal policy, which may 
> or may not comply with the "at least dual control for CA private key 
> backup/storage/recovery" requirement of BR 5.2.2. 
> 
Detailed information has been included in CPS v1.6 sections 4.9.5. and 5.2.2. 
following BRs.

> CPS / DGPC s5.3.1 only guarantee the "experience and knowledge", not 
> the "trustworthiness and identity" of the operators. 
> 
Our HR selection department and the engagement process guarantee the 
fulfilment of requirements in BRs 5.3.1, verifying also the trustworthiness and 
identity of the operators. In addition, the trustworthiness and suitability of 
assigned trusted roles are reviewed periodically by the TSP Management 
Committee. We have included more detailed information in this regard in CPS 
section 5.3.1.

> CPS / DGPC s5.3.3 does not provide information on the specific topics 
> that are SHALL-qualified in BR s5.3.3. This same can be said about 
> s5.3.4 and s5.3.7. 

We have enclosed further the information in 

Re: FNMT: Public Discussion of Root Inclusion Request

2020-11-20 Thread Santiago Brox via dev-security-policy
On Thursday, 19 November 2020 at 0:47:03 UTC+1, Matthias van de Meent wrote:
> On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, 
>  wrote: 
> > 
> > All, 
> > 
> > This is to announce the beginning of the public discussion phase of the 
> > Mozilla root CA inclusion process for Fábrica Nacional de Moneda y Timbre 
> > (FNMT)’s request to include the AC RAIZ FNMT-RCM SERVIDORES SEGUROS in the 
> > root store. See 
> > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 
> > through 9). 
> > 
> > Mozilla is considering approving FNMT’s request to add the root as a trust 
> > anchor with the websites trust bit and EV enabled as documented in Bugzilla 
> > bug #1559342. 
> > 
> > This email begins the 3-week comment period, after which, if no concerns 
> > are raised, we will close the discussion and the request may proceed to the 
> > approval phase (Step 10). 
> >
> > [...]
> > 
> > *CP/CPS:* 
> > 
> > https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf 
> > 
> > Current CPS is version 1.5, published 1-October-2020. 
> > 
> > Repository location: 
> > https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >  
> >
> I'm having trouble finding the end entity certificate profiles in this 
> CPS. According to the CPS s7.1.2, they are supposed to be available at 
> http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository 
> [0] of which the only English-language document [1] does not contain 
> any end entity certificate profiles, but only the root and ICA 
> profiles in attachments. Similarly, I cannot find the CPS you linked 
> in their repository. 
> 
> I noticed that the CPS defers a great amount of sections (section 5, 
> 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which 
> probably is [1] but that is never explicitly confirmed in the CPS - 
> there is no explicit link to any repository in section 1.6.1 where the 
> acronym is defined, nor are there any other indications that this DGPC 
> is located in the repository under the link of [0]. This is confusing, 
> and detrimental to the readability of the document. 
> 
> CPS s4.9.2 and s1.5.2 both mention that third parties may send 
> certificate problem reports, and select parties may send revocation 
> requests, which is great; but I cannot find a commitment to 
> communicating a preliminary report within 24 hours to the reporter as 
> stipulated by BR 4.9.5. 
> 
> CPS / DGPC s5.2.2 includes by reference an internal policy, which may 
> or may not comply with the "at least dual control for CA private key 
> backup/storage/recovery" requirement of BR 5.2.2. 
> 
> CPS / DGPC s5.3.1 only guarantee the "experience and knowledge", not 
> the "trustworthiness and identity" of the operators. 
> 
> CPS / DGPC s5.3.3 does not provide information on the specific topics 
> that are SHALL-qualified in BR s5.3.3. This same can be said about 
> s5.3.4 and s5.3.7. 
> 
> CPS / DGPC s5.4.1 does definitely not mention logging 
> rejection/acceptance of certificate requests (BR s5.4.1(1)(3)), and 
> probably also doesn't cover some other parts, but the language is very 
> opaque (i.e. unclear). 
> ... looks further 
> ... those specific events are apparently included in 5.5.1 Types of 
> Records Archived (?) 
> 
> CPS / DGPC s5.4.3 does not comply with BR 5.4.3: Audit log retention 
> of 15 years is not enough to cover the CA certificate event record log 
> retention timespan of 2 years past the latest of 1.) the destruction 
> of the CA private key, and 2.) the revocation or expiration of the 
> final CA certificate of that private key. Unless of course you expect 
> to revoke the root and destroy the CA keys within 13 years after 
> creation. 
> 
> CPS / DGPC s6.1.1.1 (CA Key Pair Generation) fails to include the 
> procedure with which CA keys are generated. 
> More specifically, the current implication is that the auditor could 
> not be witness of the CA key generation ceremony, nor have seen any 
> evidence other than the report, and sign this report. This fails to 
> apply BR 6.1.1.1(1) items 2 and 3, and BR 6.1.1.1(2)(2). The procedure 
> included by reference is not accessible [3] and may add requirements, 
> but those requirements need not meet the baseline of the BR. 
> 
> CPS s6.2 points to a section s6.2 in the DGPC, which is blank. 
> Therefore, I'm missing the documentation on that the CA is committed 
> to securing the CA private key material in a BR-compliant manner. 
> 
> CPS / DGPC s6.2.4 does not apply the requirements of BR 6.2 nor 5.2.2 
> to their private key backup procedure. 
> 
> CPS delegates s6.2.5 fully to the DGPC, but that s6.2.5 requires the 
> CPS to at least specify a maximum number of copies of the private key, 
> which is not specified. 
> 
> CPS / DGPC s6.2.6 has the interesting construction "Consequently, the 
> Keys cannot be transferred, although