Re: Certigna Root Inclusion Request Round 2
On Tue, Mar 3, 2009 at 1:35 PM, wrote: > Email: CPS section 5.2.6 specifies the controls for applications for > the Certigna ID certificates. It says that in addition to verifying > the identity of the applicant, they check the email address as follows > as per the supplied translation: > “On left part of the email address, we have to found, in a non > equivoque form, the name and the first name of the future bearer. In > the opposite case, and in case of a doubt on the intention of > usurpation, it is important to report that at the security responsible > who will defined the actions to make (exhaustive check of the order, > reject or acceptation). > On the right part of the email address is located the name of the web > site of the entity or the name of a FAI (and name of another entity).” I'll be so bold as to try to translate this into better English (this is obviously NOT to be considered authoritative): The left-hand side of the email address must contain both the first and last name of the person in order to pass the automatic issuance procedure [[NB: this is due to the word 'and' in the translation; I would assume that it should actually be an 'or', and the email address has to at least be the last name of the subscriber]]. If the left-hand side of the email address does not contain the first and[or] last name of the person, then it gets passed up the line for manual review. [[NB: the mechanism for manual review is not defined, but allows for a more exhaustive verification, automatic denial (such as 'georgewb...@thisisnottheofficialbushdomain.com', I presume), or immediate acceptance (under some unknown criteria).]] On the right-hand side (sitename) part of the email address must be either the name of the web site [[NB: this suggests that it must be, for example, 'hec...@www.mozillafoundation.org' instead of 'hec...@mozillafoundation.org']], or the name of a [[??What is an FAI??]] and another entity. [[NB: presumably 'gmail.com' would be the 'name of another entity', but I'm still unable to parse this sentence.]] To Certigna: I am very sorry if I have mangled the meaning of your CPS through the apparently-automated translation. > This begins phase 2 of the public discussion of the request from > Certigna to add the Certigna CA root certificate to Mozilla. Thank you, Kathleen. (And thank you, Frank, for getting Mozilla to hire her. :)) -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Certigna Root Inclusion Request Round 2
Certigna has applied to add one new root CA certificate to the Mozilla root store. The first public discussion of this inclusion request can be found here: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/1eb7ad475c762788# Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=393166 Pending certificates list entry: http://www.mozilla.org/projects/security/certs/pending/#Certigna%20of%20Dhimyotis Summary of Information Gathering and Verification Phase: https://bugzilla.mozilla.org/attachment.cgi?id=359344 There was one action item that resulted from the first public discussion, which was for Certigna to post the public and relevant portion of the CPS, and to have their auditor confirm that the posted portion is indeed what was audited. The relevant, public portion of their CPS has been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364343 Translations of portions of this document have also been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364146 I have received email from the lead auditor for LSTI which states that this part of the CPS was indeed reviewed during Certigna’s last audit. LSTI is an accredited certification body in France who provided the previous audit statement dated 8/20/2008. Of particular interest from the first public discussion was how the validation requirements were met in regards to section 7, parts a, b, and c of the Mozilla CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/. SSL: CPS section 5.2.7 specifies the controls for applications for server certificates. It says that in addition to verifying the identity of the applicant, they use the whois service (www.whois.net) to verify that the organization owns the FQDN in the requested certificate. Email: CPS section 5.2.6 specifies the controls for applications for the Certigna ID certificates. It says that in addition to verifying the identity of the applicant, they check the email address as follows as per the supplied translation: “On left part of the email address, we have to found, in a non equivoque form, the name and the first name of the future bearer. In the opposite case, and in case of a doubt on the intention of usurpation, it is important to report that at the security responsible who will defined the actions to make (exhaustive check of the order, reject or acceptation). On the right part of the email address is located the name of the web site of the entity or the name of a FAI (and name of another entity).” Code Signing: There is a separate internal document for the new code- signing sub-CA. The section of the document that describes the verification of the identity of the subscriber has been translated into English and attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=365278 I am not aware of any potentially problematic practices, as per https://wiki.mozilla.org/CA:Problematic_Practices The SSL certs are OV. End-entity certs are issued from intermediate CAs, and the intermediate CAs are internally operated. OCSP and CRLs were both successfully used in Firefox. This begins phase 2 of the public discussion of the request from Certigna to add the Certigna CA root certificate to Mozilla. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Microsec Root Inclusion Request Round 2
On 03/03/2009 02:34 PM, Frank Hecker: If you have particular sections where you are concerned about the accuracy of the translation, we can ask someone on the Mozilla Hungarian localization team to double-check the translation. However they are volunteers, and I do not want to burden them by asking them to check the entire CPS translation. The CPS looks accurate as far as I can see, I just wanted to know if they perhaps bothered already to produce a confirmation beforehand. If one exists even the better, why not have it. I don't want to burden the localization people with this. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Microsec Root Inclusion Request Round 2
Eddy Nigg wrote: I don't want to complicate matters, but I would like to ask if there is some confirmation about the correctness of the translation. If you have particular sections where you are concerned about the accuracy of the translation, we can ask someone on the Mozilla Hungarian localization team to double-check the translation. However they are volunteers, and I do not want to burden them by asking them to check the entire CPS translation. Frank -- Frank Hecker hec...@mozillafoundation.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
