Re: Certigna Root Inclusion Request Round 2
Many thanks to those of you who have participated in the discussions for this root inclusion request, and reviewed the information that has been provided. Certigna met the request from the first round of public discussion to post and translate the relevant portions of their CPS. During the discussions two items have been requested: 1) The public portion of the Certigna CPS should be made public and posted on their website. 2) The internal document for code signing should be made part of the CPS. While Certigna is encouraged to do these two action items, these will not block the inclusion request. This concludes the public discussions about Certigna’s request to add one new root CA certificate to the Mozilla root store, as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=393166 I will post a summary of the request and my recommendation for approval in the bug. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
On 03/13/2009 07:34 PM, Kathleen Wilson: Certigna met our request to post and translate the relevant portions of their CPS. There has been very little resulting discussion. Are there still questions that need to be addressed in this public discussion phase? Or shall I move forward with making the recommendation to approve this request? The internal document for code signing should have been made part of the CP/CPS. Apart from that I've not seen anything of concern. Unfortunately my knowledge in the French language is not sufficient enough in order to understand the CPS. Preferable we should be able to review (and understand) the CPS in its entirety, however I don't feel this to be a reason at this stage to question their inclusion after they complied to our requests from the first round. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
Certigna met our request to post and translate the relevant portions of their CPS. There has been very little resulting discussion. Are there still questions that need to be addressed in this public discussion phase? Or shall I move forward with making the recommendation to approve this request? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
Kyle Hamilton wrote, On 2009-03-10 14:14: > I second this motion, no objections. > > -Kyle H > > On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson > wrote: >>> are we planning to move the discussions of accepting CAs into the root >>> list over to the other list? I think that dev-security-policy is going now? >> OK. If no one objects, I will post all future root inclusion request >> discussions on mozilla.dev.security.policy instead of >> dev.tech.crypto. >> >> Kathleen Me too. I'll bet there are some web pages that need to be updated to point to the new list instead of the crypto list. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
I second this motion, no objections. -Kyle H On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson wrote: >> are we planning to move the discussions of accepting CAs into the root >> list over to the other list? I think that dev-security-policy is going now? > > OK. If no one objects, I will post all future root inclusion request > discussions on mozilla.dev.security.policy instead of > dev.tech.crypto. > > Kathleen > > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
> are we planning to move the discussions of accepting CAs into the root > list over to the other list? I think that dev-security-policy is going now? OK. If no one objects, I will post all future root inclusion request discussions on mozilla.dev.security.policy instead of dev.tech.crypto. Kathleen -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
On 10/3/09 09:22, Eddy Nigg wrote: On 03/03/2009 11:35 PM, kathleen95...@yahoo.com: Kathleen, are we planning to move the discussions of accepting CAs into the root list over to the other list? I think that dev-security-policy is going now? iang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
On 03/03/2009 11:35 PM, kathleen95...@yahoo.com: The relevant, public portion of their CPS has been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364343 Translations of portions of this document have also been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364146 As a by-note I'd like to state that that ETSI 101 456 and ETSI TS 102 042 speak very clearly about "The CA shall make available to subscribers and relying parties its certification practice statement, and other relevant documentation, as necessary to assess conformance to the qualified certificate policy." As such Certigna is not complying to the audit criteria it chose! -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Certigna Root Inclusion Request Round 2
On Tue, Mar 3, 2009 at 1:35 PM, wrote: > Email: CPS section 5.2.6 specifies the controls for applications for > the Certigna ID certificates. It says that in addition to verifying > the identity of the applicant, they check the email address as follows > as per the supplied translation: > “On left part of the email address, we have to found, in a non > equivoque form, the name and the first name of the future bearer. In > the opposite case, and in case of a doubt on the intention of > usurpation, it is important to report that at the security responsible > who will defined the actions to make (exhaustive check of the order, > reject or acceptation). > On the right part of the email address is located the name of the web > site of the entity or the name of a FAI (and name of another entity).” I'll be so bold as to try to translate this into better English (this is obviously NOT to be considered authoritative): The left-hand side of the email address must contain both the first and last name of the person in order to pass the automatic issuance procedure [[NB: this is due to the word 'and' in the translation; I would assume that it should actually be an 'or', and the email address has to at least be the last name of the subscriber]]. If the left-hand side of the email address does not contain the first and[or] last name of the person, then it gets passed up the line for manual review. [[NB: the mechanism for manual review is not defined, but allows for a more exhaustive verification, automatic denial (such as 'georgewb...@thisisnottheofficialbushdomain.com', I presume), or immediate acceptance (under some unknown criteria).]] On the right-hand side (sitename) part of the email address must be either the name of the web site [[NB: this suggests that it must be, for example, 'hec...@www.mozillafoundation.org' instead of 'hec...@mozillafoundation.org']], or the name of a [[??What is an FAI??]] and another entity. [[NB: presumably 'gmail.com' would be the 'name of another entity', but I'm still unable to parse this sentence.]] To Certigna: I am very sorry if I have mangled the meaning of your CPS through the apparently-automated translation. > This begins phase 2 of the public discussion of the request from > Certigna to add the Certigna CA root certificate to Mozilla. Thank you, Kathleen. (And thank you, Frank, for getting Mozilla to hire her. :)) -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Certigna Root Inclusion Request Round 2
Certigna has applied to add one new root CA certificate to the Mozilla root store. The first public discussion of this inclusion request can be found here: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/1eb7ad475c762788# Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=393166 Pending certificates list entry: http://www.mozilla.org/projects/security/certs/pending/#Certigna%20of%20Dhimyotis Summary of Information Gathering and Verification Phase: https://bugzilla.mozilla.org/attachment.cgi?id=359344 There was one action item that resulted from the first public discussion, which was for Certigna to post the public and relevant portion of the CPS, and to have their auditor confirm that the posted portion is indeed what was audited. The relevant, public portion of their CPS has been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364343 Translations of portions of this document have also been attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=364146 I have received email from the lead auditor for LSTI which states that this part of the CPS was indeed reviewed during Certigna’s last audit. LSTI is an accredited certification body in France who provided the previous audit statement dated 8/20/2008. Of particular interest from the first public discussion was how the validation requirements were met in regards to section 7, parts a, b, and c of the Mozilla CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/. SSL: CPS section 5.2.7 specifies the controls for applications for server certificates. It says that in addition to verifying the identity of the applicant, they use the whois service (www.whois.net) to verify that the organization owns the FQDN in the requested certificate. Email: CPS section 5.2.6 specifies the controls for applications for the Certigna ID certificates. It says that in addition to verifying the identity of the applicant, they check the email address as follows as per the supplied translation: “On left part of the email address, we have to found, in a non equivoque form, the name and the first name of the future bearer. In the opposite case, and in case of a doubt on the intention of usurpation, it is important to report that at the security responsible who will defined the actions to make (exhaustive check of the order, reject or acceptation). On the right part of the email address is located the name of the web site of the entity or the name of a FAI (and name of another entity).” Code Signing: There is a separate internal document for the new code- signing sub-CA. The section of the document that describes the verification of the identity of the subscriber has been translated into English and attached to the bug: https://bugzilla.mozilla.org/attachment.cgi?id=365278 I am not aware of any potentially problematic practices, as per https://wiki.mozilla.org/CA:Problematic_Practices The SSL certs are OV. End-entity certs are issued from intermediate CAs, and the intermediate CAs are internally operated. OCSP and CRLs were both successfully used in Firefox. This begins phase 2 of the public discussion of the request from Certigna to add the Certigna CA root certificate to Mozilla. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto