SG Trust Services has applied to add the “SG TRUST SERVICES RACINE” root
certificate and turn on the Email trust bit.
SG Trust Services is a subsidiary of Groupe SG, which is the top-level
entity of all subsidiaries of Société Générale, one of the oldest and
largest banks in France and a major international financial services
company. Customers are members of the general public who use e-services
with banks and French government third parties.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=662259
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#SG%20Trust%20Services
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=672856
Noteworthy points:
* The primary documents are the CP documents listed below, which are in
French. Some sections have been translated into English.
Document Repository:
http://www.sgtrustservices.com/entreprise/pc/index.htm
CP for Authentication and Encryption Certs:
http://www.sgtrustservices.com/entreprise/pc/authentification/index.htm
CP for Signing Certs:
http://www.sgtrustservices.com/entreprise/pc/signature/index.htm
CP for 2-Star Certs:
https://www.sgts.rgs2e.sgtrustservices.com/doc/PC/SG_TS_2E_PC_Authentification.pdf
CP for 2-Star Certs (English translation of some sections):
https://bugzilla.mozilla.org/attachment.cgi?id=560318
The “SG TRUST SERVICES RACINE” root has two internally-operated
intermediate certificates, one for authentication certificates and
another for signing certificates.
The request is to turn on the Email trust bit.
* CP for 2-Star Certs Section 3.2.3.3 describes the steps to verify and
register a Certificate Manager (the customer). A Certificate Manager is a
person in a client company of SG Trust Services who can collect the
registration document (Individual Subscriber Request) of the Subscriber
and validate the registration documents before sending them to the
Registration Service.
** The Legal Representative also signs the subscription contract between
the organisation to which they belong (the Client) and SG Trust Services.
** The Legal Representative must provide the future Manager with a
"K-bis” certifying the company’s registration with a French trade and
companies register (or any similar trade register for foreign entities)
or an identification certificate from the Répertoire National des
Entreprises et de leurs Établissements database. Legal Representatives
of an association must provide a copy of the Journal Officiel containing
the mention of their organisation as well as a copy of its articles of
association and the minutes of the last Annual General Meeting during
which an executive was appointed.
** The Customer account manager meets with the future CM in person and
checks their proof of identity.
** The Customer account manager validates the appointment of the
Certificate Manager and verifies that:
-- The Registration File is complete.
-- The Legal Representative has signed the Certificate Manager
Identification Form and the subscription contract.
-- The future Certificate Manager has signed the Certificate Manager
Identification Form.
-- The information in the Certificate Manager Identification Form is
consistent with both the ID card (for personal ID information) and the
subscription contract (for the organisation's information).
* CP for 2-Star Certs Section 3.2.3.4: The following procedure is
systematically applied:
- The future Subscriber must present his ID card to the Certificate Manager.
- The Certificate Manager verifies that the person present matches the
ID card.
- The Certificate Manager photocopies the proof of identity adding
"Certified Copy" and signs it. The Subscriber also signs the photocopy
of the ID card.
- The Certificate Manager ensures that the future Subscriber is
authorised to use the certificates on behalf of the Client.
- The Certificate Manager asks the Subscriber to complete and sign the
Individual Subscriber Request Form. He ensures that the identity
information filled in by the Subscriber matches the information on the
ID card.
* The Certificate Manager verifies that the email address to be included
in the certificate is correct and belongs to his organization before
sending the file to the Registration Service.
* The Certificate Manager sends the registration file to the Customer
account manager. The registration file of a new Subscriber includes:
- The Individual Subscriber Request (ISR) form dated less than 3 months
prior, completed and signed both by the future Subscriber and the CM.
-- The ISR form includes personal information on the future Subscriber
required for creating the certificate.
-- The ISR form includes the General Terms and Conditions of Use.
- The photocopy of the Certificate Subscriber's ID card, signed by the
Certificate Manager and the Subscriber.
* Registration Service validates each subscriber’s registration demand by:
- Validating that the Certificate Manager who provided the registration
documents is well-known;
- Validating the completion of registration documents;
- Validating the copy of the subscriber’s identity card;
- Comparing the signature on the disclosure statements with the
signature on the identity card.
* The URL to install the certificate is emailed to the email address
that is included in the certificate.
* Root Cert URL:
https://bugzilla.mozilla.org/attachment.cgi?id=608632
* Example Certificates provided in the bug
https://bugzilla.mozilla.org/show_bug.cgi?id=662259#c39
* CRL
http://crl.sgtrustservices.com/racine-GroupeSG/LatestCRL
http://crl.sgtrustservices.com/SGTS-2Etoiles/LatestCRL
(NextUpdate: 6 days)
* OCSP not provided
(Note: This request is to turn on the Email trust bit only, so the CAB
Forum Baseline requirements don’t apply.)
* Audit: Audits are performed against the ETSI TS 102 042 criteria by
LSTI, and a list of the certified certificate providers is provided on
the LSTI website.
http://www.lsti-certification.fr/index.php?option=com_content&view=article&id=54&Itemid=14
ETSI Certificate:
https://bugzilla.mozilla.org/attachment.cgi?id=537541
Annual surveillance audits are also performed. The last one was done in
November 2011, and the next one is planned for December 2012.
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices):
** Delegation of email validation to third parties, as described above.
This begins the discussion of the request from SG Trust Services to add
the “SG TRUST SERVICES RACINE” root certificate and turn on the Email
trust bit. At the conclusion of this discussion I will provide a summary
of issues noted and action items. If there are outstanding issues, then
an additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen