E-ME has applied to add the “E-ME SSI (RCA)” root certificate, and to
enable the websites and code signing trust bits.
E-ME is the brand name for the certification services that are operated
by the Latvian State Radio and Television Centre (LVRTC). LVRTC is a
joint-stock company, in which the Republic of Latvia being represented
by the Ministry of Transportation owns all shares of the company. LVRTC
provides transmission of radio and television signals covering all of
Latvia. The main function of E-ME is to provide electronic document law
enforcement in Latvia.
The request is documented in the following bug:
And in the pending certificates list here:
Summary of Information Gathered and Verified:
* The CP and CPS documents are provided in both Latvian and English.
* CP section 1.2 describes the general architecture, and provides a
** The “E-ME SSI (RCA)” root certificate issues certificates for the
Policy CA and the Trusted OCSP Responder. According to E-ME policy
requirements there is one Policy CA, which is internally-operated by
E-ME. The Policy CA issues certificates to the Issuing CAs and the Time
Stamping Authority. There is currently one Issuing CA certificate, which
is internally-operated by E-ME.
* In the CP and CPS the term CSP refers to E-ME as the certificate
* CP section 220.127.116.11: Issuing CAs are organizations authorized by E-ME
CSP to create, sign, issue and manage End User Certificates. Each
Issuing CA is bound to act according to the terms of this CP. An Issuing
CA's specific practices, in addition to the more general requirements
set out in this CP, must be set out in a Certification Practice
Statement adopted by the Issuing CA and approved by E-ME CSP…
* CP section 18.104.22.168: Each Issuing CA will remain ultimately responsible
for all E-ME CSP Certificates it issues. However, under this CP, the
Issuing CA may subcontract registration and I&A functions to an
organization that agrees to fulfill the functions of an RA in accordance
with the terms of this CP, and who will accept E-ME CSP Certificate
applications and locally collect and verify Applicant identity
information to be entered into an E-ME CSP Certificate…
* Currently this root has not cross-signed a cert with another root, and
no cross-signing is planned. However, the CP has provision for this in
CP section 2.6.
* CP section 7.2: The CA shall only claim conformance to this CP…
** if the CA has a current assessment of conformance to this CP by a
competent independent party…
** CA compliance shall be checked on a regular basis and whenever major
change is made to the CA operations.
* CP section 8: Following any Compliance Audit, the audited CA shall
provide E-ME CSP with the annual report and attestations based on its
audit within fourteen (14) days after the completion of the audit.
* The request is to enable the websites and code signing trust bits.
** See CPS sections 3.2.2 and 3.2.3 for information about the process
for E-ME CSP ICA and RA to validate the identification and authorization
of the certificate applicant.
** CPS section 22.214.171.124: The RA proceeds initial identity validation
procedure. In particular:
*** the authentication of individual identity;
*** the authentication of organisational identity;
*** validation of authority.
** SSL and Code Signing certs are organizationally validated as per
section 3.2.2 and 3.2.3 of the CPS.
** CPS section 126.96.36.199: Web Site (SSL) certificates is carried out
*** Domain Clearance home using network resources
(Http://www.nic.lv/?lang=en (Latvian), http://www.iana.org/domains/
*** Certifikate request verification of a contract;
*** Review of good practice standards
** CPS section 188.8.131.52: Code signing certificates are carried out
*** Certificate request verification of a contract;
*** Review of good practice standards
* E-ME is not requesting EV-enablement.
* Test Website: https://www.eme.lv/csp-web/certsearch.aspx?lang=LAT
** All CRLs listed at: http://info.e-me.lv/en/atbalsts/atsauktie_sertif/
** Root CA CRL: http://www.eme.lv/cdp/E-ME%20SSI%20(RCA).crl
** Policy CA CRL: http://www.eme.lv/cdp/E-ME%20PSI%20(PCA).crl
** Issuing CA CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1).crl
(NextUpdate 24 hours)
* OCSP: http://ocsp.eme.lv/responder.eme
* Audit: KPMG Baltics performed the audit according to the ETSI TS 101
456 criteria. I exchanged email with the auditor at KPMG to confirm the
authenticity of the audit statement that was provided:
This begins a one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved. If there are
outstanding issues or action items, then an additional discussion may be
needed as follow-up.