E-ME has applied to add the “E-ME SSI (RCA)” root certificate, and to
enable the websites and code signing trust bits.

E-ME is the brand name for the certification services that are operated
by the Latvian State Radio and Television Centre (LVRTC). LVRTC is a
joint-stock company in which the Republic of Latvia, represented
by the Ministry of Transportation, owns all shares of the company. LVRTC
provides transmission of radio and television signals covering all of
Latvia. The main function of E-ME is to provide electronic document law
enforcement in Latvia.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=518098
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#E-ME
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=474133
Noteworthy points:
* The CP and CPS documents are provided in both Latvian and English.
CPS: https://bugzilla.mozilla.org/attachment.cgi?id=473411
CP: https://bugzilla.mozilla.org/attachment.cgi?id=463125
* CP section 1.2 describes the general architecture, and provides a
hierarchy diagram.
** The “E-ME SSI (RCA)” root certificate issues certificates for the
Policy CA and the Trusted OCSP Responder. According to E-ME policy
requirements there is one Policy CA, which is internally-operated by
E-ME. The Policy CA issues certificates to the Issuing CAs and the Time
Stamping Authority. There is currently one Issuing CA certificate, which
is internally-operated by E-ME.
* In the CP and CPS the term CSP refers to E-ME as the certificate
service provider.
* CP section 1.4.1.4: Issuing CAs are organizations authorized by E-ME
CSP to create, sign, issue and manage End User Certificates. Each
Issuing CA is bound to act according to the terms of this CP. An Issuing
CA's specific practices, in addition to the more general requirements
set out in this CP, must be set out in a Certification Practice
Statement adopted by the Issuing CA and approved by E-ME CSP…
* CP section 1.4.1.5: Each Issuing CA will remain ultimately responsible
for all E-ME CSP Certificates it issues. However, under this CP, the
Issuing CA may subcontract registration and I&A functions to an
organization that agrees to fulfill the functions of an RA in accordance
with the terms of this CP, and who will accept E-ME CSP Certificate
applications and locally collect and verify Applicant identity
information to be entered into an E-ME CSP Certificate…
* Currently this root has not cross-signed a cert with another root, and
no cross-signing is planned. However, the CP has provision for this in
CP section 2.6.
* CP section 7.2: The CA shall only claim conformance to this CP…
** if the CA has a current assessment of conformance to this CP by a
competent independent party…
** CA compliance shall be checked on a regular basis and whenever major
change is made to the CA operations.
* CP section 8: Following any Compliance Audit, the audited CA shall
provide E-ME CSP with the annual report and attestations based on its
audit within fourteen (14) days after the completion of the audit.
* The request is to enable the websites and code signing trust bits.
** See CPS sections 3.2.2 and 3.2.3 for information about the process
for E-ME CSP ICA and RA to validate the identification and authorization
of the certificate applicant.
** CPS section 3.2.2.1: The RA proceeds initial identity validation
procedure. In particular:
*** the authentication of individual identity;
*** the authentication of organisational identity;
*** validation of authority.
** SSL and Code Signing certs are organizationally validated as per
section 3.2.2 and 3.2.3 of the CPS.
** CPS section 3.2.3.1: Web Site (SSL) certificates is carried out
following checks:
*** Domain Clearance home using network resources
(http://www.nic.lv/?lang=en (Latvian), http://www.iana.org/domains/
(World));
*** Certificate request verification of a contract;
*** Review of good practice standards
** CPS section 3.2.3.1: Code signing certificates are carried out
following checks:
*** Certificate request verification of a contract;
*** Review of good practice standards
* E-ME is not requesting EV-enablement.
* Test Website: https://www.eme.lv/csp-web/certsearch.aspx?lang=LAT
* CRL
** All CRLs listed at: http://info.e-me.lv/en/atbalsts/atsauktie_sertif/
** Root CA CRL: http://www.eme.lv/cdp/E-ME%20SSI%20(RCA).crl
** Policy CA CRL: http://www.eme.lv/cdp/E-ME%20PSI%20(PCA).crl
** Issuing CA CRL: http://www.eme.lv/cdp/E-ME%20SI%20(CA1).crl
(NextUpdate 24 hours)
* OCSP: http://ocsp.eme.lv/responder.eme
* Audit: KPMG Baltics performed the audit according to the ETSI TS 101
456 criteria. I exchanged email with the auditor at KPMG to confirm the
authenticity of the audit statement that was provided:
https://bugzilla.mozilla.org/attachment.cgi?id=402071 (2009.08.14)
This begins a one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved. If there are
outstanding issues or action items, then an additional discussion may be
needed as follow-up.
Kathleen