Certigna Root Inclusion Request Round 2
kathle...@yahoo.com
root store. The first public discussion of this inclusion request can
be found here:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/1eb7ad475c762788#
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=393166
Pending certificates list entry:
http://www.mozilla.org/projects/security/certs/pending/#Certigna%20of%20Dhimyotis
Summary of Information Gathering and Verification Phase:
https://bugzilla.mozilla.org/attachment.cgi?id=359344
There was one action item that resulted from the first public
discussion, which was for Certigna to post the public and relevant
portion of the CPS, and to have their auditor confirm that the posted
portion is indeed what was audited.
The relevant, public portion of their CPS has been attached to the
bug:
https://bugzilla.mozilla.org/attachment.cgi?id=364343
Translations of portions of this document have also been attached to
the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=364146
I have received email from the lead auditor for LSTI which states that
this part of the CPS was indeed reviewed during Certigna’s last audit.
LSTI is an accredited certification body in France who provided the
previous audit statement dated 8/20/2008.
Of particular interest from the first public discussion was how the
validation requirements were met in regards to section 7, parts a, b,
and c of the Mozilla CA Certificate Policy at
http://www.mozilla.org/projects/security/certs/policy/.
SSL: CPS section 5.2.7 specifies the controls for applications for
server certificates. It says that in addition to verifying the
identity of the applicant, they use the whois service (www.whois.net)
to verify that the organization owns the FQDN in the requested
certificate.
Email: CPS section 5.2.6 specifies the controls for applications for
the Certigna ID certificates. It says that in addition to verifying
the identity of the applicant, they check the email address as follows
as per the supplied translation:
“On left part of the email address, we have to found, in a non
equivoque form, the name and the first name of the future bearer. In
the opposite case, and in case of a doubt on the intention of
usurpation, it is important to report that at the security responsible
who will defined the actions to make (exhaustive check of the order,
reject or acceptation).
On the right part of the email address is located the name of the web
site of the entity or the name of a FAI (and name of another entity).”
Code Signing: There is a separate internal document for the new code-
signing sub-CA. The section of the document that describes the
verification of the identity of the subscriber has been translated
into English and attached to the bug:
https://bugzilla.mozilla.org/attachment.cgi?id=365278
I am not aware of any potentially problematic practices, as per
https://wiki.mozilla.org/CA:Problematic_Practices
The SSL certs are OV. End-entity certs are issued from intermediate
CAs, and the intermediate CAs are internally operated. OCSP and CRLs
were both successfully used in Firefox.
This begins phase 2 of the public discussion of the request from
Certigna to add the Certigna CA root certificate to Mozilla.
Kyle Hamilton
> Email: CPS section 5.2.6 specifies the controls for applications for
> the Certigna ID certificates. It says that in addition to verifying
> the identity of the applicant, they check the email address as follows
> as per the supplied translation:
> “On left part of the email address, we have to found, in a non
> equivoque form, the name and the first name of the future bearer. In
> the opposite case, and in case of a doubt on the intention of
> usurpation, it is important to report that at the security responsible
> who will defined the actions to make (exhaustive check of the order,
> reject or acceptation).
> On the right part of the email address is located the name of the web
> site of the entity or the name of a FAI (and name of another entity).”
I'll be so bold as to try to translate this into better English (this
is obviously NOT to be considered authoritative):
The left-hand side of the email address must contain both the first
and last name of the person in order to pass the automatic issuance
procedure [[NB: this is due to the word 'and' in the translation; I
would assume that it should actually be an 'or', and the email address
has to at least be the last name of the subscriber]]. If the
left-hand side of the email address does not contain the first and[or]
last name of the person, then it gets passed up the line for manual
review. [[NB: the mechanism for manual review is not defined, but
allows for a more exhaustive verification, automatic denial (such as
'georg...@thisisnottheofficialbushdomain.com', I presume), or
immediate acceptance (under some unknown criteria).]]
On the right-hand side (sitename) part of the email address must be
either the name of the web site [[NB: this suggests that it must be,
for example, 'hec...@www.mozillafoundation.org' instead of
'hec...@mozillafoundation.org']], or the name of a [[??What is an
FAI??]] and another entity. [[NB: presumably 'gmail.com' would be the
'name of another entity', but I'm still unable to parse this
sentence.]]
To Certigna: I am very sorry if I have mangled the meaning of your CPS
through the apparently-automated translation.
> This begins phase 2 of the public discussion of the request from
> Certigna to add the Certigna CA root certificate to Mozilla.
Thank you, Kathleen. (And thank you, Frank, for getting Mozilla to
hire her. :))
-Kyle H
Eddy Nigg
> The relevant, public portion of their CPS has been attached to the
> bug:
> https://bugzilla.mozilla.org/attachment.cgi?id=364343
>
> Translations of portions of this document have also been attached to
> the bug:
> https://bugzilla.mozilla.org/attachment.cgi?id=364146
As a by-note I'd like to state that that ETSI 101 456 and ETSI TS 102
042 speak very clearly about "The CA shall make available to subscribers
and relying parties its certification practice statement, and other
relevant documentation, as necessary to assess conformance to the
qualified certificate policy."
As such Certigna is not complying to the audit criteria it chose!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org
Ian G
> On 03/03/2009 11:35 PM, kathle...@yahoo.com:
Kathleen,
are we planning to move the discussions of accepting CAs into the root
list over to the other list? I think that dev-security-policy is going now?
iang
Kathleen Wilson
> list over to the other list? I think that dev-security-policy is going now?
OK. If no one objects, I will post all future root inclusion request
discussions on mozilla.dev.security.policy instead of
dev.tech.crypto.
Kathleen
Kyle Hamilton
-Kyle H
> --
> dev-tech-crypto mailing list
> dev-tec...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
Nelson B Bolyard
> I second this motion, no objections.
>
> -Kyle H
>
> On Tue, Mar 10, 2009 at 10:48 AM, Kathleen Wilson
> <kathle...@yahoo.com> wrote:
Me too. I'll bet there are some web pages that need to be updated to
point to the new list instead of the crypto list.
Kathleen Wilson
of their CPS. There has been very little resulting discussion.
Are there still questions that need to be addressed in this public
discussion phase? Or shall I move forward with making the
recommendation to approve this request?
Eddy Nigg
The internal document for code signing should have been made part of the
CP/CPS. Apart from that I've not seen anything of concern.
Unfortunately my knowledge in the French language is not sufficient
enough in order to understand the CPS. Preferable we should be able to
review (and understand) the CPS in its entirety, however I don't feel
this to be a reason at this stage to question their inclusion after they
complied to our requests from the first round.
Kathleen Wilson
for this root inclusion request, and reviewed the information that has
been provided.
Certigna met the request from the first round of public discussion to
post and translate the relevant portions of their CPS. During the
discussions two items have been requested:
1) The public portion of the Certigna CPS should be made public and
posted on their website.
2) The internal document for code signing should be made part of the
CPS.
While Certigna is encouraged to do these two action items, these will
not block the inclusion request.
This concludes the public discussions about Certigna’s request to add
one new root CA certificate to the Mozilla root store, as documented
in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=393166
I will post a summary of the request and my recommendation for
approval in the bug.