Microsec Root Inclusion Request Round 2
kathle...@yahoo.com
root store. The first public discussion of this inclusion request can
be found here:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/416427a350db11a9#
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=370505
Pending certificates list entry:
http://www.mozilla.org/projects/security/certs/pending/#Microsec
Summary of Information Gathering and Verification Phase:
https://bugzilla.mozilla.org/attachment.cgi?id=332762
There were two items of note in the first public discussion.
The first concern was about the Microsec practice of having a separate
root for OCSP, particularly given the inclusion of AIA extensions with
OCSP URLs in end entity certificates. From the first discussion it
looked like Microsec is removing AIA extensions with OCSP URLs from
end entity certificates and from intermediate CA certificates, and
this should address this problem going forward. It also looked like
Microsec’s long-term plan would completely resolve the concerns.
Microsec’s long-term plan is to introduce an OCSP service that is
usable for the general public, such that it does not require
authentication and works using the 'authorized responder' concept.
They already had a discussion with the National Communications
Authority, so they will be able to issue OCSP responder certificates
with their CAs, even with CAs that sign qualified certificates.
The second concern was that all of the CPSs were provided in
Hungarian. Microsec has used a third-party translation company (http://
www.kfi.hu) to prepare the translation of their CPS that is used for
web server certificates, code signing certificates, e-mail encryption
certificates and SSL client certificates.
http://www.e-szigno.hu/docs/szsz--hsz--altalanos--v1.6--EN.doc
This is the translation of version 1.6 that will come into effect on
the 9th of March, 2009. Note that the other CPSs have very similar
content, but they were required to create separate CPSs for for
qualified and non-qualified electronic signature certificates. We only
requested that the one CPS be translated.
The procedure for the verification of the subscriber identity/
organization and ownership of domain name and email address is
discussed in Sections 3.2 and 4.2. The issuing frequency of CRLs is
discussed in Section 4.10.
This begins phase 2 of the public discussion of the request from
Microsec to add the Microsec e-Szigno Root CA root certificate to
Mozilla.
Eddy Nigg
> This begins phase 2 of the public discussion of the request from
> Microsec to add the Microsec e-Szigno Root CA root certificate to
> Mozilla.
First of all I want to congratulate István for the speedy and efficient
response with the translation of the CPS. I believe this to be an
extremely positive development for the review and inclusion process -
and certainly useful for all parties involved! It shows that it can be
done in a useful time. I don't want to complicate matters, but I would
like to ask if there is some confirmation about the correctness of the
translation. Also I can't find now the latest audit statement, can you
provide me with a URL?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org
Eddy Nigg
> First of all I want to congratulate István for the speedy and efficient
> response with the translation of the CPS. I believe this to be an
> extremely positive development for the review and inclusion process -
> and certainly useful for all parties involved! It shows that it can be
> done in a useful time. I don't want to complicate matters, but I would
> like to ask if there is some confirmation about the correctness of the
> translation. Also I can't find now the latest audit statement, can you
> provide me with a URL?
>
More questions (and I apologize upfront if we asked it in the previous
round already - that thread has some 11+ messages):
I understand that subscribers have to appear in person at the "service
provider" in order to receive the private key? Anyway, how exactly do
you verify email addresses and domain names to be under control by the
subscriber?
In the meantime I could find the reference to the confirmation letter of
supervision. It's at http://srv.e-szigno.hu/menu/docs/NhhSupervision2008.pdf
The letter claims that the next audit is scheduled for autumn 2008, has
the audit been successfully completed? Is there any other reference to
the various ETSI CA policy requirements besides the letter?
Frank Hecker
> I don't want to complicate matters, but I would
> like to ask if there is some confirmation about the correctness of the
> translation.
If you have particular sections where you are concerned about the
accuracy of the translation, we can ask someone on the Mozilla Hungarian
localization team to double-check the translation. However they are
volunteers, and I do not want to burden them by asking them to check the
entire CPS translation.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
Eddy Nigg
> If you have particular sections where you are concerned about the
> accuracy of the translation, we can ask someone on the Mozilla Hungarian
> localization team to double-check the translation. However they are
> volunteers, and I do not want to burden them by asking them to check the
> entire CPS translation.
The CPS looks accurate as far as I can see, I just wanted to know if
they perhaps bothered already to produce a confirmation beforehand. If
one exists even the better, why not have it. I don't want to burden the
localization people with this.
istvan...@microsec.hu
> like to ask if there is some confirmation about the correctness of the
> translation.
We received a paper-based declaration from the translation company
stating that "the translated text is in full conformity with the
Hungarian original".
This declaration is physically attached to the document with some
special ribbon
led through all of the pages of the translation. Unfortunately, this
form
of authentication is inherently paper-based, I do not see any sensible
way of sending it in an electronic format.
However, you may contact the translation company at in...@kfi.hu for a
confirmation.
We gave them this document to be translated:
http://srv.e-szigno.hu/menu/docs/szsz--hsz--altalanos--v1.6.pdf
And they provided the above doc file as a translation.
> I understand that subscribers have to appear in person at the "service
> provider" in order to receive the private key?
In case of Class 3 certificates - that includes web server and code
signing certificates -
the personal meeting at registration is mandatory.
If the certificate is issued on a smart card - which is typical in
case of certificates
for encrypting e-mails - the subject also receives the private key at
this point.
In case of web server certificates, the keypair is typically generated
by the subscriber,
and we do not receive the private key, we receive a PKCS#10 request
only.
> Anyway, how exactly do you verify email addresses and domain names
> to be under control by the subscriber?
E-mail addresses are verified by sending an e-mail to that address,
and the contents of this e-mail are needed at registration.
Domain names are verified using the online registry for appropriate
domains,
e.g. http://www.domain.hu for the .hu top level domains.
If the subscriber is not the registered owner of the domain, we
request
on official letter from the owner confirming that the subscriber is
allowed
to request the certificate.
> The letter claims that the next audit is scheduled for autumn 2008, has
> the audit been successfully completed?
Yes, the audit has been successfully completed. We have not received
an English confirmation letter. We can ask one from the Hungarian
National
Communications Authority if necessary, but it takes time.
> Is there any other reference to the various ETSI CA policy
> requirements besides the letter?
I don't quite understand what you mean here. ETSI policy documents are
referred in
our CPSs (e.g. in Section 1.1.5). The ETSI policy documents are also
referred
in the confirmation letter. Could you be more specific on what you
mean?
Kathleen Wilson
discussion phase? Or shall I move forward with making the
recommendation to approve this request?
Eddy Nigg
> Are there still questions that need to be addressed in this public
> discussion phase? Or shall I move forward with making the
> recommendation to approve this request?
I have once again reviewed the letter of confirmation from the National
Communications Authority and Microsec has demonstrated compliance to
ETSI's requirements according to the letter.
In my option there are no outstanding questions and I want to thank
István for his very positive cooperation!
Kyle Hamilton
I'd like to see a photo of how the security tape is wound through the
paper translation, but that's just a matter of personal curiosity. :)
-Kyle H
> --
> dev-tech-crypto mailing list
> dev-tec...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
Kathleen Wilson
for this root inclusion request, and reviewed the information that has
been provided.
The concerns that were raised during the first round of public
discussion have been addressed, and this second round of public
discussion has not raised any additional concerns.
This concludes the public discussions about Microsec’s request to add
one new root CA certificate to the Mozilla root store, as documented
in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=370505
I will post a summary of the request and my recommendation for
approval in the bug.