
Including FNMT cert in Firefox 3 (Spanish government)


Nukeador

May 20, 2008, 3:25:21 AM
Hello all,

Following all comments and information in Bug 408008
(https://bugzilla.mozilla.org/show_bug.cgi?id=408008), I think that it's
a high priority to include this cert in the upcoming Firefox 3 release.

An official member of the FNMT has sent all the requested information
to the bug and, as you can see, this is requested by all Spanish users
for their communication with official sites.

As Jose Carlos commented in the bug:

"You have to understand that FNMT is the issuer designated by the Government
as CA. Though there are other recognised CAs, it is the main one,
used in every official website. Also, to get the extent of this,
every new National ID card (which is mandatory for every citizen) is
a smartcard with a cert issued by FNMT CA, which can be legally used
to digitally sign any document, and it, by Spanish Digital Signature
Law, has to be recognized as such not only by the Government, but by every
citizen. Please, it is an important certificate, that has to be
included to promote Firefox use among Spanish users. Not having it
will mean that a lot of official webpages 'won't work' with FF from
the users' point of view. And they will use IE instead."

I hope this message helps to speed up the process catching your
attention ;)

Regards.

willyaranda

May 21, 2008, 7:06:18 AM

I don't know how certificates are used in Firefox3. If they are
embedded in the main program or they are retrieved from mozilla's
website.

Well, the thing is, who must do the next step, Mozilla or FNMT? But we
need the CA. Why?
Nukeador has posted a comment that is in the bug, but I need to add:

The *only* railway company, which is public, has the certificate
(www.renfe.es).
The principal mail company has the certificate.
All lawyers' colleges have an FNMT certificate to sign and verify that all
bits are correct.
Public administration has the certificate, in the new ID and for all
kinds of operations on the Internet.

So, for Spanish users, we NEED the certificate.
If a person sees a security alert on these sites, he/she AUTOMATICALLY
leaves the page and opens Internet Explorer, which doesn't show that kind
of warning.

Thanks...

Eddy Nigg (StartCom Ltd.)

May 21, 2008, 8:09:00 AM
to mozilla's crypto code discussion list

willyaranda:
> I don't know how certificates are used in Firefox3. If they are
> embedded in the main program or they are retrieved from mozilla's
> website.
>
> Well, the thing is that who must do the next step, Mozilla or FMNT,
> but we need the CA. Why?
> So, for Spanish users, we NEED the certificate.
> If a person sees a security alert on these sites, he/she AUTOMATICALLY
> leaves the page and open Internet Explorer that doesn't show that kind
> of warning.

Please make FNMT or the individual CAs aware of this fact and ask them to make a request for inclusion according to the guidelines from here: http://wiki.mozilla.org/CA:Root_Certificate_Requests

There is nothing else you can do at this stage.


Regards

Signer:  Eddy Nigg, StartCom Ltd.
Jabber:  star...@startcom.org
Blog:  Join the Revolution!
Phone:  +1.213.341.0390

Nukeador

May 21, 2008, 10:35:47 AM
Eddy Nigg (StartCom Ltd.) wrote:

> Please make FNMT or the individual CAs aware of this fact and ask them to make a request for inclusion according to the guidelines from here: http://wiki.mozilla.org/CA:Root_Certificate_Requests
>
> There is nothing else you can do at this stage.

They have already done it in bug 408008 (https://bugzilla.mozilla.org/show_bug.cgi?id=408008), Cristina is from FNMT and, as you can see, she sent all the information to the bug via Pascal.

Jose Amalio

May 21, 2008, 4:00:47 PM

pity, let's go back to iexplorer

Eddy Nigg (StartCom Ltd.)

May 21, 2008, 4:31:19 PM
to mozilla's crypto code discussion list
Nukeador:
OK, I understand. This request is fairly new, but I also can't see anywhere at this bug that the representative of this CA submitted and completed all information required to start any evaluation according to http://wiki.mozilla.org/CA:Root_Certificate_Requests

This bug can't be considered to be a request for inclusion. I suggest that the representative opens a new bug and provides all needed information according to the template from the above link. Once an inclusion request has been submitted correctly the request will be considered and processed accordingly. (Please also note that currently there is a backlog of processing CA inclusion requests.)

Kyle Hamilton

May 21, 2008, 4:36:14 PM
to mozilla's crypto code discussion list
Cristina needs to OPEN a NEW BUG, with all her contact information.
The management of the request can only be done via direct contact
between the CA and the root team.

There has been no valid request for inclusion. There is no "ball" in
Mozilla's court. An authorized representative of FNMT must contact
Mozilla directly, else there is no 'game'.

In order for the ball to be in anyone's court, the rules of the game
must be followed. The ball hasn't even been served.

(It is akin to a fan kicking a football onto the field from the stands
and expecting the teams to play with it.)

-Kyle H


Gen Kanai

May 21, 2008, 4:51:50 PM
to mozilla's crypto code discussion list
On May 22, 2008, at 5:36 AM, Kyle Hamilton wrote:

> Cristina needs to OPEN an NEW BUG, with all her contact information.
> The management of the request can only be done via direct contact
> between the CA and the root team.
>
> There has been no valid request for inclusion. There is no "ball" in
> Mozilla's court. An authorized representative of FMNT must contact
> Mozilla directly, else there is no 'game'.
>
> In order for the ball to be in anyone's court, the rules of the game
> must be followed. The ball hasn't even been served.
>
> (It is akin to a fan kicking a football onto the field from the stands
> and expecting the teams to play with it.)

Kyle is absolutely correct.

Many other CAs have been working with Mozilla to get inclusion into
Firefox.

You can see the list of CAs and the status of the requests here:

http://www.mozilla.org/projects/security/certs/pending/

Gen

Nukeador

May 21, 2008, 5:22:58 PM
Eddy Nigg (StartCom Ltd.) wrote:
> OK, I understand. This request is fairly new, but I also can't see anywhere at this bug that the representative of this CA submitted and completed all information required to start any evaluation according to http://wiki.mozilla.org/CA:Root_Certificate_Requests

Comments #3 and #4 (translation) are evidence of a representative of the CA asking for inclusion, and the attachment has the information requested in that wiki page.

Am I missing something?

Kyle Hamilton

May 21, 2008, 5:35:23 PM
to mozilla's crypto code discussion list
The representative of the CA must contact the Mozilla Foundation
directly, not through an intermediary. That's the point that you're
missing.

-Kyle H

Eddy Nigg (StartCom Ltd.)

May 21, 2008, 5:35:29 PM
to mozilla's crypto code discussion list
Nukeador:
Apparently yes! From http://wiki.mozilla.org/CA:Root_Certificate_Requests see the lower section. I suggest that the representative of the CA starts a new bug according to the instructions of this page:

CA Details
----------

CA Name:     [                                                     ]

Website URL: [http://                                              ]

CA Summary: 
  [ A one Paragraph Summary of your CA,                            ]
  [ including the following:                                       ]
  [ - General nature (e.g., commercial, government,                ]
  [                   academic/research, nonprofit)                ]
  [ - Primary geographical area(s) served                          ]
  [ - Number and type of subordinate CAs                           ]

Audit Type (WebTrust, ETSI etc.):  [                               ]

Auditor:  [                                                        ]

Auditor Website URL: [http://                                      ]

Audit Document URL(s): 
  [http://                                                         ]
  [http://                                                         ]

URL of certificate hierarchy diagram (if available):
  [http://                                                         ]

Certificate Details
-------------------
(To be completed once for each root certificate; note that we only 
 include root certificates in the store, not intermediates.)
  
Certificate Name:  [ a short name, 60 characters max, no ':'       ]

Summary Paragraph:
  [ including the following:                                       ]
  [ - End entity certificate issuance policy,                      ]
  [   i.e. what you plan to do with the root                       ]

Root certificate download URL (on CA website):
  [http://                                                         ]
  [alternatively, paste a copy of the certificate in "PEM" format  ]

Certificate SHA1 Fingerprint (in hexadecimal):
  [ XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX    ]

Key size (for RSA, modulus length) in bits: [                      ]

Valid From (YYYY-MM-DD): [                                         ]
Valid To (YYYY-MM-DD):   [                                         ]

CRL HTTP URL (if any):
  [http://                                                         ]

CRL issuing frequency for subordinate CA certificates: [      days ]
CRL issuing frequency for subordinate EE certificates: [      days ]

OCSP responder URL (if any):
  [http://                                                         ]

Class: [domain-validated, identity/organizationally-validated or EV ]

Certificate Policy URL:
  [http://                                                         ]

CPS URL:
  [http://                                                         ]

Requested Trust Indicators: [ email and/or SSL and/or code signing ]

URL of a sample website using a certificate chained to this root 
(if applying for SSL):
  [https://                                                        ]
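A checker for submissions written in the template quoted above, as an added example for this page (not a Mozilla tool and not code from anyone in the thread): it reports fields left unfilled, checks the date, key-size, class and trust-indicator fields for the shape the template asks for, and compares the stated SHA1 fingerprint against a pasted PEM certificate. The CA name, URLs, dates and the "certificate" in it are constructed placeholders, and the set of fields it treats as mandatory is this example's own assumption.

```python
"""Completeness check for a root-inclusion request written in the Mozilla
template quoted above (added example for this page, not a Mozilla tool;
the sample submission and its 'certificate' below are constructed)."""
import base64
import hashlib
import re
from datetime import date

# Labels exactly as the template spells them; which ones must be filled
# before review can start is this example's assumption, not Mozilla policy.
FP = "Certificate SHA1 Fingerprint (in hexadecimal)"
DL = "Root certificate download URL (on CA website)"
KEYSIZE = "Key size (for RSA, modulus length) in bits"
REQUIRED = ["CA Name", "Website URL", "Audit Type (WebTrust, ETSI etc.)",
            "Auditor", "Certificate Name", FP, KEYSIZE, "Class",
            "Valid From (YYYY-MM-DD)", "Valid To (YYYY-MM-DD)",
            "Requested Trust Indicators"]
CLASSES = {"domain-validated", "identity/organizationally-validated", "EV"}
INDICATORS = {"email", "SSL", "code signing"}
SKELETON = {"", "http://", "https://"}  # what an untouched box contains
LABEL_RE = re.compile(r"^\s*([^\[\]]+?):\s*(.*)$")
FP_RE = re.compile(r"([0-9A-Fa-f]{2} ){19}[0-9A-Fa-f]{2}")


def parse_submission(text):
    """Map each 'Label:' to the text of its [ ... ] boxes, which the template
    puts on the label's own line or on the lines below it.  Untouched boxes
    and the XX XX fingerprint mask count as unfilled; prose placeholders such
    as 'A one Paragraph Summary of your CA' are not detected."""
    fields, label = {}, None
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            label, rest = m.group(1).strip(), m.group(2)
            fields.setdefault(label, [])
        else:
            rest = line
        if label is None:
            continue
        for box in re.findall(r"\[(.*?)\]", rest):
            box = box.strip()
            if box not in SKELETON and not box.startswith("XX XX"):
                fields[label].append(box)
    return {k: " ".join(v) for k, v in fields.items()}


def pem_fingerprint(pem):
    """SHA1 over the DER bytes of a PEM certificate, spelled the way the
    template asks for it: 20 upper-case hex bytes separated by spaces."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    digest = hashlib.sha1(base64.b64decode(body)).digest()
    return " ".join(f"{b:02X}" for b in digest)


def check_request(text, pem=None):
    """List the problems in a submission; [] means the form is complete and
    internally consistent, which is where the actual evaluation starts."""
    f = parse_submission(text)
    problems = [f"missing: {k}" for k in REQUIRED if not f.get(k)]
    if not f.get(DL) and pem is None:
        problems.append("no root certificate: give a download URL or paste PEM")
    fp = f.get(FP, "")
    if fp and not FP_RE.fullmatch(fp):
        problems.append("fingerprint is not 20 space-separated hex bytes")
    elif fp and pem is not None and pem_fingerprint(pem) != fp.upper():
        problems.append("fingerprint does not match the pasted certificate")
    if f.get(KEYSIZE) and not f[KEYSIZE].isdigit():
        problems.append("key size must be a whole number of bits")
    start, end = f.get("Valid From (YYYY-MM-DD)"), f.get("Valid To (YYYY-MM-DD)")
    if start and end:
        try:
            if date.fromisoformat(end) <= date.fromisoformat(start):
                problems.append("Valid To is not after Valid From")
        except ValueError:
            problems.append("validity dates must be YYYY-MM-DD")
    if f.get("Class") and f["Class"] not in CLASSES:
        problems.append("Class must be one of " + ", ".join(sorted(CLASSES)))
    wanted = f.get("Requested Trust Indicators")
    if wanted and not set(re.split(r"\s*(?:and/or|,)\s*", wanted)) <= INDICATORS:
        problems.append("trust indicators must come from " + ", ".join(sorted(INDICATORS)))
    return problems


# Constructed submission in the template's layout; every value is made up.
SAMPLE = """\
CA Name:     [ Example Government CA (constructed)                   ]
Website URL: [http://ca.example.invalid/                             ]
Audit Type (WebTrust, ETSI etc.):  [ WebTrust                        ]
Auditor:  [ Example Auditor Ltd. (constructed)                       ]
Certificate Name:  [ Example Government Root CA                      ]
Root certificate download URL (on CA website):
  [                                                                  ]
Certificate SHA1 Fingerprint (in hexadecimal):
  [ A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D     ]
Key size (for RSA, modulus length) in bits: [ 2048                   ]
Valid From (YYYY-MM-DD): [ 2008-01-01                                ]
Valid To (YYYY-MM-DD):   [ 2028-01-01                                ]
Class: [ identity/organizationally-validated                         ]
Requested Trust Indicators: [ SSL and/or email                       ]
"""
# Stand-in for the pasted PEM: base64 of the bytes "abc", not a real DER
# certificate, so its SHA1 is the well-known test vector a9993e36...
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```

`check_request(SAMPLE, SAMPLE_PEM)` returns an empty list; drop the PEM, blank a box or change a fingerprint byte and the corresponding problem is reported.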

Nukeador

May 21, 2008, 5:59:11 PM
Eddy Nigg (StartCom Ltd.) wrote:
> Apparently yes! From http://wiki.mozilla.org/CA:Root_Certificate_Requests see the lower section. I suggest that the representative of the CA starts a new bug according to the instructions of this page:

Ok, I'm now contacting Cristina Acedo, who is from the FNMT, and giving her the details to open a bug herself with the information in that particular template.

One doubt: how are the new certificates included in Firefox? With new releases? Are they updated from a server?

Regards.

Frank Hecker

May 21, 2008, 6:19:26 PM
Nukeador wrote:
> One doubt, how are the new certificates included in Firefox? With new
> releases? Are they updated from a server?

New root certificates are first added to NSS (the cryptographic library
used by Firefox) and then new releases of NSS are incorporated into
future versions of Firefox. We do not currently have a mechanism to
update the root certificate list from a server.

However Firefox does have an automated update mechanism that is used by
almost all Firefox users, so once a new Firefox version is released the
vast majority of users (90% or more) will be updated to the new release
within a few weeks.

New Firefox versions are released every one or two months to address
security vulnerabilities or other bugs. However because it takes time
for us to process CA requests, it may be 6 months or more from the time
a request is submitted to us by a CA and the time a version of Firefox
including that CA's root is released.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Eddy Nigg (StartCom Ltd.)

May 21, 2008, 6:20:41 PM
to mozilla's crypto code discussion list
Nukeador:
The approved CA roots are hard coded into a library which is part of the NSS library. Updates of the NSS library are shipped with updated versions of Firefox from time to time, which means that it doesn't require a major release like the upcoming version 3 for new CAs to be included; release updates have also often included new CAs.

Nelson Bolyard

May 21, 2008, 11:53:10 PM
Nukeador wrote, On 2008-05-21 14:59:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Apparently yes! From
>> http://wiki.mozilla.org/CA:Root_Certificate_Requests see the lower
>> section. I suggest that the representative of the CA starts a new bug
>> according to the instructions of this page:

> Ok, I'm contacting now with Cristina Acedo, who is from the FNMT, and
> giving her the details to open a bug herself with the information inside
> that particular template.

I would say that a new bug is not necessary. What *IS* necessary is
direct communication between an official CA representative and Mozilla
through the bug system, and that all the information requested be provided.
Any information upon which Mozilla will rely in performing its evaluation
must not come through a third party.

If using the English language presents a problem, then I would suggest that
the CA representative delegate this responsibility to some other CA
employee or officer who can act as an official CA representative.

To put the FNMT request in perspective:

FNMT is one of a small number of official CAs for parts of Spain.
According to a presentation about this subject made by izenpe earlier
this week,
for Catalonia, there is Catcert,
for Comunidad de Valencia, there is ACCV,
for the Basque regions, there is izenpe,
and for the rest of Spain, there are
FNMT, CameraFirma, ipsCA, FirmaProfesional, and "Notaries"
(I may have erred in that last transcription).

FNMT issues smart cards with certificates on them to individuals, as does
izenpe for its region. The presentation says that FNMT's dni-e serves a
population of 44.7 million and izenpe serves a population of 2.13 million.
I believe those numbers are the numbers of individuals who are eligible to
receive smart cards with certs and private keys.

It should not be necessary for those CA certs to be included and trusted in
Mozilla for those individuals' certs to be usable for SSL client
authentication in Firefox. IMO, the principal reason for Mozilla to
include a root CA cert is for that cert to issue SSL server certs, and/or
code signing certs. I don't think we have any numbers for how many of
such certs are issued by those CAs. The number of server certs may not be
proportional to the number of individuals eligible to receive smart cards.

Of the CAs named above, these are already in NSS's built-in root CA list:
- AC Camerafirma SA CIF
- Chambers of Commerce Root
- Global Chambersign Root
- Autoridad de Certificacion Firmaprofesional CIF
- IPS Internet Publishing Services s.l. (6 roots)
- IPS Seguridad CA (1 root)

There are presently 5 open CA cert inclusion requests for CAs in Spain.
number  opened      summary
------  ----------  -----------------------------------------------
261778  2004-09-27  Add Camerfirma CA certificate
274100  2004-12-10  Add ACCV CA certificate (confirmed complete)
295474  2005-05-25  Add CATCert root CA certificate
361957  2006-11-27  Add Izenpe CA EV root certificate (incomplete)
408008  2007-12-11  Add FNMT Root CA cert for SSL

Personal opinion: while I accept that FNMT may serve the largest number
of subscribers, their request is the most recent, and they did not even
make the request themselves. There are two requests that are 3+ years
older than theirs, one of which is confirmed complete. I think Mozilla
Foundation should make some attempt to honor those CAs who were diligent
and timely in making their requests, and not displace them for an
additional indefinite time to give preference to a larger CA.

/Nelson

Nukeador

May 22, 2008, 3:46:52 AM
I understand your point, but this request has nothing to do with the
personal certificates or the electronic identity document (e-DNI), which is
the only official way to identify a person in Spain. The problem
is that all official and public pages in ALL regions use this
certificate when they serve secure content, including the only rail
company. You have to understand that it's a public CA, not a private
enterprise; FNMT is part of the Treasury and Economy Department of
Spain.

I don't know the status of the other Spanish CA requests; if they are
complete I don't know why they are not approved yet, but this should
not be a problem to include the FNMT cert when they have uploaded all
information in the correct way; you don't have to displace any other CA
to approve this.

It's not a matter of size, it's a matter of importance.

Eddy Nigg (StartCom Ltd.)

May 22, 2008, 4:06:21 AM
to mozilla's crypto code discussion list
Nukeador:
> I don't know the status of the other Spanish CA request, if they are
> complete I don't know why they are not approved yet, but this should
> not be a problem to include FNMT cert when they have uploaded all
> information in the correct way

You are right! It's not a problem to start the evaluation of this CA when they have uploaded all information the correct way...
...the problem is they have not done so yet! As a matter of fact they haven't quite started yet. I'm sure that Mozilla will love to tend to this request once some relevant information exists.

Gen Kanai

May 22, 2008, 4:19:24 AM
to mozilla's crypto code discussion list
On May 22, 2008, at 4:46 PM, Nukeador wrote:

> You have to understand that it's a public CA, not a private
> enterprise, FNMT is part of the Treasury and Economy Department of
> Spain.

FNMT is not the only public CA in the list.

See below:

"Kamu Sertifikasyon Merkezi is the one government CA in Turkey that
has authorization to issue certificates to government entities."
http://www.mozilla.org/projects/security/certs/pending/#Kamu%20SM

Korea Information Security Agency (KISA):
http://www.mozilla.org/projects/security/certs/pending/#KISA

> I don't know the status of the other Spanish CA request, if they are
> complete I don't know why they are not approved yet, but this should
> not be a problem to include FNMT cert when they have uploaded all
> information in the correct way, you don't have displace any other CA
> to approve this.
>
> It's not a matter of size, it's a matter of importance.


How do you propose to prioritize the "importance" of the Turkish
government request vs. the Korean govt. request vs. that of FNMT?

pascal

May 22, 2008, 5:38:18 AM
to mozilla's crypto code discussion list
Gen Kanai wrote:

> On May 22, 2008, at 4:46 PM, Nukeador wrote:
>
>> You have to understand that it's a public CA, not a private
>> enterprise, FNMT is part of the Treasury and Economy Department of
>> Spain.
>
> FNMT is not the only public CA in the list.
>

Nukeador is speaking about the case of Public CA vs Private CA in Spain,
not worldwide.

Pascal

Eddy Nigg (StartCom Ltd.)

May 22, 2008, 6:45:07 AM
to mozilla's crypto code discussion list
pascal:
Just for better understanding: there is no preferential treatment for any type of certification authority. The only exception which has been made was the recent adding of roots and acceptance of CAs which issue extended validation (EV) certificates.

Frank Hecker

May 22, 2008, 12:29:49 PM
Eddy Nigg (StartCom Ltd.) wrote:
> Just for the better understanding, but there is no preferential
> treatment for any type of certification authorities. The only exception
> which has been made, was the recent adding of roots and acceptance of
> CAs which issue extended validation (EV) certificates.

For the record, that's not *quite* true. In the past we had a concern
about including root CA certificates for government-operated CAs below
the country level, e.g., CAs operated by municipalities and regional
governments. Our concern was based on the impact on browser footprint
(especially for mobile Firefox) of adding root CA certificate data for
what could turn out to be hundreds of government CAs, combined with the
time that we'd have to spend evaluating requests from all those CAs.
Because of that we postponed considering applications from
regional/local government CAs, including ACCV if I recall correctly.

We've discussed whether our official policy should address the question
of including government CAs below the country level, but we never could
reach consensus on what to do. One option we considered was having
localized versions of the root store, so that, for example, Firefox
users would not see roots for ACCV, etc., unless they were using one of
the Firefox versions localized for Spain and its regions (e.g., es-ES,
eu, ca, etc.). However there was strong opposition expressed to having
localized root lists, and in any case we don't currently have the
technical capability to do that.

Given the lack of consensus, I think the best course is simply to
consider requests from local/regional government CAs on a first-come,
first-served basis, just as we do for requests from commercial CAs.
However I believe we should prioritize requests for country-level
government CAs over requests for local/regional government CAs, whether
in the same country or a different one.

pascal

May 22, 2008, 4:02:23 PM
to mozilla's crypto code discussion list
Eddy Nigg (StartCom Ltd.) wrote:

> Nukeador:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>>
>>> Please make FNMT or the individual CAs aware of this fact and ask
>>> them to make a request for inclusion according to the guidelines from
>>> here: http://wiki.mozilla.org/CA:Root_Certificate_Requests
>>>
>>> There is nothing else you can do at this stage.
>>>
>> They have already done it in bug 408008
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=408008), Cristina is
>> from FNMT and, as you can see, she sent all the information to the bug
>> via Pascal.
>>
> OK, I understand. This request is fairly new, but I also can't see
> anywhere at this bug that the representative of this CA submitted and
> completed all information required to start any evaluation according to
> http://wiki.mozilla.org/CA:Root_Certificate_Requests

This page was created in March; they provided all the data in February
based on the scarce documentation we could point them to. You can't
blame them for not following guidelines that didn't exist, especially if
you haven't informed them personally of a process change after they
provided the requested information.

>
> This bug can't be considered to be a request for inclusion. I suggest
> that the representative opens a new bug and provides all needed

> information according to the *template* from the above link. Once an

> inclusion requests has been submitted correctly the request will be
> considered and processed accordingly. (Please also note that currently
> there is a backlog of processing CA inclusion requests.)
>

FNMT has emailed gerv asking if they should open a separate bug or not
asking if we needed more information and if they were following the
right process. They didn't get any response that's why I attached the
files they had sent to the bug.

I understand that there is a long backlog, that everybody is busy and
that other CAs are much more active on bugzilla than FNMT, but saying
that they did it incorrectly while we had no clear process to follow and
ignored their email is not correct; we definitely have our own wrongs on
this issue (and probably other CAs do too).

Fact is that a bug is open, that FNMT has contacted Mozilla Foundation
directly both by email and in the bug, they provided the information we
were asking and are waiting for us to get back to them with a yes or no
answer.

Pascal


Eddy Nigg (StartCom Ltd.)

May 22, 2008, 4:37:00 PM
to mozilla's crypto code discussion list
Hi Pascal,

I think it is inherently useless to argue about it; better accept the
current state as a fact: Mozilla is asking the CA to provide the
needed information as advised. I'm reading the entries in the bug and
nothing has been provided in February, and I can only see the submission
of the root certificate in April. Even if this request had been
completed in full previously, I doubt that this request would have been
processed by now. Currently it takes about half a year or longer to
get an inclusion request reviewed and, as Frank indicated, there might be
other priority considerations for this bug as well.

pascal:

> I understand that there is a long backlog, that everybody is busy and
> that other CA are much more active on bugzilla than FNMT , but saying
> that they did it incorrectly while we had no clear process to follow and
> ignored their email is not correct, we definitely have our own wrongs on
> this issue (and probably other CAs).
>

It doesn't help. Nelson pointed all of you to the steps which have to be
fulfilled at comment
https://bugzilla.mozilla.org/show_bug.cgi?id=408008#c5 in March. But
even December 2007 (when this bug was opened) would have been too late
for Firefox 3. In order to get anything done I suggest starting the
process as advised; you'll get better results in the end.

> Fact is that a bug is open, that FNMT has contacted Mozilla Foundation
> directly both by email and in the bug, they provided the information we
> were asking and are waiting for us to get back to them with a yes or no
> answer.
>
>

Oh, currently the people involved in evaluating this request aren't
anywhere near the position to give you any answer, be it positive or
negative. Apparently you aren't aware of the process for CA root
acceptance at Mozilla; this process is way more extensive than you
apparently think it is.

Frank, Nelson, I suggest that you mark bug 408008 as incomplete (again)
and let the CA open a new bug (and a new leaf) for this inclusion request.

Nelson B Bolyard

May 22, 2008, 5:09:18 PM
to mozilla's crypto code discussion list
pascal chevrel wrote, on 2008-05-22 13:01 PDT:
> Eddy Nigg (StartCom Ltd.) wrote:
>> http://wiki.mozilla.org/CA:Root_Certificate_Requests
>
> This page was created in March, they provided all the data in February
> based on the scarse documentation we could point them too. You can't
> blame them for not following guidelines that didn't exist, especially if
> you haven't informed them personally of a process change after they
> provided the requested information.

Pascal,

The requirements did not change in March. The requirements have been
the same for a very long time. The creation of the template page in
March was in response to the fact that quite a few CAs apparently did
not attempt to fulfill the published requirements when making their
applications. The template page now serves as a convenient and succinct
way to tell CAs what they must provide. It is ANOTHER way of stating the
existing requirements, not a new or changed requirement.

> FNMT has emailed gerv asking if they should open a separate bug or not
> asking if we needed more information and if they were following the
> right process. They didn't get any response that's why I attached the
> files they had sent to the bug.

Gerv doesn't work on this any more. The person assigned to administering
the process changes from time to time. There is an email address for the
administration that does not change when the assignment changes. That
email address (certif...@mozilla.org) is published, together with the
requirements, in http://www.mozilla.org/projects/security/certs/policy/
That email address is the only address that has been published for this
purpose since Mozilla's CA cert policy first went into effect years ago.

> I understand that there is a long backlog, that everybody is busy and
> that other CAs are much more active on Bugzilla than FNMT, but saying
> that they did it incorrectly while we had no clear process to follow and
> ignored their email is not correct, we definitely have our own wrongs on
> this issue (and probably other CAs).

They won't get a yes/no answer until they have supplied all the requisite
information in the bug.

> Fact is that a bug is open, that FNMT has contacted Mozilla Foundation
> directly both by email

According to your report, they contacted a private person formerly
responsible for administering the policy, not Mozilla Foundation.

> and in the bug, they provided the information we were asking

They did? That information was supplied in comment 8 by a third
party, namely you. Are you an official representative of FNMT?
If not, then I suggest that you step back, and make it clear to
FNMT that they must communicate with Mozilla directly in the bug.
Again, that is not a new requirement. Mozilla has enforced that
policy for years.

> and are waiting for us to get back to them with a yes or no
> answer.

I suspect that YOU set their expectation in this matter. I suggest that YOU
should reset their expectations to be in line with Mozilla's policy.

pascal

unread,
May 22, 2008, 6:45:38 PM5/22/08
to mozilla's crypto code discussion list
Nelson B Bolyard wrote:

>
>> and in the bug, they provided the information we were asking
>
> They did? That information was supplied in comment 8 by a third
> party, namely you. Are you an official representative of FNMT?
> If not, then I suggest that you step back, and make it clear to
> FNMT that they must communicate with Mozilla directly in the bug.
> Again, that is not a new requirement. Mozilla has enforced that
> policy for years.

I am a Mozilla Corp. employee and a Mozilla Europe board member; Gerv,
whom they contacted by email, is a Mozilla Foundation employee and has
been visible as the Mozilla CA guy in Europe for a long time. Are you
telling me that Cristina not creating the attachment herself but asking
European Mozilla employees for help is not communicating with Mozilla?

Should I draw the conclusion from your comments that you are now the new
person in charge of certificates for Mozilla Foundation replacing Gerv?

Pascal

Eddy Nigg (StartCom Ltd.)

unread,
May 22, 2008, 6:59:21 PM5/22/08
to pascal....@free.fr, dev-tec...@lists.mozilla.org
pascal:
> I am a Mozilla Corp. employee and a Mozilla Europe board member; Gerv,
> whom they contacted by email, is a Mozilla Foundation employee and has
> been visible as the Mozilla CA guy in Europe for a long time. Are you
> telling me that Cristina not creating the attachment herself but asking
> European Mozilla employees for help is not communicating with Mozilla?
>
> Should I draw the conclusion from your comments that you are now the new
> person in charge of certificates for Mozilla Foundation replacing Gerv?

Pascal, let me try to explain it better:

1.) Gerv is not the person in charge right now, but it's Frank Hecker since last October 2007.

2.) Mozilla needs much more than the CA root certificate. Mozilla needs all the information requested in the template, it needs information about policies and practice statements, audits, CRLs, OCSP responders and much, much more. Please see the pending requests at http://www.mozilla.org/projects/security/certs/pending/ and browse to the bugs of each entry. You'll see that they all had to provide information according to that template.

Hope this helps!

Gen Kanai

unread,
May 22, 2008, 7:06:09 PM5/22/08
to mozilla's crypto code discussion list


Nelson is a _module owner_ of NSS (and NSPR, and JSS for that matter).

http://www.mozilla.org/owners.html

Gerv/Frank and Nelson have very different roles and responsibilities
in this process as you can see.

Gen

pascal

unread,
May 22, 2008, 7:40:26 PM5/22/08
to mozilla's crypto code discussion list
Eddy Nigg (StartCom Ltd.) wrote:
> pascal:
>>
>> I am a Mozilla Corp. employee and a Mozilla Europe board member; Gerv,
>> whom they contacted by email, is a Mozilla Foundation employee and has
>> been visible as the Mozilla CA guy in Europe for a long time. Are you
>> telling me that Cristina not creating the attachment herself but asking
>> European Mozilla employees for help is not communicating with Mozilla?
>>
>> Should I draw the conclusion from your comments that you are now the new
>> person in charge of certificates for Mozilla Foundation replacing Gerv?
>>
>>
> Pascal, let me try to explain it better:
>
> 1.) Gerv is not the person in charge right now, but it's Frank Hecker
> since last October 2007.

Yes, apparently this information did not cross the pool to the European
office...

>
> 2.) Mozilla needs much more than the CA root certificate. Mozilla needs
> all the information requested in the template, it needs information
> about policies and practice statements, audits, CRLs, OCSP responders
> and much, much more. Please see the pending requests at
> http://www.mozilla.org/projects/security/certs/pending/ and browse to
> the bugs of each entry. You'll see that they all had to provide
> information according to that template.
>

I'd say that all of this information is provided in the 200-page
document provided by FNMT; if you think that some data is missing,
incomplete or that they haven't provided enough information on specific
points, it should have been mentioned in the bug so that they can act
upon it IMO. It is also not clear to me what FNMT has to do to go from
bug 408008 to the above URL.

pascal

Eddy Nigg (StartCom Ltd.)

unread,
May 22, 2008, 7:55:12 PM5/22/08
to pascal....@free.fr, mozilla's crypto code discussion list
pascal:
> Yes, apparently this information did not cross the pool to the European
> office...

:-)



> I'd say that all of this information is provided in the 200-page
> document provided by FNMT,

Which document? Can you point me to a link? I haven't seen anything like this... perhaps if you explain we can sort out the confusion.


> if you think that some data is missing,
> incomplete or that they haven't provided enough information on specific
> points, it should have been mentioned in the bug so that they can act
> upon it IMO.

Yes, I think Nelson has done that clearly at this comment: https://bugzilla.mozilla.org/show_bug.cgi?id=408008#c5


> It is also not clear to me what FNMT has to do to go from
> bug 408008 to the above URL.

Have the CA open a new bug, provide the details according to the template and offer some patience...all the rest will follow :-)

> pascal

Good night (Buenas noches)

Eddy Nigg (StartCom Ltd.)

unread,
May 22, 2008, 7:59:46 PM5/22/08
to mozilla's crypto code discussion list, pascal....@free.fr

Eddy Nigg (StartCom Ltd.):
> Good night (Buenas noches)

Excuse me, I meant to say good night (bonne nuit)... ;-)

pascal

unread,
May 22, 2008, 8:40:50 PM5/22/08
to mozilla's crypto code discussion list
Eddy Nigg (StartCom Ltd.) wrote:
> pascal:
>> Yes, apparently this information did not cross the pool to the European
>> office...
>
> :-)
>
>> I'd say that all of this information is provided in the 200-page
>> document provided by FNMT,
>
> Which document? Can you point me to a link? I haven't seen anything like
> this... perhaps if you explain we can sort out the confusion.
>
>

Sure, here are the documents they have linked in their .doc explaining
the audit and certificate policy:
http://www.cert.fnmt.es/content/pages_std/docs/dpc.pdf
http://www.cert.fnmt.es/content/pages_std/docs/ETSI.pdf

pascal

Eddy Nigg (StartCom Ltd.)

unread,
May 22, 2008, 9:13:55 PM5/22/08
to pascal....@free.fr, mozilla's crypto code discussion list
pascal:
> Sure, here are the documents they have linked in their .doc explaining
> the audit and certificate policy:
> http://www.cert.fnmt.es/content/pages_std/docs/dpc.pdf
> http://www.cert.fnmt.es/content/pages_std/docs/ETSI.pdf

Excellent, Pascal! Now the information above, together with all the other required details, must be provided at the bug. Preferably those should be in English whenever possible (though it's not a requirement). Again, I suggest a clean start and have Cristina or any other representative of the CA open a new bug, provide the information according to the template, which perhaps includes the information from above.

Opening a new bug will have no effect on the speed of when this CA will be reviewed, it will just make it clearer perhaps for the person reviewing the request. Completeness of the supplied information will however influence the speed of the process perhaps. I hope that we are in sync now...

Nelson B Bolyard

unread,
May 22, 2008, 9:56:54 PM5/22/08
to mozilla's crypto code discussion list
pascal wrote, On 2008-05-22 15:45:
> Nelson B Bolyard wrote:
>
>>> and in the bug, they provided the information we were asking
>> They did? That information was supplied in comment 8 by a third
>> party, namely you. Are you an official representative of FNMT?
>> If not, then I suggest that you step back, and make it clear to
>> FNMT that they must communicate with Mozilla directly in the bug.
>> Again, that is not a new requirement. Mozilla has enforced that
>> policy for years.
>
> I am a Mozilla Corp. employee and a Mozilla Europe board member; Gerv,
> whom they contacted by email, is a Mozilla Foundation employee and has
> been visible as the Mozilla CA guy in Europe for a long time.

Sounds like a lot of information has failed to cross the Atlantic in both
directions.

Since you don't post from a mozilla.org email address, I had no idea that
you work for Mozilla.

Gerv has not been responsible for the root CA program for at least 6 months.
He was on leave for quite some time, if I'm not mistaken.

> Are you telling me that Cristina not creating the attachment herself but
> asking for help to European mozilla employees is not communicating with
> Mozilla?

It's pretty apparent that NONE of the people who have been responding to
you in this thread had any idea that you were affiliated with Mozilla.
I think this may be the first thread in which you've ever posted in this
list/newsgroup. Maybe you should introduce yourself. You may be well
known in certain circles, but in this newsgroup, you're unknown.
Personally, I will look for confirmation from Frank before proceeding.

> Should I draw the conclusion from your comments that you are now the new
> person in charge of certificates for Mozilla Foundation replacing Gerv?

As NSS module co-owner, I share in the responsibility for ensuring that
the certs put into NSS have followed Mozilla's policy.

> Pascal

Frank Hecker

unread,
May 23, 2008, 12:05:54 AM5/23/08
to
Nelson B Bolyard wrote:
> It's pretty apparent that NONE of the people who have been responding to
> you in this thread had any idea that you were affiliated with Mozilla.
> I think this may be the first thread in which you've ever posted in this
> list/newsgroup. Maybe you should introduce yourself. You may be well
> known in certain circles, but in this newsgroup, you're unknown.
> Personally, I will look for confirmation from Frank before proceeding.

I'm sorry, proceeding with what?

>> Should I draw the conclusion from your comments that you are now the new
>> person in charge of certificates for Mozilla Foundation replacing Gerv?
>
> As NSS module co-owner, I share in the responsibility for ensuring that
> the certs put into NSS have followed Mozilla's policy.

And to add to this, for Pascal's benefit: I am responsible for the
overall process of evaluating root CA certificates for inclusion in
Mozilla, and I make the final decisions. Gerv has been at school and so
has not been involved with certificate stuff for the past 9 months or
so; however he may do some cert-related work this summer. Finally, we
have a new person, Kathleen Wilson, helping gather information from CAs
for use in our evaluation.

Gervase Markham

unread,
May 23, 2008, 11:57:18 AM5/23/08
to
pascal wrote:
> FNMT has emailed Gerv asking whether they should open a separate bug or
> not, asking whether we needed more information and whether they were
> following the right process. They didn't get any response; that's why I
> attached the files they had sent to the bug.

If people are emailing me specifically at ge...@mozilla.org and not
getting a response I want to know about it. (I would have directed them
to Frank.)

Gerv

pascal

unread,
May 24, 2008, 9:17:56 AM5/24/08
to Gervase Markham
Gervase Markham wrote:

That's the email they used, yes, so that would be an email address ending
in @fnmt.es, sent in February or maybe March.

Cristina contacted me in April (and actually sent emails to all the
European addresses she could find) for help:
"Hi, my managers tell me that a month ago they already sent you the data
you requested from us, to the address ge...@mozilla.org, with no reply.
We don't know whether you received it or whether we are the ones who did
not receive your reply.
I'm attaching the requested data; please guide me, if you can, through
the steps we need to take so that it can be included.
I'm writing to several contacts to get the certificate included, but we
are not managing to make progress.
I am the FNMT contact with you, so anything you need, you can raise it
with me.
Thanks"

probably in your spam box :)

Pascal

pascal

unread,
May 24, 2008, 9:19:08 AM5/24/08
to Frank Hecker
Frank Hecker wrote:

> And to add to this, for Pascal's benefit: I am responsible for the
> overall process of evaluating root CA certificates for inclusion in
> Mozilla, and I make the final decisions. Gerv has been at school and so
> has not been involved with certificate stuff for the past 9 months or
> so; however he may do some cert-related work this summer. Finally, we
> have a new person, Kathleen Wilson, helping gather information from CAs
> for use in our evaluation.
>

Great news, thanks Frank

Pascal

Nukeador

unread,
May 26, 2008, 6:16:42 AM5/26/08
to
Cristina has just opened a new bug with the information:

https://bugzilla.mozilla.org/show_bug.cgi?id=435736


Eddy Nigg (StartCom Ltd.)

unread,
May 26, 2008, 8:05:12 AM5/26/08
to mozilla's crypto code discussion list
Nukeador:
> Cristina has just opened a new bug with the information:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=435736

Congratulations. Now I think Frank can accept that bug.

Gervase Markham

unread,
May 26, 2008, 4:03:15 PM5/26/08
to
pascal wrote:
> That's the email they used yes, so that would be an email address ending
> in @fnmt.es sent in february or maybe march.

A search of all my email for this year reveals a message sent to me on
the 5th of March. I replied on the 7th of March at 15:24 my time, with
the following message.

Gerv

-------- Original Message --------
Subject: Re: Solicitude inclusion Root Certificate in Browser
Date: Fri, 07 Mar 2008 15:24:47 +0000
From: Gervase Markham <ge...@mozilla.org>
To: paco...@fnmt.es
References:
<OFDE467E2B.AF42D8C4-ONC12574...@fnmt.es>

paco...@fnmt.es wrote:
> As a member of the Management Directorate from the Spanish Certificate
> Authority FNMT-RCM, I attached the requested form to include the Root
> Certificate of our CA in next Mozilla browser versions.

The correct procedure for applying is detailed here:
http://wiki.mozilla.org/CA:Root_Certificate_Requests

I hope this is helpful :-)

Gerv


Nukeador

unread,
May 31, 2008, 7:38:52 AM5/31/08
to
Eddy Nigg (StartCom Ltd.) wrote:
> Nukeador:
>> Cristina has just opened a new bug with the information:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=435736
>
> Congratulations. Now I think Frank can accept that bug.
So now we can track the status at
http://www.mozilla.org/projects/security/certs/pending/ ?


Eddy Nigg (StartCom Ltd.)

unread,
May 31, 2008, 8:27:56 AM5/31/08
to mozilla's crypto code discussion list
Nukeador:
Please see the comment of Frank: https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c4

"Accepting bug. It will go into the queue with all the other requests, so we will not be processing it immediately."

Friends, there is a queue, there are others which applied long before you did. Completeness of the details you submitted will accelerate evaluation of your request, even though there is no guarantee that there won't be other considerations holding up your request in the future or even rejection is possible. You made the request now correctly, your request will be considered, please be patient!

Nukeador

unread,
May 31, 2008, 8:48:17 AM5/31/08
to
Eddy Nigg (StartCom Ltd.) wrote:
> Please see the comment of Frank:
> https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c4
>
> "Accepting bug. It will go into the queue with all the other requests,
> so we will not be processing it immediately."
>
> Friends, there is a queue, there are others which applied long before
> you did. Completeness of the details you submitted will accelerate
> evaluation of your request, even though there is no guarantee that
> there won't be other considerations holding up your request in the
> future or even rejection is possible. You made the request now
> correctly, your request will be considered, please be patient!
I'm patient, I'm just asking how we can track the status, nothing more
nothing less. I completely understand that there is a queue.


Eddy Nigg (StartCom Ltd.)

unread,
May 31, 2008, 9:33:45 AM5/31/08
to mozilla's crypto code discussion list
Nukeador:
You are already tracking it :-)

Just follow the bug comments...

Nukeador

unread,
Jul 20, 2008, 1:05:37 PM7/20/08
to
Is there a site with the pending requests queue? Just to see the order
and see more or less how long it would take.

Regards.


Eddy Nigg

unread,
Jul 20, 2008, 2:25:11 PM7/20/08
to
Nukeador:

> Is there a site with the pending requests queue? Just to see the order
> and see more less how long would it take.
>
> Regards.
>

We have the "Pending" page at
http://www.mozilla.org/projects/security/certs/pending/ which you most
likely know already. Otherwise there is no queue per se.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org

Blog: https://blog.startcom.org

Nukeador

unread,
Jul 20, 2008, 2:49:52 PM7/20/08
to
Eddy Nigg wrote:

> Nukeador:
>> Is there a site with the pending requests queue? Just to see the order
>> and see more or less how long it would take.
>>
>> Regards.
>>
>
> We have the "Pending" page at
> http://www.mozilla.org/projects/security/certs/pending/ which you most
> likely know already. Otherwise there is no queue per se.
>
Then I'm misunderstanding the procedure. Shouldn't FNMT request be there?


Eddy Nigg

unread,
Jul 20, 2008, 3:14:42 PM7/20/08
to
Nukeador:

That should happen when (most) information is complete in the bug. Is
this the case?

Nukeador

unread,
Jul 20, 2008, 4:34:45 PM7/20/08
to
Eddy Nigg wrote:

>>>
>> Then I'm misunderstanding the procedure. Shouldn't FNMT request be
>> there?
>>
>
> That should happen when (most) information is complete in the bug. Is
> this the case?
>
Yes, 2 months ago.

https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c4


Eddy Nigg

unread,
Jul 20, 2008, 4:55:14 PM7/20/08
to
Nukeador:

OK, hereby Frank has seen your request to add the details of FNMT to the
pending page and I guess that he'll gladly do so soon.

Eddy Nigg

unread,
Jul 20, 2008, 7:30:55 PM7/20/08
to
Eddy Nigg:

>
> OK, hereby Frank has seen your request to add the details of FNMT to the
> pending page and I guess that he'll gladly do so soon.
>

After having time to actually visit the bug entry I believe that FNMT
isn't ready yet for prime time. The status currently is at best
"information incomplete" until somebody has confirmed it otherwise.

A thorough review and information gathering phase has to be performed
before this bug can advance further. It should be possible to make an
entry in the pending page at a convenient time, except in case Frank has
other considerations which are unknown to me right now.

Nelson B Bolyard

unread,
Jul 20, 2008, 7:40:14 PM7/20/08
to mozilla's crypto code discussion list

Nukeador wrote, On 2008-07-20 10:05:
> Is there a site with the pending requests queue?

<https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&product=mozilla.org&component=CA+Certificates&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bugidtype=include&bug_severity=enhancement&keywords_type=nowords&keywords=meta&chfieldto=Now&cmdtype=doit&order=Bug+Number>

> Just to see the order and see more less how long would it take.

This is the complete list of unresolved requests, in order of submission.
That is not necessarily the order in which they are processed.

There are presently 55 requests in the queue.
The oldest dates back to September 2004.

27 have no indication of their status in the "status whiteboard" field.
6 are reported in "information incomplete" state.
9 are reported in "confirmed complete" state.
1 is reported as "probably complete". (?)
7 are reported in "public discussion" state.
5 are reported in "inclusion approved" state.

(2 are reported in both "confirmed complete" and "public discussion" state,
but I counted them only in public discussion.)

19 are categorized as EV requests.

Nelson B Bolyard

unread,
Jul 20, 2008, 8:07:03 PM7/20/08
to mozilla's crypto code discussion list

Eddy Nigg wrote, On 2008-07-20 16:30:
> Eddy Nigg:
>> OK, hereby Frank has seen your request to add the details of FNMT to the
>> pending page and I guess that he'll gladly do so soon.
>>
>
> After having time to actually visit the bug entry I believe that FNMT
> isn't ready yet for prime time. The status currently is at best
> "information incomplete" until somebody has confirmed it otherwise.

I'm curious why you say that, Eddy. They do seem to have filled in the
information requested in the form fields we asked them to fill out.
Is the form still incomplete?
What other fields should we ask CAs to fill in?

https://bugzilla.mozilla.org/show_bug.cgi?id=435736

Eddy Nigg

unread,
Jul 20, 2008, 8:35:31 PM7/20/08
to
Nelson B Bolyard:

Well, until somebody confirms the bug to be "information complete" it
remains "information incomplete"... But an entry still could be added at
the "Pending" page with its current status (I think).

Nukeador

unread,
Jul 21, 2008, 2:33:00 AM7/21/08
to
Reading Frank's comment two months ago
(https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c4), I supposed
that the information was complete.

What more is needed? Please, comment it also in the bug to inform
Cristina from FNMT.

Regards.


Nukeador

unread,
Sep 9, 2008, 7:08:23 AM9/9/08
to
Hi again,

As I told Frank at the Summit, we should consider this bug as a high
priority marketing issue in Spain. We are not going to gain more market
share if the Spanish citizens are unable to view a government site or
buy train tickets with Firefox.

Whatever is needed to speed up the process, contact us and we will help.

Regards.
