All,
This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Telia’s inclusion request for the Telia Root CA v2 (https://crt.sh/?id=1199641739).
Mozilla is considering approving Telia’s request to add the root as a trust anchor with the websites and email trust bits as documented in Bugzilla #1664161 and CCADB Case #660.
This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Summary
This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to 29-Nov-2043.
SHA2 Certificate Hash:
242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C
Root Certificate Downloads:
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem
CP/CPS: Effective October 14, 2021, the current CPS for the Telia Root CA v2 may be downloaded here: https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).
Repository location: https://cps.trust.telia.com/
Test Websites:
Valid - https://juolukka.cover.telia.fi:10603/
Revoked - https://juolukka.cover.telia.fi:10604/
Expired - https://juolukka.cover.telia.fi:10605/
BR Self Assessment (PDF) is located here: https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf
Audits: Annual audits are performed by KPMG. The most recent audits were completed for the period ending March 31, 2021, according to WebTrust audit criteria. The standard WebTrust audit (in accordance with v.2.2.1) contained no adverse findings. The WebTrust Baseline Requirements audit (in accordance with v.2.4.1) was qualified based on the fact that the Telia Root CA v1 certificate did not include subject:countryName. (The Telia Root CA v2 contains a subject:countryName of “FI”.)
Attachment B to the WebTrust Baseline Requirements audit report listed eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit period, which are now resolved as fixed. They were as follows (matter description for each Bugzilla bug):
1. Two CA certificates not listed in 2020 WebTrust audit report
2. Ambiguity on KeyUsage with ECC public key
3. One Telia certificate containing a stateOrProvinceName of “Some-State”
4. Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with Baseline Requirements
5. AIA CA Issuer field pointing to PEM-encoded certificate
6. Certificates with RSA keys where modulus is not divisible by 8
7. Subject field automatic check in CA system
8. Disallowed curve (P-521) in leaf certificate
Recent, open bugs/incidents are the following (matter description for each Bugzilla bug):
1. Issued three precertificates with non-NIST EC curve
2. Invalid email contact address was used for few domains
3. Delayed revocation of 5 EE certificates in connection to id=1736020
I have no further questions or concerns about this inclusion request, however I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Telia must promptly respond directly in the discussion thread to all questions that are posted.
Again, this email begins a three-week public discussion period, which I’m scheduling to close on December 22, 2021.
Sincerely yours,
Ben Wilson
Mozilla Root Program
Hi,
as Telia Company AB (Sweden) and Telia Oy (Finland) are two separate legal persons, it's not clear what is Telia?
Actually the same clarification needed for all other countries listed in the Bug.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: Ben Wilson <bwi...@mozilla.com>
Date: 12/1/21 17:16 (GMT+02:00)
Subject: Public Discussion: Inclusion of Telia Root CA v2
Hi Moudrick,
This division of Telia RA functionality to two internal affiliated teams is not now documented in our CP/CPS. I think many CA competitors like Entrust are also using several RA teams that are not documented. Should we document our RA practices from this angle?
SK ID Solutions is not counted as Telia affiliate because Telia ownership is only 50 %. Telia can’t control it now. Thus, it has its own processes and policies which are independent from Telia.
Br Pekka
From: Moudrick M. Dadashov <m...@ssc.lt>
Sent: tiistai 7. joulukuuta 2021 16.23
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Thank you, Pekka.
Is this RA policy described somewhere in Telia Finland Oyj CA documentation?
Hopefully this will help to understand the relationship between Telia Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK ID Solutions which is owned by Telia Company AB, Swedbank AB and SEB AB.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "Lahtiharju, Pekka" <pekka.la...@teliacompany.com>
Date: 12/7/21 16:03 (GMT+02:00)
To: "Moudrick M. Dadashov" <m...@ssc.lt>, Ben Wilson <bwi...@mozilla.com>
Cc: "Liimatainen, Mika A." <mika.lii...@teliacompany.com>, "Gholami, Ali" <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Moudrick,
Currently Telia CA has two RA teams: one in Telia Finland Oyj in Finland and another in Cygate AB in Sweden. Cygate AB is also a fully owned subsidiary of Telia Company AB. All validations from any country are done in these two teams, but today we have a policy that company validation is done only for companies where it or its main company is located in one of the Telia countries, meaning: FI, SE, NO, DK, EE, LT. These countries are divided between our RA teams. Telia Finland has responsibility for FI, EE, LT and internal Telia certificates. Cygate has responsibility for SE, NO, DK certificates. Telia Finland Oyj is the “owner” of RA functions and may start using other Telia affiliates for RA purposes later if business in some country grows significantly. Telia Finland Oyj is also responsible for the TLS certificate process. Telia CA won’t use any external parties for TLS validation. This means that your example certificate from “Telia Company AB” is validated by Telia Finland Oyj. Note! DV certificates are enrolled without any country or company validation.
Telia also enrolls some signature certificates for Swedish citizens. These client certificates are outside of Mozilla scope based on their EKU. There, user identification is outsourced to a third party called Formpipe AB (https://www.formpipe.com/). They use the Swedish national citizen authentication called BankID to authenticate users. This functionality is included in our basic WebTrust audit under the special subCA “Telia Class 3 CA”. Formpipe is the only external delegated RA party Telia CA is using.
Br Pekka
From: Moudrick M. Dadashov <m...@ssc.lt>
Sent: tiistai 7. joulukuuta 2021 15.18
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Pekka,
Thanks for clarification.
As noted earlier, my question is about distribution/delegation of CA functions among all "part of Telia Company AB". Specifically, I'd like to understand delegated RA functions (if any).
Just take an example of issuing a TLS certificate for Telia Company AB.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "Lahtiharju, Pekka" <pekka.la...@teliacompany.com>
Date: 12/7/21 14:48 (GMT+02:00)
To: Ben Wilson <bwi...@mozilla.com>
Cc: "Liimatainen, Mika A." <mika.lii...@teliacompany.com>, "Gholami, Ali" <ali.g...@teliacompany.com>, m...@ssc.lt
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Ben,
Here is the full evidence from our legal department related to Telia Company’s right to use trade mark “Telia”. Telia Finland Oyj is a fully owned subsidiary of Telia Company AB and has a license to use trademark TELIA in business in Finland. List of other valid countries is in the attachment.
Br Pekka
From: Lahtiharju, Pekka
Sent: tiistai 7. joulukuuta 2021 10.59
To: Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>;
m...@ssc.lt
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Ben,
I have the main responsibility of this discussion so you should add posting privileges to me. Before that I answer using this email.
Telia Group is a huge European company group consisting of about one hundred affiliates in several countries. The main company is “Telia Company AB” in Sweden. Telia Finland Oyj is its Finnish affiliate that is responsible for publicly trusted CA services for the whole company group. Telia Finland Oyj is using some other affiliates like Swedish “Cygate AB” when implementing CA services. Many affiliates resell Telia’s CA services. We have used both company names “Telia Company AB” and “Telia Finland Oyj” in this application.
The common name under the Telia company group is “Telia”, which is the trade mark used in all Telia countries by most Telia affiliates. The “Telia” trade mark is protected on European Union level using mechanisms of the “European Union Intellectual Property Office”. It is also protected in all Telia countries using local rules in each country. The link to describe the European Union level trade mark protection system is Trade marks (europa.eu). For these reasons we use the name “Telia CA” in most contexts where the public can see our CA services. E.g. we want to use CN value “Telia Root CA v2” so that it is clearly linked to the Telia Company group in all Telia countries. Generally the public is not aware of the company names of the Telia group or how they own each other, but the public usually knows our well-known trade mark “Telia” at least in our primary target countries.
Br
Pekka
From: Ben Wilson <bwi...@mozilla.com>
Sent: maanantai 6. joulukuuta 2021 20.13
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: Re: Public Discussion: Inclusion of Telia Root CA v2
Also, let me know who will be responding so that I can make sure they have posting privileges to the list.
On Mon, Dec 6, 2021 at 11:08 AM Ben Wilson <bwi...@mozilla.com> wrote:
Please respond to Moudrick on MDSP list and clarify - thanks!
My CCADB records say "Telia Finland Oyj, part of Telia Company AB"
1) How/if Telia Company AB (Sweden) is involved in Telia Finland Oyj’s CA/RA operations?
The main company “Telia Company AB” is the owner of the other Telia organizations (aka companies aka subsidiaries aka affiliates). Telia Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company group, each subsidiary is responsible for running the operations. Telia Finland Oyj is the legal entity running Telia CA operations. Telia employees from many Telia companies may belong to group functions that create systems for the whole Telia group. E.g. Telia CA is a group function so that persons in virtual Telia CA team come from many Telia affiliates and thus from many countries. Complex but big enterprises may work like this. To simplify a bit you can say that Telia Finland is running Telia CA using resources from many Telia affiliates. And all is owned by Telia Company AB. All Telia CA employees belong legally to one of the Telia affiliates.
2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
Telia CA Policy Management team is also a Telia group function like described above. Currently it has members from “Telia Finland Oyj” and “Cygate AB”.
3) what is "affiliate" in terms of specific CA/RA functions?
We use affiliate like BR defines it: “Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity.” Resources to run CA/RA come from several Telia affiliates but CA belongs legally to Telia Finland Oyj. One RA belongs to and is run by Telia Finland Oyj and the other belongs to Cygate AB.
Thank you, Pekka
At least the audit reports in the Repository require a password. Please advise.
Hi Moudrick,
It would be worthwhile to try another PDF viewer, as I am successfully able to view the WebTrust report PDFs in Telia’s Repository using Firefox’s built-in PDF viewer without having to input any passwords.
Thanks,
Corey
On December 1, 2021, we began a three-week public discussion[1] on a request from “Telia” for inclusion of its root certificate, the Telia Root CA v2.[2] (Step 4 of the Mozilla Root Store CA Application Process[3]). Telia seeks enablement of both the websites and the email trust bits.
Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:
Moudrick Dadashov inquired about the relationship among the “Telia” entities, noting that Telia Company AB (Sweden) and Telia Oy (Finland) are two separate legal persons, and that the announcement of the public discussion did not clarify which one was operating the CA that is the subject of the inclusion request. I noted that the CCADB record reflected “Telia Finland Oyj, part of Telia Company AB” as the applicant.
Pekka Lahtiharju, a representative of the Telia companies, responded that “Telia” is a trademark recognized in the EU, but that “Telia Company AB” in Sweden was the main company, while Telia Finland Oyj was its Finnish affiliate responsible for publicly trusted CA services for the whole company group, and that Telia Finland Oyj was also using Swedish Cygate AB to perform CA and Registration Authority (RA) services for server certificates, and that for signature certificates under the “Telia Class 3 CA” subordinate CA, Formpipe AB would serve as an external RA. (According to the CCADB, that subordinate CA has EKUs of 1.2.840.113583.1.1.5 and 1.3.6.1.4.1.311.10.3.12 and a derived trust bit of “Document Signing.”)
Additional follow-up questions were about the RA relationships among Telia Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK ID Solutions (owned by Telia Company AB, Swedbank AB and SEB AB), and Telia Lithuania (legal name Telia Lietuva AB).
Pekka responded that he couldn’t speak to SK ID Solutions because they were a separate company, and that Telia Lietuva AB was a Telia affiliate, but not an RA. He also responded that “[the] Swedish RA may not be directly mentioned in CPS but none of our competitors is listing all their RA teams either. All our CA/RA employees are internal Telia persons. Telia Company AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj and thus indirectly owner of Telia CA. Audit reports show how all our CA/RA processes in all locations have passed audits with only minor deviations. Auditors also verify all locations and roles of all trusted persons.”
Pekka also stated that all of the relevant public documentation was available for review at https://cps.trust.telia.com.
We did not receive any other objections or other questions or comments in opposition to Telia’s request.
There still remain the three, previously-mentioned, open incidents/bugs in Bugzilla. However, I do not believe that these, or the issues mentioned above, merit a delay in Mozilla’s approval decision.
Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:
This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve Telia’s request (Step 10).
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/52Gfr4dnJD8/m/yn5fpfnACQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1664161
[3] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
If approved, this request will create a precedent of ”do like Telia” - a practice that is widely used by Telia Company AB and its affiliates in the trust services markets under eIDAS. That’s how the recent eIDAS & GDPR misimplementation chaos started.
I suggest this request be approved after the conversion of corporate relationships into clearly identified, disclosed and audited specific PKI participant roles.
1.1.1 instance means a data object that Telia's affiliates - SK ID Solutions (formerly AS Sertifitseerimeskeskus) together with its RA - Omnitel (legal name - AB Telia Lietuva) have been issuing to the public as "qualified certificate" (QS).
1.1.2 something means "Qualified certificate" - a complex data structure that was initially defined in directive 1999/93/EC. For clarity, the QS in 1.1.1 (which is incompatible with the directive) is called surrogate QS.
1.1.3 Worth mentioning also evaluation of legality of surrogate QS by:
a) the Data Protection Authority (legal name Valstybinė duomenų apsaugos inspekcija - VDAI) ordered Omnitel to stop issuing surrogate QSs. This order is still ignored (how and why can be discussed separately);
b) the Supreme administrative court which ruled that surrogate QS violates the Data protection law (an implementation of directive 95/46/EC, now regulation 2016/679 - GDPR). This is also ignored (how and why can be discussed separately).
See case translation here: https://journals.sas.ac.uk/deeslr/article/download/2142/2072/
1.2.2 eIDAS has at least three directly applicable mechanisms to prevent issuing surrogate QCs, but none of them worked as expected (disorder):
a) TSP audit by CAB - surrogate QCs were accepted;
b) TSP "qualified service" assessment by the Supervisory body - surrogate QCs were accepted;
c) Trust list management by the Scheme operator under the Commission implementing decision 2015/1505 - surrogate QCs were accepted.
2. RE "This sounds like you're specifically referring to actions taken by Telia Company AB"
Correct. Telia Company AB is the driving force of an ”organized group”, where
a) The Swedish government creates "favorable conditions" in the countries of Telia Company AB's business operation (at least easy access to local governments is guaranteed);
b) The Telia Company AB management partners with local governments so that the doors of relevant institutions (agencies) are open to its local affiliate (remember "What's good for General Motors is good for the country"?)
c) The Telia Company AB affiliate develops a "special relationship" with the institutions so that at least supervision of its business is completely "switched off"; this includes lobbying any desired legislation (surrogate QC is "locally legitimized" despite competing with other national laws and EU directives and regulations).
I must apologize for this schematic/simplified response covering 20+ years of Telia Company AB's business practices in the Baltics.
If you google "Telia + corruption", almost all information will be about Telia Company AB's (formerly TeliaSonera AB) "achievements" in telecom markets, this is partly because of:
Please let me know if you need more info or have any questions - the information above is backed by publicly accessible evidence material from official sources.
Thanks, Ryan
I'm afraid we are taking the wrong direction. :)
As I responded to Pekka today, the email you are commenting on below is my answer to your questions about my comments re: eIDAS & GDPR chaos. If you are still interested, we can continue this discussion separately.
To keep the root inclusion process in order, I'd suggest replying to my last email today.
The audit report
You explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand." The problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).
If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:
"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
So, we have two different audit scenarios here:
a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB - need to be audited according to their roles.
b) in case Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB - need to be audited according to their roles.
Again, this has nothing to do with ownership relationship.
For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.4, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.
Is that correct?
Audit scope
Sorry, I can't accept your arguments, see The audit report above.
You asked if my comment was about Delegated Third Parties - sorry, no, I had in mind the CA [1] and its RAs [] as defined in BRs.
Audit scope
"If my above understanding is correct, then I’m not fully sure your argument here is correct. It’s certainly true that the RAs, which are DTPs, need to be audited, but that doesn’t necessarily propagate to the scope of the parent."
My comment was about Pekka's argument, which is quite typical of Telia Company AB and its affiliates, that their corporate ownership relationship is directly applicable to the CA operations. I believe this is fundamentally wrong.
The CA has a single audit report and I’m OK with that, but, as I quoted earlier, the audit report says:
"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
While this is quite typical for Telia Company AB’s eIDAS related practices, I’m very concerned it's happening here.
Hi Dimitris,
I wonder why Telia should provide an audit report to Mozilla about the only external RA Telia CA is using when this external RA is using a subCA that is out of scope of Mozilla based on its EKU values. This external RA is producing only client certificates for signature purposes.
Both provided audit reports, WTCA and WTBR, state that they cover Telia CA operations in Finland and Sweden, and only the WTCA report has a remark about the External RA in this format (the WTBR report doesn't have this):
"Telia makes use of external registration authorities for subscriber registration activities as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
This text above refers to Telia Client CPS that has disclosed that the only case in addition to Enterprise RA when Telia is using External RA is related to Telia Class 3 client certificates and all SMIME related validation is done only by Telia CA itself. E.g. Client CPS 1.3.2: "Telia CA employs two RAs: Internal RA and External RA. Telia will not delegate domain validation to be performed by a third-party. The CA itself verifies email domain ownership or verifies that End-entity controls the email account." Chapter 1.3.2.2 defines Telia's only External RA to be restricted only to Class 3 certificates outside of Mozilla context. Note also that Server CPS states clearly that within TLS validation no External RAs are used: 1.3.2: "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party."
All,
Over the past few weeks, we have discussed here Telia Finland Oyj’s request in more depth. The discussion has mainly focused on Telia Finland Oyj’s parent company, Telia Company AB, and whether any unaffiliated third-party entities might be involved in providing RA services.
As Moudrick Dadashov rightly noted, the management assertion that accompanied the WebTrust audit report stated, “Telia Company AB (Telia) operates the Certificate Authority (CA) services as listed in Appendix A, and provides the following services: Subscriber registration, Certificate renewal, Certificate rekey, Certificate issuance, Certificate distribution, Certificate revocation, Certificate validation, Subscriber key generation and management. The management of Telia is responsible for establishing and maintaining effective control over its CA operations….”
KPMG’s audit report likewise addressed Telia Company AB management and stated, “Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities.”
Telia has stated that its CA resources were clearly identified by the auditors as located in Finland and Sweden and that the full CA organization and system had been audited annually in both countries and in both companies. Auditors received details on the persons involved with the Telia CA and the “audit has been focused on those persons and their legal entities and how they implement Telia CA.” It also responded that the audit scope in the audit reports included the legal entity Telia Company AB, because it was the main company, but also included affiliated legal entities practically participating in the Telia CA processes.
Moudrick has made the point that the two organizations (Telia Company AB and Telia Finland Oyj) are separate legal entities. He said it was unclear which legal entity was the CA. He has argued that some of the materials provided (e.g. the audit documents) were on behalf of Telia Company AB, while the applicant is Telia Finland Oyj, and that these are two different, independent entities. He argued that "legal ownership" has nothing to do with the CA operations -- that Telia Company AB only controls shares of another legal entity (Telia Finland Oyj), which has nothing to do with CA operations. Moudrick has argued that the audit reports should have been issued to Telia Finland Oyj, which should be the only ‘main company’, but that “[a]ccording to the audit report … Telia Company AB is the CA.”
Representatives from Telia have stated clearly and consistently that the applicant and CA operator is Telia Finland Oyj. The CA certificate identifies “Telia Finland Oyj” as the Organization. Section 1.3.1 of the CP/CPS for Telia Server Certificates (v.4.4) states, "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)." To avoid future confusion, Telia has offered to “ask [its] auditors to add all three company names in the future audit reports if it makes audit results clearer.” I’d ask Telia to also improve its CP/CPS to provide more detail on the involvement of Telia Company AB in the management of the CA and any other subsidiaries’ provision of operational services.
Wikipedia and other information sources provide some information on the organizational and financial relationships among Telia Company AB and its subsidiaries, but not enough information is available on management structure and operations of the conglomerate. KPMG, in addressing its opinion to the management of Telia Company AB, implied that it had determined that Telia Company AB had some degree of control over CA operations. This is where the CP/CPS could be improved.
As noted by Ryan Sleevi, Peter Bowen, and Dimitris Zacharopoulos, PKI participant roles need to be adequately disclosed and any Delegated Third Party RAs need to be disclosed and audited. There is a need for greater transparency and specificity. Ryan and Peter both felt that more explanation was needed concerning RA functions -- “it would be helpful to clarify what functions any external RA does for any certificate that falls within the Mozilla policy.” Dimitris also stated that “it needs to be clearly (and explicitly?) stated that this external RA does not perform RA functions related to Certificates for TLS and email.” Pekka Lahtiharju from Telia responded that Telia hasn't used any third party RAs except in the mentioned client certificate cases -- that the external RA does not perform RA functions related to Certificates for TLS and email.
Basically, Moudrick has also asked for greater transparency and specificity, which is in line with what Mozilla wants. Moudrick also cited MRSP section 8, that “trust is not transferrable”. Without getting into an interpretation of what that means for CAs operated by conglomerates, I agree with these points - it is important to know who is responsible, and I agree with Moudrick’s position that “If the CA operations rely on other party's (e.g. owner's, affiliate's etc.) material or human resources, you need to disclose those shared resources.” Peter Bowen noted, “If Mozilla wants to have all the legal entities involved listed in the audit report, that is something that should be included in the Mozilla policy.” As a result of this, I have filed an issue in Github for these issues to be explored and worked on further in the future development of the Mozilla Root Store Policy. See https://github.com/mozilla/pkipolicy/issues/237
Based on all of the discussions back and forth, it appears that there is some common management under the umbrella of Telia Company AB, but that is no reason to withhold the approval of the inclusion of the root CA operated by Telia Finland Oyj, which has ownership and control of the CA certificate and keys. I believe the question of whether unaffiliated third-party entities might be involved in providing RA services has been adequately answered. I urge Telia to add more detail, relative to these public discussions, the next time it updates its CP/CPS.
Thus, I'm going to ask Kathleen to proceed and approve the request to include the Telia Root CA v2 in the Mozilla/NSS root store.
Thanks,
Ben
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ed9f3f6b-ada4-439a-8ce1-d650297d1953n%40mozilla.org.