Public Discussion of Firmaprofesional's Inclusion Request


Ben Wilson

Oct 20, 2021, 1:12:21 PM
to dev-secur...@mozilla.org

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Firmaprofesional’s request to replace its SHA1 root CA certificate with a SHA256 version of the Autoridad de Certificacion Firmaprofesional CIF A62634068 (https://crt.sh/?caid=430).

Mozilla is considering approving Firmaprofesional’s request to add the root as a trust anchor with the websites and email trust bits and EV enabled, as documented in Bugzilla bug #1102143. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

A Summary of Information Gathered and Verified appears here in the CCADB:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000053

This CA certificate for Autoridad de Certificacion Firmaprofesional CIF A62634068 is valid from 9/23/2014 to 5/5/2036. (The previous CA certificate is valid from 5/20/2009 to 12/31/2030.)

SHA2 Certificate Hash: 57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A

https://crt.sh/?id=12977067

This new CA certificate is signed using sha256WithRSAEncryption, whereas the previous CA certificate was signed using sha1.

Root Certificate Download:

http://crl.firmaprofesional.com/caroot256.crt


CP/CPS: Effective June 28, 2021, the current CPS for Firmaprofesional is version 210628: https://www.firmaprofesional.com/wp-content/uploads/pdfs/FP_CPS-210628-EN-sFP.pdf

Repository location: https://www.firmaprofesional.com/certification-policies-and-practices/

Test Websites:

Valid - https://www.firmaprofesional.com

Valid EV - https://testsslev2021.firmaprofesional.com

Revoked - https://testrevokedsslev.firmaprofesional.com

Expired - https://testexpiredsslev.firmaprofesional.com


BR Self Assessment is located here: https://www.firmaprofesional.com/wp-content/uploads/pdfs/Firmaprofesional_BR_Self_Assessment-210519-EN.pdf

Audits:  Annual audits are performed by AENOR. The most recent audits were completed for the period ending March 27, 2021, according to ETSI audit criteria. https://www.aenor.com/Certificacion_Documentos/eiDas/2021%20AENOR%20Anexo%20ETSI%20319%20411-1-2%20PSC-FIRMAPROFESIONAL.pdf

There were three findings in the audit report plus a list of six Bugzilla bugs for incidents open during the 2020-2021 audit period. They were as follows (link to Bugzilla bug, followed by matter description):

https://bugzilla.mozilla.org/show_bug.cgi?id=1649943 - Firmaprofesional: Incorrect OCSP Delegated Responder Certificate

https://bugzilla.mozilla.org/show_bug.cgi?id=1651637 - Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU

https://bugzilla.mozilla.org/show_bug.cgi?id=1649502 - Firmaprofesional: 2020 Audit Report Finding 1 out of 4 (CPS did not adequately disclose how Firmaprofesional would provide CRLs under certain scenarios)

https://bugzilla.mozilla.org/show_bug.cgi?id=1649679 - Firmaprofesional: 2020 Audit Report Finding 2 out of 4 (contingency datacenter did not have same security measures as main datacenter)

https://bugzilla.mozilla.org/show_bug.cgi?id=1649724 - Firmaprofesional: 2020 Audit Report Finding 3 out of 4 (inadequate log-keeping)

https://bugzilla.mozilla.org/show_bug.cgi?id=1649726 - Firmaprofesional: 2020 Audit Report Finding 4 out of 4 (certificate issued with subject:organizationIdentifier field prior to adoption by CABF of v. 1.7.0 of the EVGs)

https://bugzilla.mozilla.org/show_bug.cgi?id=1717790 - Firmaprofesional: 2021 Audit Report Finding 1 out of 3 (recordkeeping lacked formal assignment and acceptance of appointment to trusted role)

https://bugzilla.mozilla.org/show_bug.cgi?id=1717791 - Firmaprofesional: 2021 Audit Report Finding 2 out of 3 (trusted role of Validation Specialist inadequately defined)

https://bugzilla.mozilla.org/show_bug.cgi?id=1717795 - Firmaprofesional: 2021 Audit Report Finding 3 out of 3 (certificates did not include CABF CP OID) (related to https://bugzilla.mozilla.org/show_bug.cgi?id=1700145)


Firmaprofesional has no open incidents at this time, and I have no further questions or concerns about this inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying using the subject heading above.

A representative of Firmaprofesional must promptly respond directly in the discussion thread to all questions that are posted.

Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about November 11, 2021.

Sincerely yours,

Ben Wilson

Mozilla Root Program


Ben Wilson

Nov 11, 2021, 12:51:39 PM
to dev-secur...@mozilla.org

On October 20, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] for Firmaprofesional’s inclusion request. We have received no negative comments. There does not appear to be any action item for Firmaprofesional to complete in order to move this request forward. This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve the inclusion request [Step 10].

This begins a 7-day “last call” period (through Nov. 18, 2021) for any final objections.

Thanks,

Ben
