This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Firmaprofesional’s request to replace its SHA1 root CA certificate with a SHA256 version of the Autoridad de Certificacion Firmaprofesional CIF A62634068 (https://crt.sh/?caid=430).
Mozilla is considering approving Firmaprofesional’s request to add the root as a trust anchor with the websites and email trust bits and EV enabled, as documented in Bugzilla bug #1102143. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
A Summary of Information Gathered and Verified appears here in the CCADB:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000053
This CA certificate for Autoridad de Certificacion Firmaprofesional CIF A62634068 is valid from 9/23/2014 to 5/5/2036. (The previous CA certificate is valid from 5/20/2009 to 12/31/2030.)
SHA2 Certificate Hash: 57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A
This new CA certificate is signed using sha256WithRSAEncryption, whereas the previous CA certificate was signed using sha1.
Root Certificate Download:
http://crl.firmaprofesional.com/caroot256.crt
CP/CPS: Effective June 28, 2021, the current CPS for Firmaprofesional is version 210628: https://www.firmaprofesional.com/wp-content/uploads/pdfs/FP_CPS-210628-EN-sFP.pdf
Repository location: https://www.firmaprofesional.com/certification-policies-and-practices/
Test Websites:
Valid - https://www.firmaprofesional.com
Valid EV - https://testsslev2021.firmaprofesional.com
Revoked - https://testrevokedsslev.firmaprofesional.com
Expired - https://testexpiredsslev.firmaprofesional.com
BR Self Assessment is located here: https://www.firmaprofesional.com/wp-content/uploads/pdfs/Firmaprofesional_BR_Self_Assessment-210519-EN.pdf
Audits: Annual audits are performed by AENOR. The most recent audits were completed for the period ending March 27, 2021, according to ETSI audit criteria. https://www.aenor.com/Certificacion_Documentos/eiDas/2021%20AENOR%20Anexo%20ETSI%20319%20411-1-2%20PSC-FIRMAPROFESIONAL.pdf
There were three findings in the audit report plus a list of six Bugzilla bugs for incidents open during the 2020-2021 audit period. They were as follows:
| Link to Bugzilla Bug | Matter description |
| | Firmaprofesional: Incorrect OCSP Delegated Responder Certificate |
| | Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU |
| | Firmaprofesional: 2020 Audit Report Finding 1 out of 4 (CPS did not adequately disclose how Firmaprofesional would provide CRLs under certain scenarios) |
| | Firmaprofesional: 2020 Audit Report Finding 2 out of 4 (contingency datacenter did not have same security measures as main datacenter) |
| | Firmaprofesional: 2020 Audit Report Finding 3 out of 4 (inadequate log-keeping) |
| | Firmaprofesional: 2020 Audit Report Finding 4 out of 4 (certificate issued with subject:organizationIdentifier field prior adoption by CABF of v. 1.7.0 of the EVGs) |
| | Firmaprofesional: 2021 Audit Report Finding 1 out of 3 (recordkeeping lacked formal assignment and acceptance of appointment to trusted role) |
| | Firmaprofesional: 2021 Audit Report Finding 2 out of 3 (trusted role of Validation Specialist inadequately defined) |
| | Firmaprofesional: 2021 Audit Report Finding 3 out of 3 (certificates did not include CABF CP OID) (related to https://bugzilla.mozilla.org/show_bug.cgi?id=1700145) |
Firmaprofesional has no open incidents at this time, and I have no further questions or concerns about this inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying using the subject heading above.
A representative of Firmaprofesional must promptly respond directly in the discussion thread to all questions that are posted.
Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about November 11, 2021.
Sincerely yours,
Ben Wilson
Mozilla Root Program
On October 20, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] for Firmaprofesional’s inclusion request. We have received no negative comments. There does not appear to be any action item for Firmaprofesional to complete in order to move this request forward. This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve the inclusion request [Step 10].
This begins a 7-day “last call” period (through Nov. 18, 2021) for any final objections.
Thanks,
Ben