Public Discussion of Asseco's Root Inclusion Request


Ben Wilson

Apr 7, 2021, 3:50:08 PM
to dev-secur...@mozilla.org
Reposting to this dev-security-policy list.

---------- Forwarded message ---------
From: Ben Wilson <bwi...@mozilla.com>
Date: Mon, Mar 22, 2021 at 10:35 PM
Subject: Public Discussion of Asseco's Root Inclusion Request
To: mozilla-dev-security-policy <mozilla-dev-s...@lists.mozilla.org>


Dear All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the Certum Trusted Root CA and the Certum EC-384 CA.  See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9).

These two (2) new root CA certificates were created in 2018 and are valid until 2043. They are proposed for inclusion with the email trust bit, the websites bit, and EV enabled.

The root CAs are run by an existing CA operator in the Mozilla Root Program - Asseco Data Services (“Asseco”), part of the Asseco Group.

Asseco's CA inclusion application has been tracked in the CCADB and in Bugzilla:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000519

https://bugzilla.mozilla.org/show_bug.cgi?id=1598577

Mozilla is considering approving Asseco’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Root Certificate Information:

Certum Trusted Root CA

    crt.sh – https://crt.sh/?q=FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD
             https://crt.sh/?id=2224039330

    Download – http://repository.certum.pl/ctrca.pem

Certum EC-384 CA

    crt.sh – https://crt.sh/?q=6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6
             https://crt.sh/?id=2224044393

    Download – https://repository.certum.pl/cec384ca.pem


CP/CPS:   

Current CP is Version 4.5, dated 19-Feb-2020.

https://files.certum.eu/documents/repsitory/2-cert-policy/CCP-DK02-ZK01-CP-Cert-Serv-4.5.pdf

Current CPS is Version 6.9, dated 21-December-2020.

https://files.certum.eu/documents/repsitory/3-cert-pract-state/CCP-DK02-ZK02-CPS-Cert-6.9.pdf

My review comments to CPS version 6.9 can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1598577#c14.


Document repository location(s):   

https://www.certum.eu/en/repository/

https://www.certum.pl/pl/repozytorium/


Asseco's BR Self-Assessment (PDF) is located here: 

https://bugzilla.mozilla.org/attachment.cgi?id=9111193


Audits: 

Asseco received favorable WebTrust audits (Standard, Baseline, and EV) from Ernst & Young sp. z o.o. (E&Y).  These were issued on May 18, 2020.  Asseco’s most recently ended audit period ended on February 10, 2021, and Asseco expects to receive audit letters for that audit period sometime in April 2021. 

Incidents:

For your review, past incidents filed between 2018 and 2020, now closed, involving Asseco include the following:

1433118 – Certificate with compromised private key not revoked
1435770 – Non-BR-Compliant Issuance - Debian Weak Keys
1451228 – EV certificate mis-issue
1495518 – Unallowed key usage for EC public key (Key Encipherment)
1511459 – Corrupted certificates
1518560 – Use of forbidden subjectPublicKeyInfo algorithm
1524195 – Invalid dnsNames
1550575 – commonName not from subjectAltName entries
1566586 – Overdue Audit Statements 2019
1567062 – Inconsistent disclosure of externally-operated intermediate
1598277 – CA certificates not listed in audit report
1600158 – Failure to revoke intermediate certificates within the BR time period
1600301 – EV Certificates issued with wrong Business Category
1611458 – Invalid value in SAN dNSName
1639502 – Incorrect OCSP response encoding
1667684 – Failure to provide a preliminary report within 24 hours
1667986 – Invalid stateOrProvinceName field
1668523 – Failure to revoke within 5 days


Test Results:

These CAs, and their associated test certificates, were checked for revocation processing, misissuances, and EV compatibility, and they passed those tests.


Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about Wednesday, 14-April-2021.


A representative of Asseco must promptly respond directly in the discussion thread to all questions that are posted.


Sincerely yours,

Ben Wilson

Mozilla Root Program
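The crt.sh links in the announcement identify each root by the SHA-256 hash of its DER encoding (the value after `?q=`), and the repository links give the PEM files. A relying party or auditor who downloads those PEM files should confirm they hash to the announced values before trusting or pinning them. The following script is an added example for that check; it is not part of the thread or of Asseco's or Mozilla's tooling. It assumes the PEM files have already been downloaded from the repository URLs above, and for offline use it embeds a constructed, clearly fake "certificate" whose body is just base64("abc").

```python
"""Verify a downloaded root CA PEM against the SHA-256 fingerprint announced
in the inclusion thread. Added example; not part of the mailing-list thread."""
import base64
import hashlib
import hmac
import re
import sys

# Fingerprints copied from the announcement above. The value in each
# crt.sh ?q= link is the SHA-256 hash of the certificate's DER encoding.
ANNOUNCED_FINGERPRINTS = {
    "Certum Trusted Root CA": "FE7696573855773E37A95E7AD4D9CC96C30157C15D31765BA9B15704E1AE78FD",
    "Certum EC-384 CA": "6B328085625318AA50D173C98D8BDA09D57E27413D114CF787A0F5D06C030CF6",
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:...' (openssl -fingerprint style) or bare hex, and return
    64 uppercase hex digits with no separators, as crt.sh uses them."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if re.fullmatch(r"[0-9A-F]{64}", cleaned) is None:
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def pem_to_der(pem_text: str) -> bytes:
    """Extract exactly one certificate from PEM text and return its DER bytes.
    Zero or several CERTIFICATE blocks are rejected so that a bundle is never
    silently hashed as if it were the root alone."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop line breaks inside the base64 body
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, uppercase hex (the crt.sh ?q= form)."""
    return hashlib.sha256(der).hexdigest().upper()


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True when the certificate in pem_text hashes to the expected fingerprint."""
    actual = sha256_fingerprint(pem_to_der(pem_text))
    # Constant-time comparison; cheap here and a good habit for any digest check.
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


def check_downloaded_root(name: str, pem_text: str) -> bool:
    """Compare a downloaded root (e.g. the contents of ctrca.pem) with the
    fingerprint announced for that root name."""
    return fingerprint_matches(pem_text, ANNOUNCED_FINGERPRINTS[name])


# Constructed sample so the script runs offline: the "certificate" body is
# base64("abc"), so its fingerprint is the well-known SHA-256 test vector for
# "abc". It is NOT a real certificate and will not match any announced value.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
CONSTRUCTED_FINGERPRINT = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


if __name__ == "__main__":
    # Usage: python check_root.py "Certum Trusted Root CA" ctrca.pem
    if len(sys.argv) == 3:
        with open(sys.argv[2], "r", encoding="ascii") as fh:
            ok = check_downloaded_root(sys.argv[1], fh.read())
        print("MATCH" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    # No arguments: exercise the constructed sample.
    print(fingerprint_matches(CONSTRUCTED_PEM, CONSTRUCTED_FINGERPRINT))
```

The same value can be produced on the command line with `openssl x509 -in ctrca.pem -noout -fingerprint -sha256`; openssl prints it colon-separated, which is why `normalize_fingerprint` strips colons before comparing. Checking the hash of the downloaded file against the announced crt.sh value guards against a tampered or mislabelled download, but it says nothing about whether the root belongs in a trust store; that is what the discussion period and audits above are for.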

Ben Wilson

Apr 15, 2021, 3:57:23 PM
to dev-secur...@mozilla.org

Hi All,

On March 22, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] on Asseco’s request to include the Certum Trusted Root CA (RSA) and the Certum EC-384 CA (ECC) in the root store. See https://groups.google.com/g/mozilla.dev.security.policy/c/_A7OX4Tz65k/m/S0CWpqMPAwAJ (reposted here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/1VjzYhp_ykc/m/w6i22HTVBQAJ).  The 3-week comment period has now passed, and I do not believe there are any issues to summarize or open action items for Asseco to complete.

This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve Asseco’s request for inclusion [Step 10].  

This begins a 7-day “last call” period (through April 22, 2021) for any final objections.

Thanks,

Ben
