Public Discussion: Inclusion of Telia Root CA v2
Ben Wilson
All,
This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Telia’s inclusion request for the Telia Root CA v2 (https://crt.sh/?id=1199641739).
Mozilla is considering approving Telia’s request to add the
root as a trust anchor with the websites and email trust bits as documented in Bugzilla #1664161
and CCADB
Case #660.
This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Summary
This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to 29-Nov-2043.
SHA2 Certificate Hash:
242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C
Root Certificate Downloads:
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem
CP/CPS: Effective October 14,
2021, the current CPS for the Telia Root CA v2 may be downloaded here:
https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).
Repository location: https://cps.trust.telia.com/
Test Websites:
Valid - https://juolukka.cover.telia.fi:10603/
Revoked - https://juolukka.cover.telia.fi:10604/
Expired - https://juolukka.cover.telia.fi:10605/
BR Self Assessment (PDF) is located here: https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf
Audits: Annual audits are performed by KPMG. The most recent audits were completed for the period ending March 31, 2021, according to WebTrust audit criteria. The standard WebTrust audit (in accordance with v.2.2.1) contained no adverse findings. The WebTrust Baseline Requirements audit (in accordance with v.2.4.1) was qualified based on the fact that the Telia Root CA v1 certificate did not include subject:countryName. (The Telia Root CA v2 contains a subject:countryName of “FI”.)
Attachment B to the WebTrust Baseline Requirements audit report listed eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit period, which are now resolved as fixed. They were as follows:
|
Link to Bugzilla Bug |
Matter description |
|
Two CA certificates not listed in 2020 WebTrust audit report |
|
|
Ambiguity on KeyUsage with ECC public key |
|
|
One Telia certificate containing a stateOrProvinceName of “Some-State” |
|
|
Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with Baseline Requirements |
|
|
AIA CA Issuer field pointing to PEM-encoded certificate |
|
|
Certificates with RSA keys where modulus is not divisible by 8 |
|
|
Subject field automatic check in CA system |
|
|
Disallowed curve (P-521) in leaf certificate |
Recent, open bugs/incidents are the following:
|
Link to Bugzilla Bug |
Matter description |
|
Issued three precertificates with non-NIST EC curve |
|
|
Invalid email contact address was used for few domains |
|
|
Delayed revocation of 5 EE certificates in connection to id=1736020 |
I have no further questions or concerns about this inclusion request, however I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Telia must promptly respond directly in the discussion thread to all questions that are posted.
Again, this email begins a three-week public discussion period, which I’m scheduling to close on December 22, 2021.
Sincerely yours,
Ben Wilson
Mozilla Root Program
md
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZj87QS3jL7R_32JEnfPZeU4hBNBJ%2BGHWU_pUdqF%3Dbbg%40mail.gmail.com.
Ben Wilson
Hi,as Telia Company AB (Sweden) and Telia Oy (Finland) are two separate legal persons, its not clear what is Telia?Actually the same clarification needed for all other countries listed in the Bug.Thanks,M.D.Sent from my Galaxy-------- Original message --------From: Ben Wilson <bwi...@mozilla.com>Date: 12/1/21 17:16 (GMT+02:00)Subject: Public Discussion: Inclusion of Telia Root CA v2
--
md
Ben Wilson
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/61ae97d0.1c69fb81.1a5c0.698fSMTPIN_ADDED_MISSING%40mx.google.com.
Moudrick M. Dadashov
Hi Moudrick,
This division of Telia RA functionality to two internal affiliated teams is not now documented into our CP/CPS. I think many CA competitors like Entrust are also using several RA teams that are not documented. Should we document our RA practices from this angle?
SK ID Solutions is not counted as Telia affiliate because Telia ownership is only 50 %. Telia can’t control it now. Thus, it has its own processes and policies which are independent from Telia.
Br Pekka
From: Moudrick M. Dadashov <m...@ssc.lt>
Sent: tiistai 7. joulukuuta 2021 16.23
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Thank you, Pekka.
Is this RA policy described somewhere in Telia Finland Oyj CA documentation?
Hopefully this will help to understand the relationship between Telia Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK ID Solutions which is owned by Telia Company AB, Swedbank AB and SEB AB.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "Lahtiharju, Pekka" <pekka.la...@teliacompany.com>
Date: 12/7/21 16:03 (GMT+02:00)
To: "Moudrick M. Dadashov" <m...@ssc.lt>, Ben Wilson <bwi...@mozilla.com>
Cc: "Liimatainen, Mika A." <mika.lii...@teliacompany.com>, "Gholami, Ali" <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Moudrick,
Currently Telia CA has two RA teams: one in Telia Finland Oyj in Finland and another in Cygate AB in Sweden. Cygate AB is also fully owned subsidiary of Telia Company AB. All validations from any country are done in these two teams but today we have a policy that company validation is done only to companies where it or its main company is located in one of the Telia countries meaning: FI, SE, NO, DK, EE, LT. These countries are divided to the our RA teams. Telia Finland has responsibility of FI, EE, LT and internal Telia certificates. Cygate has responsibility of SE, NO, DK certificates. Telia Finland Oyj is the “owner” of RA functions and may start using later other Telia affiliates for RA purposes if business in some country grows significantly. Telia Finland Oyj is also responsible of the TLS certificate process. Telia CA won’t use any external parties for TLS validation. This means that your example certificate from “Telia Company AB” is validated by Telia Finland Oyj. Note! DV certificates are enrolled without any country or company validation.
Telia also enroll some signature certificates for Swedish Citizens. These client certificates are outside of Mozilla scope based on their EKU. There user identification is outsourced to a third party called Formpipe AB (https://www.formpipe.com/). They use Swedish national citizen authentication called BankID to authenticate users. This functionality is included into our basic Webtrust audit under special subCA “Telia Class 3 CA”. Formpipe is the only external delegated RA party Telia CA is using.
Br Pekka
From: Moudrick M. Dadashov <m...@ssc.lt>
Sent: tiistai 7. joulukuuta 2021 15.18
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Pekka,
Thanks for clarification.
As noted earlier, my question is about distribution/delegation of CA functions among all "part of Telia Company AB". Specifically, I'd like to understand delegated RA functions (if any).
Just take an example of issuing an TSL certificate for Telia Company AB.
Thanks,
M.D.
Sent from my Galaxy
-------- Original message --------
From: "Lahtiharju, Pekka" <pekka.la...@teliacompany.com>
Date: 12/7/21 14:48 (GMT+02:00)
To: Ben Wilson <bwi...@mozilla.com>
Cc: "Liimatainen, Mika A." <mika.lii...@teliacompany.com>, "Gholami, Ali" <ali.g...@teliacompany.com>, m...@ssc.lt
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Ben,
Here is the full evidence from our legal department related to Telia Company’s right to use trade mark “Telia”. Telia Finland Oyj is a fully owned subsidiary of Telia Company AB and has a license to use trademark TELIA in business in Finland. List of other valid countries is in the attachment.
Br Pekka
From: Lahtiharju, Pekka
Sent: tiistai 7. joulukuuta 2021 10.59
To: Ben Wilson <bwi...@mozilla.com>
Cc: Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>;
m...@ssc.lt
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Ben,
I have the main responsibility of this discussion so you should add posting privileges to me. Before that I answer using this email.
Telia Group is a huge European company group consisting of about one hundred affiliates in several countries. The main company is “Telia Company AB” in Sweden. Telia Finland Oyj is its Finnish affiliate that is responsible of publicly trusted CA services for the whole company group. Telia Finland Oyj is using some other affiliates like Swedish “Cygate AB” when implementing CA services. Many affiliates resell Telia’s CA services. We have used both company names “Telia Company AB” and “Telia Finland Oyj” in this application.
The common name under Telia company group is “Telia” that is trade mark used in all Telia countries by most Telia affiliates. “Telia” trade mark is protected on European Union level using mechanisms of “European Union Intellectual Property Office”. It is also protected in all Telia countries using local rules in each country. The link to describe European Union level trade mark protection system is Trade marks (europa.eu). For these reasons we use name “Telia CA” in most contexts where public can see our CA services. E.g. we want to use CN value “Telia Root CA v2” so that it is clearly linked to Telia Company group in all Telia countries. Generally public is not aware of company names of Telia group or how they own each others, but public usually know our well-known trade mark “Telia” at least in our primary target countries.
Br
Pekka
From: Ben Wilson <bwi...@mozilla.com>
Sent: maanantai 6. joulukuuta 2021 20.13
To: Lahtiharju, Pekka <pekka.la...@teliacompany.com>; Liimatainen, Mika A. <mika.lii...@teliacompany.com>; Gholami, Ali <ali.g...@teliacompany.com>
Subject: Re: Public Discussion: Inclusion of Telia Root CA v2
Also, let me know who will be responding so that I can make sure they have posting privileges to the list.
On Mon, Dec 6, 2021 at 11:08 AM Ben Wilson <bwi...@mozilla.com> wrote:
Please respond to Moudrick on MDSP list and clarify - thanks!
My CCADB records say "Telia Finland Oyj, part of Telia Company AB"
This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing,
distributing or retaining copies thereof or disclosing its contents to any other person.
Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s
Privacy Policy.
Moudrick M. Dadashov
pekka.la...@teliacompany.com
1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s CA/RA operations?
The main company “Telia Company AB” is the owner of the other Telia organizations (aka companies aka subsidiaries aka affiliates). Telia Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company group, each subsidiary is responsible for running the operations. Telia Finland Oyj is the legal entity running Telia CA operations. Telia employees from many Telia companies may belong to group functions that create systems for the whole Telia group. E.g. Telia CA is a group function so that persons in virtual Telia CA team come from many Telia affiliates and thus from many countries. Complex but big enterprises may work like this. To simplify a bit you can say that Telia Finland is running Telia CA using resources from many Telia affiliates. And all is owned by Telia Company AB. All Telia CA employees belong legally to one of the Telia affiliates.
2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
Telia CA Policy Management team is also a Telia group function like described above. Currently it has members from “Telia Finland Oyj” and “Cygate AB”.
3) what is "affiliate" in terms of specific CA/RA functions?
We use affiliate like BR defines it: “Affiliate: A
corporation, partnership, joint venture or other entity controlling, controlled
by, or under common control with another entity, or an agency, department,
political subdivision, or any entity operating under the direct control of a
Government Entity.” Resources to run CA/RA come from several Telia affiliates
but CA belongs legally to Telia Finland Oyj. One RA belongs to and is run by
Telia Finland Oyj and the other belongs to Cygate AB.
m.m.dadashov
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
pekka.la...@teliacompany.com
I don't understand your statements above that we are not real or not disclosed our locations or audit criteria. Telia CA is a real CA under Telia Finland Oyj which is affiliate company of Telia Company AB. This is clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)." Also our annual Webtrust audits clearly states that both countries have been in the audit scope. E.g. the last Webtrust report is using this wording: "... in providing its SSL and non-SSL Certification Authority (CA) services in Finland and Sweden, throughout the period 1 April 2020 to 31 March 2021, Telia has: -disclosed its SSL ...". The Full Webtrust audit reports are available at links below. Auditors have every year visited physically both countries since 2005 to verify our all our operations. Also audit criteria (Webtrust and its versions) is clearly stated in our audit reports.
>a) Is this audit material available somehere?
>The documents provided under this request show that Telia Company AB is a PKI participant whose roles/responsibilities within the CA are not disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA functions/responsibilities rather than ownership details - BRs and Mozilla policy do not assume any privileges for owners, affiliates or groups - CA’s operational independence must be ensured and respected not only by its affiliates (including owners) but also by its own company management.
>b) according to RFC 3647 BRs and Mozilla policy require CP and CPS, while this root has CPS only, correct?
>you explained that its a Telia group function with two participants Telia Finland Oyj and Cygate AB, however based on 1) and the documents provided under this request, this CA has at least three PKI participants whose roles/responsibilities need to be disclosed.
>you explaned that "We use affiliate like BR defines it", sorry, but this is misunderstanding - in BRs affiliate is used in specific CA/RA operation contexts, so please be as specific as possible, what is the role of the affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia Lietuva)?
md
pekka.la...@teliacompany.com
Moudrick Dadashov
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2572d036-b45c-4bea-b23b-3a0dfcf0de1en%40mozilla.org.
Dimitris Zacharopoulos
Thank you, Pekka
At least the audit reports in the Repository require password. Please advise.
Dimitris.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMMZRrxvjboFLvo%3DTa2ADZk88yZsa3b8O9YhwS738_8r%2Bj%3Dt9w%40mail.gmail.com.
Moudrick Dadashov
Corey Bonnell
Hi Moudrick,
It would be worthwhile to try another PDF viewer, as I am successfully able to view the WebTrust report PDFs in Telia’s Repository using Firefox’s built-in PDF viewer without having to input any passwords.
Thanks,
Corey
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMMZRrwr_j%2Br%2BX-3Eso2Y_j_NvqkmW2iSKhiuct6Aetc4CJi9g%40mail.gmail.com.
Moudrick M. Dadashov
thank you, indeed I'm able to open all documents on my laptop (looks like a bug in my Docs to Go app).
I'll proceed with responding to Pekko's email.
Thanks,
M.D.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/DM6PR14MB21860F98F4B330A5843153EA92779%40DM6PR14MB2186.namprd14.prod.outlook.com.
Ben Wilson
On December 1, 2021, we began a three-week public discussion[1] on a request from “Telia” for inclusion of its root certificate, the Telia Root CA v2.[2] (Step 4 of the Mozilla Root Store CA Application Process[3]). Telia seeks enablement of both the websites and the email trust bits.
Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:
Moudrick Dadashov inquired about the relationship among the “Telia” entities, noting that Telia Company AB (Sweden) and Telia Oy (Finland) are two separate legal persons, and that the announcement of the public discussion did not clarify which one was operating the CA that is the subject of the inclusion request. I noted that the CCADB record reflected “Telia Finland Oyj, part of Telia Company AB” as the applicant.
Pekka Lahtiharju, a representative of the Telia companies, responded that “Telia” is a trademark recognized in the EU, but that “Telia Company AB” in Sweden was the main company, while Telia Finland Oyj was its Finnish affiliate responsible for publicly trusted CA services for the whole company group, and that Telia Finland Oyj was also using Swedish Cygate AB to perform CA and Registration Authority (RA) services for server certificates, and that for signature certificates under the “Telia Class 3 CA” subordinate CA, Formpipe AB would serve as an external RA. (According to the CCADB, that subordinate CA has EKUs of 1.2.840.113583.1.1.5 and 1.3.6.1.4.1.311.10.3.12 and a derived trust bit of “Document Signing.”)
Additional follow-up questions were about the RA relationships among Telia Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK ID Solutions (owned by Telia Company AB, Swedbank AB and SEB AB), and Telia Lithuania (legal name Telia Lietuva AB).
Pekka responded that he couldn’t speak to SK ID Solutions because they were a separate company, and that Telia Lietuva AB was a Telia affiliate, but not an RA. He also responded that “[the] Swedish RA may not be directly mentioned in CPS but none of our competitors is listing all their RA teams either. All our CA/RA employees are internal Telia persons. Telia Company AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj and thus indirectly owner of Telia CA. Audit reports show how all our CA/RA processes in all locations have passed audits with only minor deviations. Auditors also verify all locations and roles of all trusted persons.”
Pekka also stated that all of the relevant public documentation was available for review at https://cps.trust.telia.com.
We did not receive any other objections or other questions or comments in opposition to Telia’s request.
There still remain the three, previously-mentioned, open incidents/bugs in Bugzilla. However, I do not believe that these, or the issues mentioned above, merit a delay in Mozilla’s approval decision.
Close of Public Discussion and Intent to Approve [Application Process, Steps 9-10]:
This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve Telia’s request (Step 10).
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/52Gfr4dnJD8/m/yn5fpfnACQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1664161
[3] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/43db5aaf-a7fb-0fc2-94c6-ead32239d7f4%40ssc.lt.
Moudrick M. Dadashov
Ryan Sleevi
If approved, this request will create a precedent of ”do like Telia” - a practice that is widely used by Telia Company AB and its affiliates in the trust services markets under eIDAS. That’s how the recent eIDAS & GDPR misimplementation chaos started.I suggest this request be approved after the conversion of corporate relationships into clearly identified, disclosed and audited specific PKI participant roles.
Moudrick Dadashov
md
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
pekka.la...@teliacompany.com
-"High Risk": Telia Company AB is by no means any "high risk" applicant. Telia CA has been a normal Root CA already more than 15 years without any security related issues in any of annual audit results. All BR rules have been followed during that time. Only minor technical deviations have ever been identified. Recently Telia also joined to CAB Forum work also.
-"Semi-government company": Telia Company is a normal private company. Check https://www.teliacompany.com/en: Founded in 1853. The share is listed at Nasdaq Stockholm and Nasdaq Helsinki. Approximately 490,000 shareholders. 20,800 employees. Net sales SEK 89,191 million.
-"The problem here is that the CA resources need to be clearly identified and audited":
CA Resources have been clearly identified above to be located in Finnish "Telia Finland Oyj" and in Swedish "Cygate AB". The full CA organization and system has been audited annually in both countries and in both companies. Auditors have got exact person details who belong to Telia CA and audit has been focused on those persons and their legal entities and how they implement Telia CA.
-"the discussion is about CA operations not ownership"
I agree. Auditors have audited all related CA operations annually based on publicly disclosed Telia CP/CPS.
-"the subject of audit should be a legal entity, not a country"
Audit scope in audit reports has been legal entity "Telia Company AB (Telia)" that is the main company. This audit scope covers both mentioned affiliate legal entities practically participating into Telia CA processes.
-"CA/Browser Forum Baseline Requirements Audit Report 2021 (15 pages). In this report there is no reference to Telia Finland Oyj."
In audit reports there is reference to main company "Telia Company AB" because auditors kept it as better because Telia CA functions are carried by both affiliates: "Telia Finland Oyj" and "Cygate AB". We can ask auditors to add all three company names in the future audit reports if it makes audit results clearer.
-"Telia Public Response to Audit 2021, In this single page document no reference to Telia Company AB or Telia Finland Oyj."
Incorrect, footer has identification of entity that created this response which is: Telia Finland Oyj
-"Mozilla policy requires clear indication of which audit criteria were checked (or not checked) at each location" - as you don’t have a CP and the relevant parts are not identified in the CP/CPS, its unclear what criteria you are talking about."
I don't understand. We have CP (combined CP/CPS) that identifies the legal entities. I think the used audit criteria and locations (Finland and Sweden) are clearly stated in the audit reports. Both locations were using the same criteria. For WTCA criteria it is clearly written there "...in accordance with the WebTrust Principles and Criteria for Certificate Authorities v2.2.1." and for WTBR is using "...in accordance with the WebTrust Principles and Criteria for Certificate Authorities - SSL Baseline with Network Security v2.4.1."
Moudrick M. Dadashov
Ryan Sleevi
1.1.1 instance means a data object that Telia's affiliates - SK ID Solutions (formerly AS Sertifitseerimeskeskus) together with its RA - Omnitel (legal name - AB Telia Lietuva) have been issuing to the public as "qualified certificate" (QS).
1.1.2 something means "Qualified certificate" - a complex data structure that was initially defined in directive 1999/93/EC. For clarity, the QS in 1.1.1 (which is incompatible with the directive) is called surrogate QS.
1.1.3 Worth mentioning also evaluation of legality of surrogate QS by:a) the Data Protection Authority (legal name Valstybinė duomenų apsaugos inspekcija - VDAI) ordered Omnitel to stop issuing surrogate QSs. This order is still ignored (how and why can be discussed separately);b) the Supreme administrative court which ruled that surrogate QS violates the Data protection law (an implementation of directive 95/46/EC, now regulation 2016/679 - GDPR). This is also ignored (how and why can be discussed separately).See case translation here: https://journals.sas.ac.uk/deeslr/article/download/2142/2072/
1.2.2 eIDAS has at least three directly applicable mechanisms to prevent issuing surrogate QCs, but none of them worked as expected (disorder):a) TSP audit by CAB - surrogate QCs were accepted;b) TSP "qualified service" assessment by the Supervisory body - surrogate QCs were accepted;c) Trust list management by the Scheme operator under the Commission implementing decision 2015/1505 - surrogate QCs were accepted.
2. RE "This sounds like you're specifically referring to actions taken by Telia Company AB"Correct. Telia Company AB is the driving force of an ”organized group”,
wherea) The Swedish government creates "favorable conditions" in the countries of Telia Company AB's business operation (at least easy access to local governments is guaranteed);
b) The Telia Company AB management partners with local governments so that the doors of relevant institutions (agencies) are open to its local affiliate (remember "What's good for General Motors is good for the country"?)
c) The Telia Company AB affiliate develops "special relationship" with the institutions so that at least supervision of its business is completely "switched off", this includes lobbying any desired legislation (surrogate QC is "locally legitimazed" despite of competing with other national laws and EU directives and regulations.
I must apologize for this schematic/simplified response covering 20+ years of Telia Company AB's business practices in Baltics.If you google "Telia + corruption", almost all information will be about Telia Company AB's (formerly TeliaSonera AB) "achievements" in teleco markets, this is partly because of:
Please let me know if you need more info or have any questions - the information above is backed by publicly acessible evidence material from official sources.
Moudrick Dadashov
pekka.la...@teliacompany.com
>Sorry, could you point us to specific URL's with page numbers?
>>"Auditors have audited all related CA operations annually based on publicly disclosed Telia CP/CPS."
>"all related CA operations" is not sufficient: as noted earlier, its not clear which legal entity is the CA - the references I provided were on behalf of Telia Company AB, however applicant of this request is Telia Finland Oyj - from CA operations point of view these should be two different (independent) entities (no matter who owns what).
>Besides, we don't know which [parts of CPS] constitute the CP. If you disclose this clearly, then we'll see what criteria auditors have checked.
>>"Audit scope in audit reports has been legal entity "Telia Company AB (Telia)" that is the main company. This audit scope covers both mentioned affiliate legal entities practically participating into Telia CA processes."
>But we need audit reports issued to Telia Finland Oyj, which should be the only "main company". We don't care who owns Telia Finland Oyj unless the CA shares its operational resources with third parties (including owners). In all other cases, let's forget about Telia Company AB. :)
>>"We can ask auditors to add all three company names in the future audit reports if it makes audit results clearer."
>I'm afraid this is misunderstanding - the CA under this request should be a clearly disclosed legal entity (ownership is out of scope here). If the CA operations rely on other party's (e.g. owner's, affiliate's etc.) material or human resources, you need to disclose those shared resources and have auditors do appropriate check ups. If this information already exist, please give us specific references.
>>"I think the used audit criteria and locations (Finland and Sweden) are clearly stated in the audit reports."
>OK, if you think so, just indicate specific audit report pages.
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf
... on the first KPMG page in the first paragraph KPMG auditor has written this text: "Telia Company AB's ... CA operations in Finland and Sweden". Then later on the same page they state which Webtrust criteria was used. I can't understand how anybody may miss seeing company, locations or criteria that was used. To understand that legal entity behind Telia CA is "Telia Finland Oyj" and that it is affiliate to "Telia Company AB" you have to read also CP/CPS 1.3.1.
Ryan Sleevi
Thanks, RyanI'm afraid we are taking wrong direction. :)As I responded to Pekka today, the email you are commenting below is my answer to your questions about my comments re: eIDAS & GDPR chaos. If you are still interested, we can continue this discussion separately.
To keep the root inclusion process in order, I'd suggest to reply to my last email today.
If approved, this request will create a precedent of ”do like Telia” - a practice that is widely used by Telia Company AB and its affiliates in the trust services markets under eIDAS. That’s how the recent eIDAS & GDPR misimplementation chaos started.
instance means a data object that Telia's affiliates - SK ID Solutions (formerly AS Sertifitseerimeskeskus) together with its RA - Omnitel (legal name - AB Telia Lietuva) have been issuing to the public as "qualified certificate"
Correct. Telia Company AB is the driving force of an ”organized group”, where
Moudrick Dadashov
I agree with Pekka in a sense that eIDAS & GDPR chaos is not directly related to this request, however this CA is quite similar to Telia Company AB's eIDAS business.
Moudrick M. Dadashov
Ryan Sleevi
The audit reportYou explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand.", the problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls excercised by these external registration authorities."So, we have two different audit scenarious here:a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB need to be audited according to their roles.b) in case if Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB need to be audited according to their roles.Again, this has nothing to do with ownership relationship.
For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit
schemes found in Section 8.4, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.
Is that correct?
Audit scope
Sorry, I cant accept your arguments, see The audit report above.
Peter Bowen
Thanks for clearly breaking down your concerns. Based on this, and
the other messages in this thread, I don't think that some of these
are issues under the Mozilla policy. Please see my comments below.
receive separate WebTrust audits when the CA operations are under
common management and governance. Many of the WebTrust audit reports
implicitly cover multiple legal entities simply by indicating
operations in multiple countries. A few WebTrust audit reports that I
checked including DigiCert, Sectigo, Google, and GlobalSign, all
indicate operations in more than one country. As most countries
require that people who work in that country be employed by a legal
entity in that country, I fully expect that all these audit reports
cover multiple legal entities.
I do not believe that what Telia is presenting is materially different
from what other CAs present. If Mozilla wants to have all the legal
entities involved listed in the audit report, that is something that
should be included the Mozilla policy; this would need to be carefully
considered, as it does not only impact multi-country CAs, but also CAs
that lease data center space, contract other companies to provide
physical security, or perform other actions covered under the audit.
> Separation of CP and CPS provisions
>
> You explain that "There are no requirements to specifically separate CP and CPS texts.", according to RFC content of these two documents should be different. I’m ok with the combined document CP/CPS (but not content!) - I can’t see which part of combined document should be considered CP. At least section/page numbers could help.
acceptable to only have a CPS - that is a single document that lays
out the practices of the CA.
> Audit scope
>
> Sorry, I cant accept your arguments, see The audit report above.
>
> ********************
>
>
> To sum-up, obviousely we are in a loop, I don’t see any reason to change my opinion (see 2021-12-29 email).
>
> Thanks,
> M.D.
Mozilla policy.
Thanks,
Peter
(my personal view and does not necessarily reflect the views of anyone else)
Moudrick Dadashov
acceptable to only have a CPS - that is a single document that lays out the practices of the CA."
pekka.la...@teliacompany.com
I think that Moudrick is using term "PKI participant" like it would mean "Delegated Third Party". But I think that is not the right term for Telia CA. The best definitions I found for "third party" and "affiliate" are from BR and it is clear that Telia CA case is the latter (not delegating functions):
Delegated Third Party: A natural person or Legal Entity that is not the CA but is
authorized by the CA, and whose activities are not within the scope of the appropriate
CA audits, to assist in the Certificate Management Process by performing or fulfilling
one or more of the CA requirements found herein.
Affiliate: A corporation, partnership, joint venture or other entity controlling,
controlled by, or under common control with another entity, or an agency,
Government Entity.
All three listed Telia affiliates were included into Telia CA audit scope. There are no non-audited Telia CA parts for TLS. In our Server CP/CPS 1.3.2 we say that "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party". On Telia client certificate process we define in our Client CP/CPS how Enterprise RA may be used and that Telia Class 3 client certificates (which are outside of Mozilla context) are using external RA. I think that Enterprise RA is a normal concept on client certificates. I can't see any problems in this either
I hope that Mozilla now concludes if there is something that is against Mozilla policies or not. I haven't yet found any relevant issues on this discussion. I'm ready to improve our CPS or suggest new audit report formulation next time if I get instructions how. Our new root should be accepted soon so that we can replace the old one that has technical issues (read audit report).
Moudrick Dadashov
Moudrick M. Dadashov
Ryan Sleevi
You asked if my comment was about Delegated Third Parties - sorry, no, I had in mind the CA [1] and its RAs [] as defined in BRs.
Audit scope"If my above understanding is correct, then I’m not fully sure your argument here is correct. It’s certainly true that the RAs, which are DTPs, need to be audited, but that doesn’t necessarily propagate to the scope of the parent."My comment was about Pekka's argument, which is quite typical to Telia Company AB and its affiliates, that their corporate ownership relationship is directly apllicable to the CA operations, I believe this is fundamentally wrong.
The CA has a single audit report and I’m OK with that, but, as I quoted earlier, the audit report says:"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls excercised by these external registration authorities."
Peter Bowen
>
>
>
> On Thu, Jan 6, 2022 at 1:18 AM Moudrick M. Dadashov <m.m.da...@gmail.com> wrote:
>>
>> You asked if my comment was about Delegated Third Parties - sorry, no, I had in mind the CA [1] and its RAs [] as defined in BRs.
>
>
> I'm not sure I understand this. An RA is a DTP.
RAs are DTPs. In one way of describing PKI structure (or
participants), every certificate request first goes to a RA. The RA
validates the information, for example validates control of the
requested domains, then requests the CA to issue the certificate. The
RA and CA functions may be operated by the same entity, have the same
governance, and be part of the same audit. In this case the RA is not
a DTP, rather it is just a function of what in Mozilla terminology is
the "CA".
From my reading of this thread, there are two kinds of RAs for Telia
CA. The first are RA functions operated by the Telia group. These RA
functions are covered under the WebTrust audit. The people operating
the RA functions are employed by various companies, but ultimately
Telia Company AB is stating that they have governance and management
oversight of these RA functions. The second are Enterprise RAs which
are only used for client certificates. From earlier in the thread,
context) are using external RA."
>> Audit scope
>>
>> "If my above understanding is correct, then I’m not fully sure your argument here is correct. It’s certainly true that the RAs, which are DTPs, need to be audited, but that doesn’t necessarily propagate to the scope of the parent."
>>
>> My comment was about Pekka's argument, which is quite typical to Telia Company AB and its affiliates, that their corporate ownership relationship is directly apllicable to the CA operations, I believe this is fundamentally wrong.
>
>
> I'm sorry, I'm still not sure I think I understand the substance of your argument here, and it does seem like you're ascribing a particular malice to Telia that appears to be unsubstantiated, at least at present.
>
>>
>> The CA has a single audit report and I’m OK with that, but, as I quoted earlier, the audit report says:
>>
>> "Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls excercised by these external registration authorities."
>
>
> Correct, this part is difficult to square with Pekka's remarks that they were all part of the same audit scope, as the report does not appear to substantiate this. That is, the WebTrust Illustrative Guidance provides examples on how to disclose if no external RAs are involved, and that this seems to highlight a disconnect that bears some clarification, at the minimum.
RA does for any certificate that falls within the Mozilla policy
(which includes at least server and e-mail end-entity certificates).
Thanks,
Peter
md
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
pekka.la...@teliacompany.com
Moudrick M. Dadashov
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
Peter Bowen
dev-secur...@mozilla.org <dev-secur...@mozilla.org>
wrote:
>
>
> Before your claim can be finalized, we need clarification of the terms in your statement:
>
>
> "Specifically that Telia hasn't used any third party RAs except in the mentioned client certificate cases".
>
> You explained earlier that Telia is a trademark that Telia Finland Oyj is authorized to use in Finland.
>
> In the Telia's Management Assertion Telia Company AB uses the term Telia as a self short name. The same short name is used in the audit reports.
>
> So, based on the official documents, we don't know which legal entity represent the CA - Telia Company AB (Sweden) or Telia Finland Oyj (Finland). Once we identify the CA, it should be easier for you to disclose/identify other PKI participants, if any.
>
> "And that all other RA functions were operated internally by the Telia group so that all internal RA functions were covered under the WebTrust audit."
>
> Here you use the terms "internally" and "group" that have no meaning in the context of the CA operations - if you think they are defined in existing standards and Mozilla policy, just refer us to the appropriate sources.
>
> Once again, as from the CA operations' (CP/CPS) point of view Telia Company AB and Telia Finland Oyj are two different legal entities, you need to disclose their PKI participant roles as required by all applicable standards, policies I quoted earlier.
I'm afraid I'm somewhat confused. Mozilla Policy calls out two places
where the legal entity has to be disclosed: "ownership or control of
the CA’s certificate(s)" and "ownership or control of the CA’s
operations". I'm going to assume that the first really should be CA's
private keys, but that is something for a policy discussion.
The CPS says "The CA operating in compliance with this CPS is Telia
Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of
Swedish company “Telia Company AB” (BusinessID 5561034249)."
ownership of the CA certificate and keys. This has been stated
multiple times in the thread.
It also seems clear to me that Telia Company AB has overall control of
the CA operations, as they are the responsible party as documented in
the WebTrust management assertion and addressed in the auditor's
opinion.
I am unaware of any requirement in the Mozilla policy (directly or via
inclusion by reference) that requires a CA to disclose the employer of
all people they contract to assist in operations of the CA. This
applies regardless of whether the employer(s) are Affiliates of the
legal entity operating the CA, Affiliates of the legal entity owning
the private keys, or independent third parties. The thing that
matters is that the entity operating the CA takes responsibility for
and has control over the actions undertaken by the people operating
the CA.
As an example, as I understand it, if Afla, Inc. owns a private key,
they can contract Bravo Ltd. to operate the CA (including RA
functions). Bravo Ltd would then be listed as the responsible party
in the WebTrust audit report. Bravo can contract Charlie Pty Ltd,
Delta GmbH, and Echo BV to assist in the operations of the CA. This
could include providing physical security for the private keys,
providing ICT administration, applicant review services, or other
work. As long as Bravo is has oversight and control of the
operations, it is not necessary to list Charlie, Delta, or Echo in the
CPS nor in the WebTrust audit report.
I do realize that other regulations and requirements may require
disclosure of some or all of Charlie, Delta, or Echo. For example,
some CAs disclose information sub-processors for the purpose of
complying with GDPR; see
https://www.globalsign.com/en/repository/GlobalSign-Subprocessors.pdf
as an example. This is independent of the Mozilla requirements, to
the best of my knowledge.
md
the WebTrust management assertion and addressed in the auditor's
opinion."
Peter Bowen
>
> Thanks, Peter
>
> Below I’m relying on the Mozilla policy (MP) published here:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> You say you are confused and looks like because of following:
>
> Please note Telia Finland Oyj is a legal entity with its own BusinessID, material/human resources, management and location (see MP section 3.1.4 (13)).
>
> As "CAs SHOULD NOT assume that trust is transferable" (MP section 8), using the MP terminology the relationship between Telia Company AB and Telia Finland Oyj is "legal ownership". Feel free to rely on any privileges the policy assumes for this kind of ownership parties.
>
> The reason of confuse is mixing two different terms "legal omwnership" and "CA operations" (as in MP section 8.2).
>
> the WebTrust management assertion and addressed in the auditor's
> opinion."
>
>
> ************
>
>
> I’m afraid your good example below is not applicable to this case - those companies, If I understood correctly, have contractual relationship, whereas in our case all we have is "is part of" which means the legal owner (Telia Company AB) controls shares of another legal entity (Telia Finland Oyj). This has nothing to do with CA operations.
the Certificate Authority (CA) services as listed in Appendix A" (the
first sentence of
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf).
From that same file, KPMG conducted their procedures as per ISAE 3000,
which requires KPMG to determine the "responsible party". KPMG
clearly states that it is "Telia Company AB" in their opinion letter.
Given the root certificate currently under discussion is not part of
the root program, and the ownership and control seem to be clearly
stated, I do not see an issue here.
There may be a separate concern that the operations of the
"TeliaSonera Root CA v1" CA were transferred at some point. Mozilla
policy does not require public notice of transfer - notice can be
provided to Mozilla privately. Given this, it is not possible to
identify if notice was provided.
From this discussion, it does seem that Mozilla should consider a few actions:
1) Update the policy to require disclosure of the legal entity that
owns the CA private key (instead of the CA certificate)
2) Update the policy to require disclosure in the CCADB, for each root
CA and subordinate CA, of:
* the legal entity that owns CA private key
* the legal entity that is the operator of the CA and is either the
"Responsible Party" (ISAE 3000) or employer/contractor of the
"Management and Those Charged With Governance" (AT-C 801) of the CA
3) Clarify how the community will be notified of changes, given the
policy says that "Mozilla will normally keep commercially sensitive
information confidential."
Thanks,
Peter
Moudrick M. Dadashov
Peter Bowen
<m.m.da...@gmail.com> wrote:
>
> Thanks, Peter
>
> Indeed, you just quoted the same parts from the documentation that I did in my 2021-12-29 email.
>
> According to CPS two different legal entities declared to have been representing the CA just because one "is part of" another which according to Mozilla policy means "legal ownership" that has nothing to do with the CA operations.
of" does not matter. I'm looking at the audit reports which, but the
definition of ISAE 3000, list the "responsible party". My
interpretation is that "responsible party" is equivalent to "ownership
or control of the CA’s operations" in the Mozilla policy.
As you call out, the CPS says "The legal entity responsible of Telia
party for the operations of the CA. Prior messages stated that Telia
Finland is the legal owner. This indicates Telia Finland has
"ownership or control of the CA’s certificate(s)".
> Sorry, I’m confused that while you don’t see problems here, but at the same time proposing improvements to Mozilla policy - isn’t this "customization of rules" to the needs of a specific legal entity?
different countries and different tax jurisdictions that it is very
common to have people employed by different legal entities who work
together as a single team. I frequently have not known which company
my colleagues legally work for - it just doesn't matter for day to day
purposes. At one point I worked for XYZ Canada Ltd, my boss worked
for ABC GmbH, his boss worked for XYZ Inc in the US. The person
working for XYZ Inc was the senior vice president and general manager
for ABC and had responsibility and control of ABC, even if he didn't
work for ABC GmbH. At another group of companies, we had people from
multiple legal entities working in the same building side by side.
The fact that I worked for Example PQR LLC and my colleague worked for
Example JKL LLC was only found if you looked at the details for
entries in the corporate directory. We both had email addresses
ending in @example.com. This seems normal and common to me.
I'm suggesting improvements in Mozilla policy because this discussion
has shown the current policy does not provide clarity as to legal
entities and because you have reasonably called out that having
clarity is beneficial to transparency. This lack of claity is not
unique to Telia; for example, the Globalsign CPS says "GlobalSign
NV/SA and affiliated entities". Given the lack of requirement of
public disclosure of the owner of the private key/certificate, I'm not
sure how many other CAs in the Mozilla program have separation between
the operator and key owner.
> While this is quite typical for Telia Company AB’s eIDAS related practices, I’m very concerned its happening here.
eIDAS-related practices.
Thanks,
Peter
Ryan Sleevi
While this is quite typical for Telia Company AB’s eIDAS related practices, I’m very concerned its happening here.
Moudrick M. Dadashov
of" does not matter. I'm looking at the audit reports which, but the
definition of ISAE 3000, list the "responsible party". My
interpretation is that "responsible party" is equivalent to "ownership
or control of the CA’s operations" in the Mozilla policy
Based on the audit report, Telia Finland Oyj is NOT the responsible
party for the operations of the CA. Prior messages stated that Telia
Finland is the legal owner. This indicates Telia Finland has
"ownership or control of the CA’s certificate(s)".
entities and because you have reasonably called out that having
clarity is beneficial to transparency."
Dimitris Zacharopoulos
Sorry for chiming in late, I was monitoring this discussion and thought of adding a comment about the completeness of audit reports.
In my understanding, when Mozilla or any other Root Program is evaluating audit reports (Point-in-Time or Period-of-Time), they must confirm that all entities/functions that should be audited, are included in the submitted audit reports.
It is acceptable to submit multiple audit reports when multiple legal entities fulfill different CA functions, but at the end of the day all functions that need to be audited must be accounted for.
If the CA is company A and they have an external RA which is company B, then one of the following is acceptable:
a) Company A presents an audit report that contains its own CA operations AND the operations of company B, which means that the auditor of company A has engaged into independently evaluating the RA operations of company B
b) Company A presents an audit report that contains its own CA operations and states that it did not evaluate operations of external RA of company B, and there is a separate external audit report of company B which independently evaluates the RA operations of company B. Together, these two audit reports prove that all audited functions have been performed and nothing is missing.
If I understand one of Moudrick's concerns (obviously he has plenty of concerns but I only focus on the audit completeness), the audit report submitted by Telia does not include an opinion on "external RAs" which means that we are missing an audit report about these external RAs. AFAIK, external RAs are not exempt and must be audited by a qualified (external) auditor. Unless I am missing something, I believe that only Enterprise RAs can exist without external audits.
Ryan, Peter, do you agree with the last comment?
Thanks,
Dimitris.
PS: I was trying to find the right message in the various existing threads to reply to but it was too many messages to process, so apologies for starting a new thread.
All,
This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Telia’s inclusion request for the Telia Root CA v2 (https://crt.sh/?id=1199641739).
Mozilla is considering approving Telia’s request to add the root as a trust anchor with the websites and email trust bits as documented in Bugzilla #1664161 and CCADB Case #660.
This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Summary
This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to 29-Nov-2043.
SHA2 Certificate Hash:
242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C
Root Certificate Downloads:
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem
CP/CPS: Effective October 14, 2021, the current CPS for the Telia Root CA v2 may be downloaded here:https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).
Repository location: https://cps.trust.telia.com/
Test Websites:
Valid - https://juolukka.cover.telia.fi:10603/
Revoked - https://juolukka.cover.telia.fi:10604/
Expired - https://juolukka.cover.telia.fi:10605/
BR Self Assessment (PDF) is located here: https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf
Audits: Annual audits are performed by KPMG. The most recent audits were completed for the period ending March 31, 2021, according to WebTrust audit criteria. The standard WebTrust audit (in accordance with v.2.2.1) contained no adverse findings. The WebTrust Baseline Requirements audit (in accordance with v.2.4.1) was qualified based on the fact that the Telia Root CA v1 certificate did not include subject:countryName. (The Telia Root CA v2 contains a subject:countryName of “FI”.)
Attachment B to the WebTrust Baseline Requirements audit report listed eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit period, which are now resolved as fixed. They were as follows:
Link to Bugzilla Bug
Matter description
Two CA certificates not listed in 2020 WebTrust audit report
Ambiguity on KeyUsage with ECC public key
One Telia certificate containing a stateOrProvinceName of “Some-State”
Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with Baseline Requirements
AIA CA Issuer field pointing to PEM-encoded certificate
Certificates with RSA keys where modulus is not divisible by 8
Subject field automatic check in CA system
Disallowed curve (P-521) in leaf certificate
Recent, open bugs/incidents are the following:
Link to Bugzilla Bug
Matter description
Issued three precertificates with non-NIST EC curve
Invalid email contact address was used for few domains
Delayed revocation of 5 EE certificates in connection to id=1736020
I have no further questions or concerns about this inclusion request, however I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Telia must promptly respond directly in the discussion thread to all questions that are posted.
Again, this email begins a three-week public discussion period, which I’m scheduling to close on December 22, 2021.
Sincerely yours,
Ben Wilson
Mozilla Root Program
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZj87QS3jL7R_32JEnfPZeU4hBNBJ%2BGHWU_pUdqF%3Dbbg%40mail.gmail.com.
pekka.la...@teliacompany.com
I wonder why Telia should provide audit report to Mozilla about the only external RA Telia CA is using when this external RA is using subCA that is out of scope of Mozilla based on its EKU values. This external RA is producing only client certificates for signature purposes.
Both provided audit reports WTCA and WTBR state that they cover Telia CA operations in Finland and Sweden and only WTCA report has remark about External RA in this format (WTBR report doesn't have this):
"Telia makes use of external registration authorities for subscriber registration activities as disclosed in Telia's business practices. Our procedures did not extend to the controls excercised by these external registration authorities."
This text above refers to Telia Client CPS that has disclosed that the only case in addition to Enterprise RA when Telia is using External RA is related to Telia Class 3 client certificates and all SMIME related validation is done only by Telia CA itself. E.g. Client CPS 1.3.2: "Telia CA employs two RAs: Internal RA and External RA. Telia will not delegate domain validation to be performed by a third-party. The CA itself verifies email domain ownership or verifies that End-entity controls the email account." Chapter 1.3.2.2 defines Telia's only External RA to be restricted only to Class 3 certificates outside of Mozilla context. Note also that Server CPS states clearly that within TLS validation no External RAs are used: 1.3.2: "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party."
Dimitris Zacharopoulos
Hi Dimitris,
I wonder why Telia should provide audit report to Mozilla about the only external RA Telia CA is using when this external RA is using subCA that is out of scope of Mozilla based on its EKU values. This external RA is producing only client certificates for signature purposes.
If they are out of scope, then it makes sense not to disclose such audit reports to Mozilla and other Root Programs that are only interested in "websites" and "email" certificates. However, it needs to be clearly (and explicitly?) stated that this external RA does not perform RA functions related to Certificates for TLS and email. In any case, this is not a very popular condition because external RAs typically validate identities that can be used for all certificate types, including TLS (OV/IV/EV) and email certificates that include identity. However, it is perfectly fine to scope these external RAs out for TLS and email certificates if you choose to do so.
Both provided audit reports WTCA and WTBR state that they cover Telia CA operations in Finland and Sweden and only WTCA report has remark about External RA in this format (WTBR report doesn't have this):
"Telia makes use of external registration authorities for subscriber registration activities as disclosed in Telia's business practices. Our procedures did not extend to the controls excercised by these external registration authorities."
This text above refers to Telia Client CPS that has disclosed that the only case in addition to Enterprise RA when Telia is using External RA is related to Telia Class 3 client certificates and all SMIME related validation is done only by Telia CA itself. E.g. Client CPS 1.3.2: "Telia CA employs two RAs: Internal RA and External RA. Telia will not delegate domain validation to be performed by a third-party. The CA itself verifies email domain ownership or verifies that End-entity controls the email account." Chapter 1.3.2.2 defines Telia's only External RA to be restricted only to Class 3 certificates outside of Mozilla context. Note also that Server CPS states clearly that within TLS validation no External RAs are used: 1.3.2: "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party."
It is not for me to decide whether this needs to be explicitly stated in audit reports or not. However, the fact that the "external RA" is mentioned only in the WTCA and not in the WTBR report, might implicitly state that there are no external RAs involved in the TLS certificate issuance process, but does it apply to the email certificate issuance? To the best of my knowledge, email certificate issuance is covered by the WTCA audit report and TLS is covered by the WTCA+WTBR. This could mean that "External RAs" might be used in the validation process (email or identity) for S/MIME certificates which are in scope of the Mozilla Root Program.
As a side note, I believe it would greatly help the community if WT experts could provide some guidance how Relying Parties should interpret WTCA and WTBR reports. Should a RP read a WTBR report as a stand-alone report or in combination with the WTCA?
Best regards,
Dimitris.
pekka.la...@teliacompany.com
Ben Wilson
All,
Over the past few weeks, we have discussed here Telia Finland Oyj’s request in more depth. The discussion has mainly focused on Telia Finland Oyj’s parent company, Telia Company AB, and whether any unaffiliated third-party entities might be involved in providing RA services.
As Moudrick Dadashov rightly noted, the management assertion that accompanied the WebTrust audit report stated, “Telia Company AB (Telia) operates the Certificate Authority (CA) services as listed in Appendix A, and provides the following services: Subscriber registration, Certificate renewal, Certificate rekey, Certificate issuance, Certificate distribution, Certificate revocation, Certificate validation, Subscriber key generation and management. The management of Telia is responsible for establishing and maintaining effective control over its CA operations….”
KPMG’s audit report likewise addressed Telia Company AB management and stated, “Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities.”
Telia has stated that its CA resources were clearly identified by the auditors as located in Finland and Sweden and that the full CA organization and system had been audited annually in both countries and in both companies. Auditors received details on the persons involved with the Telia CA and the “audit has been focused on those persons and their legal entities and how they implement Telia CA.” It also responded that the audit scope in the audit reports included the legal entity Telia Company AB, because it was the main company, but also included affiliated legal entities practically participating in the Telia CA processes.
Moudrick has made the point that the two organizations (Telia Company AB and Telia Finland Oyj) are separate legal entities. He said it was unclear which legal entity was the CA. He has argued that some of the materials provided (e.g. the audit documents) were on behalf of Telia Company AB, while the applicant is Telia Finland Oyj, and that these are two different, independent entities. He argued that "legal ownership" has nothing to do with the CA operations -- that Telia Company AB only controls shares of another legal entity (Telia Finland Oyj), which has nothing to do with CA operations. Moudrick has argued that the audit reports should have been issued to Telia Finland Oyj, which should be the only ‘main company’, but that “[a]ccording to the audit report … Telia Company AB is the CA.”
Representatives from Telia have stated clearly and consistently that the applicant and CA operator is Telia Finland Oyj. The CA certificate identifies “Telia Finland Oyj” as the Organization. Section 1.3.1 of the CP/CPS for Telia Server Certificates (v.4.4) states, "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)." To avoid future confusion, Telia has offered to “ask [its] auditors to add all three company names in the future audit reports if it makes audit results clearer.” I’d ask Telia to also improve its CP/CPS to provide more detail on the involvement of Telia Company AB in the management of the CA and any other subsidiaries’ provision of operational services.
Wikipedia and other information sources provide some information on the organizational and financial relationships among Telia Company AB and its subsidiaries, but not enough information is available on management structure and operations of the conglomerate. KPMG, in addressing its opinion to the management of Telia Company AB, implied that it had determined that Telia Company AB had some degree of control over CA operations. This is where the CP/CPS could be improved.
As noted by Ryan Sleevi, Peter Bowen, and Dimitris Zacharopoulos, PKI participant roles need to be adequately disclosed and any Delegated Third Party RAs need to be disclosed and audited. There is a need for greater transparency and specificity. Ryan and Peter both felt that more explanation was needed concerning RA functions--“it would be helpful to clarify what functions any external RA does for any certificate that falls within the Mozilla policy.” Dimitris also stated that “it needs to be clearly (and explicitly?) stated that this external RA does not perform RA functions related to Certificates for TLS and email.” Pekka Lahtiharju from Telia responded that Telia hasn't used any third party RAs except in the mentioned client certificate cases – that the external RA does not perform RA functions related to Certificates for TLS and email.
Basically, Moudrick has also asked for greater transparency and specificity, which is in line with what Mozilla wants. Moudrick also cited MRSP section 8, that “trust is not transferrable”. Without getting into an interpretation of what that means for CAs operated by conglomerates, I agree with these points - it is important to know who is responsible, and I agree with Moudrick’s position that “If the CA operations rely on other party's (e.g. owner's, affiliate's etc.) material or human resources, you need to disclose those shared resources.” Peter Bowen noted, “If Mozilla wants to have all the legal entities involved listed in the audit report, that is something that should be included in the Mozilla policy.” As a result of this, I have filed an issue in Github for these issues to be explored and worked on further in the future development of the Mozilla Root Store Policy. See https://github.com/mozilla/pkipolicy/issues/237
Based on all of the discussions back and forth, it appears that there is some common management under the umbrella of Telia Company AB, but that is no reason to withhold the approval of the inclusion of the root CA operated by Telia Finland Oyj, which has ownership and control of the CA certificate and keys. I believe the question of whether unaffiliated third-party entities might be involved in providing RA services has been adequately answered. I urge Telia to add more detail, relative to these public discussions, the next time it updates its CP/CPS.
Thus, I'm going to ask Kathleen to proceed and approve the request to include the Telia Root CA v2 in the Mozilla/NSS root store.
Thanks,
Ben
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ed9f3f6b-ada4-439a-8ce1-d650297d1953n%40mozilla.org.
pekka.la...@teliacompany.com
Moudrick Dadashov
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b2f1143c-906a-4fcd-bddd-0f5513cae4aen%40mozilla.org.