This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for the TunTrust Root CA. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9).
The TunTrust Root CA is operated by the Government of Tunisia, Agence Nationale de Certification Electronique / National Digital Certification Agency (ANCE/NDCA).
This current CA inclusion application has been tracked in the CCADB and in Bugzilla–
This new root CA certificate is valid from 2019 to 2044, and it is proposed for inclusion with the websites bit (for OV certificates issued to entities under the ccTLD ".tn").
Mozilla is considering approving ANCE/NDCA’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
Root Certificate Information:
TunTrust Root CA
Current CPS is Version 4.5 / December 2, 2020
TunTrust's 2021 BR Self-Assessment (Excel) is located here:
TunTrust’s WebTrust auditor is Deloitte, and the most recent audit reports are dated 12/15/2020. These may be downloaded by clicking on the WebTrust seals at the bottom of TunTrust’s repository page.
In September 2020, TunTrust filed Bugzilla Bug #1663953 representing a 20-hour period during which OCSP was unreachable due to human error while executing a patch management script that deleted the OCSP VM. Remedial measures are in progress, including the hiring of a third party for patch management, which should be completed this month. For more details, see Bug Comment #9.
No misissuances were found under the TunTrust Root CA and the TunTrust Services CA (issuing CA) appears to be properly formatted. Here are the name constraints (marked critical) for the TunTrust Services CA:
Permitted: DNS: tn; DirName: C = TN
Excluded: IPv4: 0.0.0.0/0.0.0.0; IPv6: 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 30-April-2021.
A representative of TunTrust must promptly respond directly in the discussion thread to all questions that are posted.
Mozilla Root Program
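To make the quoted constraints concrete, here is an added example (not code from TunTrust, Mozilla or the thread) that applies the RFC 5280 name-constraint matching rules to the permitted and excluded subtrees listed above. The leaf names and subject DNs it checks are constructed for illustration and are not real TunTrust certificates; the checker works on already-decoded names rather than parsing DER, and subjects are modelled as flat attribute-to-value dicts.

```python
"""RFC 5280 name-constraint matching against the TunTrust Services CA subtrees.

Added example, not TunTrust's or Mozilla's code.  Standard library only; it
operates on decoded SAN/subject values rather than on DER certificates.
"""
import ipaddress
from typing import Dict, List

# Subtrees as quoted in the announcement (critical NameConstraints extension
# on the TunTrust Services CA).  "0.0.0.0/0.0.0.0" and the all-zero IPv6 mask
# are the prefix-length-0 networks, i.e. they cover every IP address.
TUNTRUST_PERMITTED = {
    "dns": ["tn"],
    "dirname": [{"C": "TN"}],
}
TUNTRUST_EXCLUDED = {
    "ip": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
}


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName is in a DNS subtree when it equals the
    constraint or is the constraint with one or more whole labels prepended.
    'example.tn' is in 'tn'; 'example.tn.com' and 'xtn' are not."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)


def ip_in_subtree(addr: str, constraint) -> bool:
    """An iPAddress is in a subtree when it lies inside the constraint network
    of the same address family."""
    ip = ipaddress.ip_address(addr)
    return ip.version == constraint.version and ip in constraint


def dirname_in_subtree(subject: Dict[str, str], constraint: Dict[str, str]) -> bool:
    """A directoryName is in a subtree when every attribute of the constraint
    appears in the subject with the same value (flat dict model; a single C=
    attribute is all the quoted constraint needs)."""
    return all(subject.get(attr) == val for attr, val in constraint.items())


MATCHERS = {"dns": dns_in_subtree, "ip": ip_in_subtree, "dirname": dirname_in_subtree}


def name_constraint_violations(names: Dict[str, list], permitted: dict, excluded: dict) -> List[str]:
    """Apply name constraints to the names of a leaf certificate.

    `names` maps a name type ("dns", "ip", "dirname") to the leaf's names of that
    type (SAN dNSName / iPAddress entries, plus the subject DN under "dirname").
    Rules from RFC 5280 4.2.1.10: a name in any excluded subtree is a violation;
    for a type that has at least one permitted subtree, every name of that type
    must fall inside one of them; a type with no permitted subtree is left
    unconstrained by the permitted list.  Returns one string per violation.
    """
    violations = []
    for kind, values in names.items():
        match = MATCHERS[kind]
        for value in values:
            if any(match(value, c) for c in excluded.get(kind, [])):
                violations.append(f"{kind} {value!r} is in an excluded subtree")
            elif kind in permitted and not any(match(value, c) for c in permitted[kind]):
                violations.append(f"{kind} {value!r} is outside all permitted subtrees")
    return violations


def check_tuntrust_leaf(dns_names, ip_addrs=(), subject=None) -> List[str]:
    """Check a hypothetical leaf against the TunTrust Services CA subtrees.
    Per RFC 5280 the directoryName constraint applies to the subject field only
    when it is non-empty, so an empty/absent subject is not checked against it."""
    names = {
        "dns": list(dns_names),
        "ip": list(ip_addrs),
        "dirname": [subject] if subject else [],
    }
    return name_constraint_violations(names, TUNTRUST_PERMITTED, TUNTRUST_EXCLUDED)


if __name__ == "__main__":
    # Constructed leaf names for illustration, not real certificates.
    samples = [
        (["www.example.tn"], [], {"C": "TN", "O": "Example SARL"}),
        (["example.com"], [], {"C": "TN"}),
        (["example.tn.com"], [], {"C": "TN"}),
        (["www.example.tn"], ["197.0.0.1"], {"C": "TN"}),
        (["www.example.tn"], [], {"C": "FR"}),
    ]
    for dns, ips, subj in samples:
        print(dns, ips, subj, "->", check_tuntrust_leaf(dns, ips, subj) or "OK")
```

Note that the excluded check runs before the permitted one, so an IP SAN is rejected even though no permitted iPAddress subtree exists, and that the DNS rule is label-based: a suffix match on "tn" without the leading dot would wrongly accept names such as "xtn".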
TunTrust Services CA: This issuing CA is restricted to only issue OV SSL certificates to domain names under the ".tn" top-level domain and owned by entities operating under Tunisian jurisdiction.
Is TunTrust applying with the intention of being name constrained to the .tn name space of their own volition or is this an agreed/negotiated constraint as a mitigating factor for other uncertainties or non-compliances?
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3c4f4ae7-810b-4a71-9289-9441530fc908n%40mozilla.org.
According to Tunisian regulation, we are not authoritative on the ".tn" domain, and we are prevented by law from being authoritative, as DNS activity does not fall within our activity scope as defined by law.
We automatically check the CAA records for all certificate requests equally. We do not have affiliates, and the only DNS operator in Tunisia is the «Agence Tunisienne d'Internet» (https://www.ati.tn/ ; https://whois.ati.tn/ ). The exception to checking CAA records does not apply to us.
The CT logs provide evidence that we are not restricting organizations in the Tunisian jurisdiction from obtaining their SSL certificates from other CAs (the best example is our own website: our SSL certificate was purchased from a CA that is already included in the Mozilla and Chrome trust stores). We are also not restricting organizations in the Tunisian jurisdiction from purchasing SSL certificates for domain names other than ".tn" (for instance, .com). We have never required Tunisian citizens and entities to manually add our Root CA certificates to their browsers and software.
With regard to our investment in compliance, both initial and ongoing, we have shown that we spare no money and no effort to reach compliance with the BRs, Mozilla Policy, and WebTrust requirements.
Being ISO 27001 and ISO 9001 certified since 2018, we apply a PDCA approach that requires continuous improvement of our processes and services. As evidence, we did not delay making the necessary investment in response to the OCSP incident that we reported in bug 1663953. We provided a timely report to the community, and we are thoroughly following an action plan to remediate the incident. We are now in the process of preparing for ISO 22301:2019 certification for business continuity management as part of improving our services (especially after the above-mentioned incident).
I would also like to highlight that our budget and expenditures are regularly supervised and controlled by supervising entities. Being a government entity does not allow us to operate without accountability or follow-up on goal achievement. I also clearly confirm that being trusted by the main root policy programs is one of our main strategic objectives.
Hi All:
We would like to move forward with our inclusion request, which has been in public discussion since April 7th, 2021. Based on the public discussion thread and on the new section "CA/Quantifying Value", we have submitted a document in our Bugzilla case that provides answers and clarifications on our CA.