FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate and
enable the Websites trust bit.
Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that
provides services to Spain as a national CA.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=435736
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8677034
Noteworthy points:
* Documents are in Spanish, and some are translated into English.
Document Repository:
https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
CP:
https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/
CPS:
https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/
* CA Hierarchy
** This root has internally-operated subordinate CAs
- “AC Componentes Informáticos” issues certificates for SSL Servers and
code signing.
- “AC Administración Pública” is an updated version of the “APE CA”,
created to meet the Spanish Government's new requirements for
certificates of Public Administrations.
- “APE CA” is no longer used.
* This request is to enable the Websites trust bit.
** From dpc_componentes_english.pdf…
*** Section 5.3.2.1, item 43: Checking the identity and particulars of
the Certificate Applicant and the Subscriber and/or its Representative,
and obtaining the representation that the Applicant is authorized by the
Subscriber to file the application. ... Identification will be
implemented through acceptable electronic signature certificates and the
functionalities established in respect of the DNId [electronic ID
document] for the above-mentioned purposes.
*** Section 5.3.2.2, item 48: As regards management of the lifecycle of
Component Certificates, FNMT-RCM is the only authorized Registry Office,
through its Registry Area. ... To check that the domain title holder's
name matches the Subscriber's identity or, if appropriate, to obtain the
Subscriber's authorization, which will be associated with the Component
Certificate, using the means within its reach that, reasonably, make it
possible to prove the title, according to the state of technology.
*** Section 6.1.3, item 66: The Registry Office will verify the
Subscriber's personality and, if appropriate, the Representative's
personality and capacity, through verification of the Electronic
Signatures and Certificates used in the process and/or inquiry on the
databases of the Companies Register or of trustworthy third parties.
*** Section 6.1.3, item 65: If the Certificate is associated with one or
more Internet domains, the Registry Office will check, on the authorized
domain registrars' databases, that the title holder of the domain and
the Certificate Subscriber match, and will keep proof of the inquiry.
* EV Policy OID: Not applicable; not requesting EV treatment.
* Root Cert URL:
http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt
* Test Website:
https://www.sede.fnmt.gob.es/certificados
* CRL:
ldap://ldapape.cert.fnmt.es/CN=CRL164,CN=AC%20Administraci%F3n%20P%FAblica,OU=CERES,O=FNMT-RCM,C=ES?certificateRevocationList
ldap://ldapfnmt.cert.fnmt.es/CN=CRL,OU=AC%20RAIZ%20FNMT-RCM,O=FNMT-RCM,C=ES?authorityRevocationList;
* OCSP:
http://ocspape.cert.fnmt.es/ocspape/OcspResponder
http://ocspap.cert.fnmt.es/ocspap/OcspResponder
* Audit: FNMT is audited annually by PWC according to the WebTrust CA
and WebTrust BR criteria. I exchanged email with the auditor to confirm
the authenticity of the audit statement at this URL:
https://www.cert.fnmt.es/documents/11601/4379265/auditReport_en.pdf
* Potentially Problematic Practices -- None noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the discussion of the request from FNMT to include the “AC
RAIZ FNMT-RCM” root certificate and enable the Websites trust bit.
At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen